Spurred by the mounting cyber threats targeting the country, the White House issued an Executive Order mandating agencies enhance and strengthen our nation’s cybersecurity. Hence, government agencies must continuously strengthen their cybersecurity postures when modernizing. Part of that process is the implementation of Zero Trust Architecture (ZTA). As a recent analysis in Nextgov suggests, ZTA structured around a service mesh provides a novel and efficient approach to rapidly implementing cybersecurity in legacy applications. Karsun is at the forefront of delivering these service mesh based solutions.
Zero Trust Architecture
ZTA is a strategic cybersecurity strategy to secure an organization by eliminating implicit trust and continuously validating every stage of digital interaction by verifying people and devices accessing applications, data, and systems.
Based on our extensive experience in modernization, we strongly recommend that any modernization efforts adopt a zero-trust architecture. At the same time, ZTA can be challenging to implement when compounded by the presence of legacy systems and applications that aren’t made for a distributed, cloud-based environment.
An effective way to manage and solve that problem is using a service mesh. A service mesh offers a dedicated domain-agnostic infrastructure layer (abstraction) that you can add to your services for capabilities like observability, traffic management, and security without adding them to your code. While most commonly used for cloud-native capabilities, such as microservices and containers, a service mesh can be the most efficient way to bring legacy systems into the ZTA fold.
Karsun’s Service Mesh Pilot
Our Innovation Center pilots and validates innovative approaches to enterprise modernization through several pathways, including Innovation Weeks, codeathons and delivery-guided pilot programs. In one such pilot program, we introduced a service mesh in a legacy application system. While common for containerized systems, our implementation went one step further, examining the opportunity for ZTA modernization in a non-containerized legacy application. We found a service mesh based approach provides a compelling alternative to lift and shift methods.
Most service mesh solutions are designed to be used in a Kubernetes environment. In our proof of concept, using HashiCorp Consul we built a service mesh for a non-containerized legacy app. Using a service mesh allowed us to adapt the legacy application to meet the identity management requirements of a zero trust environment.
A core ZTA tenant requires us to verify the identity of resources accessing the system. Combining HashiCorp Vault allowed us to integrate with Google OAuth2 for identity and access management. Users and applications authenticated happens before their request reaches servers or containers.
When implementing ZTA, you also should provide the lowest level of privileges possible. In our implementation, the services always start with no trust and no allowed routes. We configured all traffic via policies to ensure only authorized sources get access to the services. We also secured service-to-service communications while controlling outbound communication. With our service mesh, we found we could secure communications between Windows Server hosted applications and Linux based containers operating on Kubernetes through AWS EKS or AWS Elastic Container Service.
Combining these two tenets ensures a bad actor using compromised credentials does not have the attack surface necessary for great damage to the system. A service mesh like that implemented by our pilot team supports the identity and access management necessary for a true ZTA environment. Moreover, it can be used in both containerized and non-containerized environments. It is a powerful option for agencies looking to build ZTA for greenfield development and legacy application modernization.
Our Zero Trust Architecture Service Mesh is a product of the Karsun Innovation Center (KIC). Want to learn more? Check out the new Getting Legacy Systems Up to Speed With Modern Security report from GovLoop.