How to implement cybersecurity for modern application connectivity
The president’s recent executive order on improving the nation’s cybersecurity highlights the security threats facing our country — and it couldn’t be more timely.
Ransomware has been an ever-present threat to hospitals, financial institutions, and U.S. infrastructure. The Colonial Pipeline hack forced a shutdown of the U.S.’s largest fuel pipeline, leading to emergency declarations in 17 states amidst gas shortages and price hikes. The White House’s new cybersecurity executive order outlines the critical actions required to better defend against and prevent similar threats in the future.
The order states that “protecting our nation from malicious cyber actors requires the federal government to partner with the private sector.” The private sector must “adapt to the continuously changing threat environment, ensure its products are built and operate securely…”
The order also details that the federal government “must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS)…” Specific security measures are outlined, including multi-factor authentication and encryption for data at rest and in transit, as well as approaches for authenticating all connection requests, having consistently-implemented centralized controls, and more.
How does the order apply to today’s modern application networks and cloud-first technologies? The rise of hybrid and multi-cloud environments, distributed microservices applications, and container orchestration with Kubernetes all imply a need for zero-trust application networking that operates consistently and comprehensively in diverse heterogeneous environments.
Contextualizing these trends with the executive order clearly implies that API gateways and service meshes have suddenly become critical software infrastructure, not just for the US federal government but also for any private business that wants to be a technology supplier to the government.
It is imperative that all private businesses and governmental organizations collaborate to secure connectivity for distributed, containerized, microservices applications, which makes perfect sense since attackers probe the entire digital supply chain and its implementation, not restricting themselves to any one element of the total technology stack.
So, where do API gateways and service meshes come into play? Everywhere. Both businesses and governments need to enable secure connectivity for their microservices applications, both internal and external to the organizations’ nominal boundaries, in data centers, in clouds, and out to the edge for individual users’ mobile and desktop applications, and even Internet of Things (IoT) infrastructure – like a gas pipeline!
An API gateway is the first point of “ingress” contact for zero-trust architecture, receiving, screening, and routing incoming application requests to the appropriate applications. For a service mesh, it doesn’t matter if the underlying applications are running as microservices on Kubernetes-orchestrated containers, on VMs, on cloud compute instances, or on legacy monoliths on bare metal servers, all security policies should be centrally administered and consistently and automatically enforced.
The best modern API gateways are built starting from the open-source Envoy Proxy and most open service meshes are built starting from the open-source Istio, but there are vendors who have made it their business to expand on the projects with commercial offerings that are much more secure, even Federal Information Processing Standards (FIPS) ready.
Secure API gateways and service meshes should include features like mutual transport layer encryption (TLS and mTLS), the ability to manage secrets (credentials), a built-in web- application firewall (WAF), data loss prevention (DLP), extensible certificate-based authentication (including API Keys, JSON Web Tokens, LDAP, OAuth, and OIDC), federated role-based access controls (RBAC) and delegation, Open Policy Agent (OPA) authorization, and vulnerability scanning.
The API gateways and service meshes also need to be reliable when put under heavy load like a DoS attack with features like rate limiting, quotas, load-balancing, and global failover routing to other resources if needed. Access logging and unified observability through a central admin dashboard and tools like Prometheus or Grafana are also requirements.
What is clear is that a sweeping executive order very quickly becomes more complicated to implement when interpreted in context of modern applications and mixed operating environments. But if public and private organizations want to join in the fight for modern application security, they should review and assess the many tools needed to be successful in that fight. And clearly, the battle to preempt and prevent cyberattacks is one that affects us all.