The document discusses the implementation of compliance and zero trust principles using Istio Ambient Mesh, a sidecar-less data plane designed to improve performance and simplify operations in cloud-native environments. It emphasizes the importance of a zero trust architecture that requires strict verification of resources and dynamic access control to maintain security in distributed systems. The document also outlines the benefits of Istio Ambient Mesh, including reduced attack surface, operational simplicity, and enhanced security features.

1. Solving for Compliance and
Zero Trust with Istio Ambient
Mesh
Christian Posta, Global Field CTO

2. 2 | Copyright © 2022
CHRISTIAN POSTA
VP, Global Field CTO, Solo.io
@christianposta
christian@solo.io

3. 3 | Copyright © 2022
Solo.io - The Next Step in Your Cloud Journey
Well Funded ($135M), $1B Valuation
Satisfied Customers (135% Renewals)
Cloud-native Technology Leadership
Cloud-native Education Leadership
The Service Mesh and API Platform
for Kubernetes | Zero-Trust | Microservices

4. 4 | Copyright © 2022
What does it mean to “trust”?

5. 5 | Copyright © 2022

6. 6 | Copyright © 2022
Trust-Full Security

7. 7 | Copyright © 2022
Trust-Full Security

8. 8 | Copyright © 2022
Trust-Full Security

9. 9 | Copyright © 2022
Perils Lurking…

10. 10 | Copyright © 2022
CORP is Distributed

11. 11 | Copyright © 2022
Industry compliance (PCI, FedRAMP, PHI, PII, etc)
● Maintain a secure network
● Restrict sensitive data (card holder, patient health, identifiable info, etc)
● Track vulnerabilities, patch/upgrade known vulnerabilities
● Implement strong access control to sensitive data
● Monitor, track, and dynamically alter policy

12. 12 | Copyright © 2022
Tenets of Zero Trust
• Assume a Hostile Environment - There are malicious persona both inside and outside the
environment
• Presume Breach - Operate and Defend resources with the assumption that an adversary
has presence in your environment
• Never Trust, Always Verify - Deny by default. Every resource is explicitly authorized using
least privilege multiple attributes, and dynamic cybersecurity principles
• Scrutinize Explicitly - Access to resources is conditional and access can dynamically
change based on action and confidence levels resulting from those actions
• Apply Unified Analytics - for data, applications, assets, services to include behavioristics
and log each transaction

13. 13 | Copyright © 2022
Zero Trust Security

14. 14 | Copyright © 2022
Zero Trust Security

15. 15 | Copyright © 2022
Zero Trust Architecture Frameworks
NIST, CISA Zero Trust Framework MIT ZTA Framework: Principles -> “Job to be done”
Identity
Verification Access
Control Resource
Protection
Policy and Orchestration
Monitoring and Analytics
Continuous Cybersecurity
Operations

16. 16 | Copyright © 2022
Zero Trust Architecture Frameworks
NIST SP
800-204A/B
NIST SP 800-53
NIST SP
800-207
Service Mesh Configuration
Network Policy 𑇐 Transparent TLS encryption
L
4
L
7
Strong Identity
Authentication, Authorization and Audit (AAA)
API Gateway 𑇐 OpenAPI Spec
Future Controls
GitOps
Friendly
Traffic Policy 𑇐 A/B 𑇐 Canary 𑇐 OWASP

17. 17 | Copyright © 2022
Boiling it Down…
● All communication to resources is secured, regardless of location on the
network
● Access to resources is granted per session
● Access to resources is determined dynamically
● All-access is authenticated and authorized
● Access is tracked, logged, audited, and can be dynamically revoked

18. 18 | Copyright © 2022
Zero Trust (abstract)

19. 19 | Copyright © 2022
Service Mesh Can Help

20. 20 | Copyright © 2022
What is Service Mesh?

21. 21 | Copyright © 2022
Application Networking

22. 22 | Copyright © 2022
Application Networking

23. 23 | Copyright © 2022
Application Networking

24. 24 | Copyright © 2022
Application Networking

25. 25 | Copyright © 2022
Application Networking

26. 26 | Copyright © 2022
Application Networking

27. 27 | Copyright © 2022
Application Networking

28. 28 | Copyright © 2022
Istio - Open Source Service Mesh
2017
Istio Launched
Data Plane
Enhancements
2019-20
7 New Community Releases
1000s Production Users
~ 1000 Community Contributors
2022
CNCF
2019-2022

29. 29 | Copyright © 2022
Can this be improved?

30. 30 | Copyright © 2022
Istio Data Plane
https://www.solo.io/blog/ebpf-for-service-mesh/

31. 31 | Copyright © 2022
Istio Data Plane
https://www.solo.io/blog/ebpf-for-service-mesh/

32. 32 | Copyright © 2022
Istio Data Plane
https://www.solo.io/blog/ebpf-for-service-mesh/

33. 33 | Copyright © 2022
Introducing Istio Ambient Mesh
A new, open source contribution to the Istio project,
that defines a new sidecar-less data plane.
Improve
Performance
Simplify
Operations
Cost
Reduction
https://istio.io/latest/blog/2022/introducing-ambient-mesh/

34. 34 | Copyright © 2022
How does it work?
● Separate mesh capabilities into L4
and L7
● Adopt only the capabilities you need
● Remove the data plane from the
workload Pods
● Leverage more capabilities in the
CNI
● Reduce attack surface of data plane

35. 35 | Copyright © 2022
How does it work?

36. 36 | Copyright © 2022
How does it work?

37. 37 | Copyright © 2022
Benefits
● No more race conditions between workload
containers and sidecar/init-container, etc
● Don’t need to inject Pods / alter
deployment resources
● Upgrades/patching are out of band /
transparent from the application
● Limited risk profile for opting into mesh
features
● Reduced blast radius of application
vulnerabilities
● Cost savings with reduced data plane
components
● Maintain isolated tenancy, customization,
configuration
● Maintain the foundations of zero-trust
network security
● Improved performance

38. 38 | Copyright © 2022
Demo

39. 39 | Copyright © 2022
Additional Resources
● https://lp.solo.io/white-paper-zero-trust
● https://www.solo.io/blog/apis-data-breach-zero-trust/
● https://www.solo.io/topics/zero-trust/
● https://www.solo.io/zero-trust/
● https://academy.solo.io
● https://istio.io
https://lp.solo.io/istio-ambient-mesh-explained

40. Thank You!