The president's recent executive order on improving the nation's cybersecurity highlights the security threats facing the country, and could not be more timely.
Ransomware has been an ever-present threat to U.S. hospitals, financial institutions, and infrastructure. The Colonial Pipeline attack forced the shutdown of the largest fuel pipeline in the United States, prompting emergency declarations in 17 states amid fuel shortages and rising prices. The White House's new cybersecurity executive order outlines the critical actions needed to better defend against and prevent similar threats in the future.
The order states that "to protect our nation from malicious cyber actors, the federal government needs to partner with the private sector." The private sector must "adapt to the ever-changing threat environment, ensure that its products are built and operate securely …"
The order also directs that the federal government "must adopt best security practices; move toward Zero Trust Architecture; accelerate the move to secure cloud services, including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS) …" Specific security measures are described, including multifactor authentication and encryption of data at rest and in transit, authentication of every connection request regardless of where it originates, centrally managed controls that are continuously enforced, and much more.
How does the order apply to modern application networks and current cloud-based technologies? The rise of hybrid and multi-cloud environments, distributed microservices applications, and container orchestration with Kubernetes implies the need for a zero-trust application network that works consistently and comprehensively across diverse, heterogeneous environments.
Reading these trends alongside the executive order makes clear that API gateways and service meshes have suddenly become critical software infrastructure, not only for the U.S. federal government but for any private enterprise that wants to be a technology provider to the government.
It is imperative that private companies and government organizations work together to secure connectivity for containerized, distributed microservices applications. This makes perfect sense: attackers probe the entire digital supply chain and its deployments, without limiting themselves to any single layer of the technology stack.
So where do API gateways and service meshes come into play? Everywhere. Both businesses and governments need to enable secure connectivity for their microservices applications, both inside and outside the nominal boundaries of organizations, data centers, and clouds; at the edge, in individual users' mobile and desktop applications; and even in Internet of Things (IoT) infrastructure such as a pipeline.
An API gateway is the first point of contact, the "front door," of a zero-trust architecture: it receives, inspects, and routes incoming application requests to the appropriate backend services. For a service mesh, it does not matter whether the underlying applications run as microservices in Kubernetes-orchestrated containers, in virtual machines, in cloud compute instances, or as legacy monoliths on bare-metal servers: all security policies must be managed centrally and consistently, and enforced automatically.
The best modern API gateways are built on the open source Envoy proxy, and most open source service meshes are built on Istio, but there are vendors committed to extending those projects with hardened commercial offerings, including builds that meet Federal Information Processing Standards (FIPS) requirements.
Secure API gateways and service meshes should include features such as transport-layer encryption and mutual authentication (TLS and mTLS), secrets (credential) management, a web application firewall (WAF), data loss prevention (DLP), extensible authentication (certificates, API keys, JSON Web Tokens, LDAP, OAuth, and OIDC), role-based access control (RBAC) and delegation, Open Policy Agent (OPA) authorization, and vulnerability scanning.
API gateways and service meshes must also remain reliable under heavy load, such as a denial-of-service (DoS) attack, with features such as rate limiting, quotas, load balancing, and global failover to other resources when necessary. Unified access logging and observability through a central administration console and tools such as Prometheus or Grafana are also requirements.
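To make the preceding points concrete, here is an added example of how the mesh-wide mTLS, JWT-based gateway authentication, and RBAC described above are expressed as Istio policy. It is illustrative configuration written for this article, not code from the executive order, from Istio, or from any vendor; the issuer URL, JWKS URL, namespaces, service accounts, and label values are placeholders that you would replace with your own.

```yaml
# Added example (not from the original article or from Istio itself).
# Assumes Istio's security.istio.io/v1beta1 API with istio-system as the
# root namespace; all hostnames, namespaces and labels below are placeholders.

# 1. Mesh-wide mTLS: every sidecar-to-sidecar connection must present a
#    SPIFFE workload certificate. Placing this in the root namespace makes it
#    the default for all namespaces that do not override it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny: an AuthorizationPolicy with an empty spec in the root
#    namespace denies every request to every workload until an explicit
#    ALLOW rule matches. This is the "least privilege" baseline.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# 3. JWT validation at the ingress gateway (the "front door"). Istio fetches
#    the issuer's signing keys from jwksUri and rejects requests whose token
#    fails signature, issuer or expiry checks.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-at-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://issuer.example.com"            # placeholder issuer
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# 4. Require a validated token at the gateway. RequestAuthentication alone
#    only rejects *invalid* tokens; a request with *no* token still passes.
#    Requiring a requestPrincipal here closes that gap.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-requires-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://issuer.example.com/*"]   # issuer/subject
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/*"]
---
# 5. Service-to-service RBAC on the mTLS identity. Only the checkout
#    workload's service account may call the orders API, and only on the
#    listed methods and paths. Everything else falls through to deny-all.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-api-allow-checkout
  namespace: orders                                 # placeholder namespace
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

Two practitioner notes on this configuration. First, the ordering matters for rollout: switch PeerAuthentication to STRICT only after every workload in scope has a sidecar, or plaintext callers will be cut off without warning. Second, the deny-all policy is what turns the ALLOW rules into least privilege; without it, a workload that no ALLOW policy selects accepts every authenticated request, which is rarely what an auditor reading the executive order's zero-trust language expects.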
What is clear is that a swiftly issued executive order becomes considerably more complicated to implement when interpreted in the context of modern applications and mixed operating environments. But if public and private organizations want to join the fight for modern application security, they should review and evaluate the many tools needed to succeed in it. And it is clear that the battle to prevent and contain cyberattacks affects us all.