Idit Levine, is the founder and CEO of the unicorn service mesh platform, Solo.io.
Some say that it was her professional basketball career that gave her the drive to develop such a successful enterprise. Others report her success should be attributed to her ability to self-teach solution-based skills. Likely, it’s both.
Idit’s dialled-in focus for how enterprises can connect hard-to-change, tested applications with more modern, flexible microservices and service mesh is worthy of her organisation’s 1 Billion Dollar Valuation.
M.R. Rangaswami: Modern enterprise infrastructure and next gen technologies such as modern cloud native and microservices have basically eliminated the perimeter, so how has this affected security as a whole?
Idit Levine: Not so long ago, a perimeter separated a company’s assets from the outside world. Now, there is no “inside” versus “outside”; everything is considered outside. A larger attack surface—the number of exposed and potentially vulnerable resources within your enterprise—means more opportunities for cybercriminals. And the average cost of a data breach in the U.S.? A staggering $9.44 million. Forward-looking organizations have implemented defense-in-depth (DiD), a multi-layered cybersecurity approach with several defensive mechanisms set up to protect valuable data and information. Others are implementing zero-trust, which basically means check, check again, then trust in order to verify.
One of a modern organization’s biggest challenges is assessing exactly how many entities they must secure. Keep in mind that microservices and modern applications have exponentially more pieces than previous generations of applications. One microservice may contain 10 pieces while a previous application had only one. Once you break down these multi-part applications and services, you must factor in how all these pieces communicate over the network—a network that should be inherently untrusted.
M.R.: Service mesh has long been thought of more as a DevOps solution, but can it too help with modern security?
Idit: Service mesh tackles the prime challenges of developing and securing microservices and modern applications (different teams using different languages and frameworks) by moving authentication and authorization to a common infrastructure layer. The service mesh helps authenticate between services to ensure secure traffic flow, also enforcing service-to-service and end-user-to-service authorization. Service mesh enforces role-based access control (RBAC) and attribute-based access control (ABAC). A service mesh can validate the identity of a microservice as well as the resource (server) running the microservice.
A service mesh also acts as traffic control within the network, freeing application teams to focus on building applications that benefit the business—without taking on the additional task of securing these applications. The service mesh delivers consistent security policies for inside and outside traffic and flexible authentication of users and machines. It also enables cryptographically trusted authentication for both users (humans) and machines or applications. Cryptographic security depends on keys to encrypt and decrypt data to verify and validate users. In addition to enabling encrypted paths between applications, service mesh allows for flexible failover (and improved uptime) and known points for security logging and monitoring.
M.R.: Does zero trust have a play here? How should InfoSec treat a zero trust strategy?
Idit: It’s been a year since president Joe Biden issued a cybersecurity executive order spelling out the importance of adopting a zero-trust cybersecurity approach, yet only 21% of critical infrastructure organizations have adopted a zero-trust model.
The zero-trust approach is essential for fast-moving, cloud-native application environments. Many commercial organizations and government agencies are turning to service mesh to bolster their zero-trust initiatives. Government agencies, for example, always struggle to secure high-value assets (including critical infrastructure) from hackers and bad actors. And these attackers can be internal (disgruntled employees or contractor/vendor breaches) or external (foreign nation-state threat actors). As a result, there are no insiders or outsiders; everyone is outside and untrusted until proven otherwise.
Service mesh is one of the simplest ways to enable zero-trust security. A service mesh helps authenticate and cryptographically validate and authorize people, devices and personas. It can further be used to enforce policies and identify potential threats.
M.R. is the Co-Founder of Sandhill.com