First introduced in Nov. 2018, App Mesh aims to simplify communication between microservices running on AWS. Building on service mesh technologies such as Istio and Envoy, App Mesh is the next step in standardizing and productizing this approach: it provides “rules for communications between microservices, capture metrics, logs, and traces directly into AWS services and third-party tools of your choice”, which makes it relatively easy to adopt.
You can read the AWS announcement, Introducing AWS App Mesh – service mesh for microservices on AWS, to kick-start your App Mesh journey.
What Is AWS App Mesh?
AWS App Mesh is a new technology that makes it easy to monitor, control, and debug the communications between microservices. App Mesh uses Envoy, an open source service mesh proxy, deployed as a sidecar alongside each microservice container. Its main features include monitoring and tracing of service-to-service traffic. App Mesh works with microservice containers running on Fargate, ECS and EKS.
Enhanced Threat Detection and Mesh Microsegmentation with Alcide Security Platform
By natively integrating with App Mesh, Alcide provides customers the following features to secure their service-mesh deployments running on AWS:
- Unified In- and Out-of-the-Mesh Micro-segmentation - Effective micro-segmentation for PCI DSS compliance purposes across multi-cluster deployments
- App Mesh Audit and Compliance - Alcide continuously monitors and protects service-mesh environments, flagging any mesh misconfiguration or setting that deviates from security best practices
- App Mesh Visualization - Alcide provides end-to-end visualization and observability of the mesh, highlighting which workloads are part of the service mesh and which are outside the mesh or part of the infrastructure.
- Threat Detection - Detecting permissive changes to AWS security groups that would allow any external party to reach a cluster inside the App Mesh, as well as detecting DNS tunneling activity within the cluster.
With Alcide, AWS App Mesh users can discover, observe, and secure multiple App Mesh deployments continuously.
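The security-group detection listed above boils down to a concrete check: compare two revisions of an EC2 security group and flag any watched port (SSH by default) that the newer revision exposes to the whole internet. The following Python is an added example, not Alcide's or AWS's code; the rule dictionaries follow the IpPermissions layout that EC2 DescribeSecurityGroups returns, but the two revisions are constructed sample data and the group id is a placeholder.

```python
"""Check EC2 security-group ingress rules for SSH opened to the whole internet.

Added example, not Alcide's or AWS's code. The rule dictionaries follow the
IpPermissions layout returned by EC2 DescribeSecurityGroups, but both
revisions below are constructed sample data, not real security groups.
"""
import ipaddress

SSH_PORT = 22


def rule_covers_port(rule, port):
    """True if an ingress rule applies to TCP `port` ("-1" = all protocols/ports)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule):
    """Yield every IPv4 and IPv6 CIDR source listed on an ingress rule."""
    for entry in rule.get("IpRanges", []):
        yield entry["CidrIp"]
    for entry in rule.get("Ipv6Ranges", []):
        yield entry["CidrIpv6"]


def world_open_ports(group, ports=(SSH_PORT,)):
    """Return the subset of `ports` that any address on the internet can reach."""
    found = set()
    for rule in group.get("IpPermissions", []):
        for port in ports:
            if not rule_covers_port(rule, port):
                continue
            for cidr in rule_sources(rule):
                # A /0 prefix (0.0.0.0/0 or ::/0) matches the entire address space.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    found.add(port)
    return found


def permissive_changes(baseline, current, ports=(SSH_PORT,)):
    """Ports newly exposed to the world between two revisions of the same group."""
    return sorted(world_open_ports(current, ports) - world_open_ports(baseline, ports))


# Constructed sample: the baseline allows SSH only from an internal range ...
BASELINE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}
# ... and a later revision adds 0.0.0.0/0 to the SSH rule.
CURRENT_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for port in permissive_changes(BASELINE_SG, CURRENT_SG):
        print(f"ALERT {CURRENT_SG['GroupId']}: port {port} newly reachable from 0.0.0.0/0 or ::/0")
```

Port 443 is world-open in both revisions, so it is not reported as a change; only the SSH rule that gained 0.0.0.0/0 is. In production the two dictionaries would come from successive DescribeSecurityGroups snapshots or from a CloudTrail AuthorizeSecurityGroupIngress event, and the watched port list would be widened beyond 22.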
The App Mesh PCI Angle
Image credit: Alcide
The PCI Data Security Standard is a framework that provides guidelines for any organization that processes, stores or transmits cardholder data. According to PCI DSS guidance, the ongoing security of cardholder data is the driving force behind everything in PCI DSS compliance, and “one way to reduce vulnerability - and the costs associated with security - is to be sure cardholder data and other consumer information isn’t stored unnecessarily. Organizations need to consider why they collect such information, whether or not collection of such information is absolutely necessary for business purposes, how long they keep the information, and what risks the collection and storage of such information place on their organization as well as other payment-industry stakeholders.”
With Alcide, companies that need to be PCI compliant and that run in an AWS environment can easily apply effective micro-segmentation that guarantees PCI-compliant microservices cannot be reached by microservices residing in non-PCI segments, whether inside or outside the service mesh, as seen in the image above. Additionally, Alcide can detect and flag any permissive change to existing AWS security groups that could allow an external third-party service to reach the cluster via SSH and expose internal assets. Lastly, Alcide can also detect malware that uses DNS tunneling to exfiltrate sensitive cardholder data.
With Alcide, companies using App Mesh benefit from high-resolution triage of App Mesh misconfigurations, anomaly detection, and unified mesh micro-segmentation, both in-the-mesh and out-of-the-mesh.
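The DNS-tunneling detection mentioned above rests on a few measurable traits: tunnels encode data into long, high-entropy subdomain labels, rarely reuse a name, and lean on record types that carry larger payloads (TXT, NULL). The Python below is an added illustration of those heuristics, not Alcide's detector; the log format (timestamp, client, query name, record type) and every query line are constructed, and `exfil-example.test` and `internal.example` are placeholder zones.

```python
"""Flag DNS query patterns characteristic of tunneling.

Added illustration, not Alcide's detector. The log format and all
query lines below are constructed sample data.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """
2019-02-01T10:00:01Z 10.0.1.5 payments.internal.example A
2019-02-01T10:00:02Z 10.0.1.5 api.internal.example A
2019-02-01T10:00:03Z 10.0.1.6 payments.internal.example A
2019-02-01T10:00:04Z 10.0.1.6 api.internal.example AAAA
2019-02-01T10:00:05Z 10.0.1.5 payments.internal.example A
2019-02-01T10:00:10Z 10.0.1.7 3f9a1c7e5b2d8a4f6c0e9b1d7a3f5c2e.0001.t.exfil-example.test TXT
2019-02-01T10:00:11Z 10.0.1.7 8b2e4d6f1a3c5e7b9d0f2a4c6e8b1d3f.0002.t.exfil-example.test TXT
2019-02-01T10:00:12Z 10.0.1.7 c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4.0003.t.exfil-example.test TXT
2019-02-01T10:00:13Z 10.0.1.7 0d1f3a5c7e9b2d4f6a8c0e1b3d5f7a9c.0004.t.exfil-example.test TXT
2019-02-01T10:00:14Z 10.0.1.7 5a7c9e1b3d5f7a9c1e3b5d7f9a1c3e5b.0005.t.exfil-example.test TXT
2019-02-01T10:00:15Z 10.0.1.7 e2b4d6f8a0c2e4b6d8f0a2c4e6b8d0f2.0006.t.exfil-example.test TXT
"""


def shannon_entropy(text):
    """Bits per character; random hex approaches 4, English words sit near 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, zone); the zone is approximated as the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    return [tuple(line.split()) for line in text.strip().splitlines()]


def zone_stats(rows):
    """Aggregate per-zone counters used by the heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "sub_len": 0, "entropy": 0.0, "bulk_types": 0})
    for _ts, _client, qname, qtype in rows:
        sub, zone = split_name(qname)
        z = stats[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["sub_len"] += len(sub)
        z["entropy"] += shannon_entropy(sub.replace(".", ""))
        z["bulk_types"] += qtype in ("TXT", "NULL")
    return stats


def suspicious_zones(rows, min_queries=5, max_avg_sub_len=30, max_avg_entropy=3.5):
    """Return {zone: [reasons]} for zones that trip at least two heuristics."""
    flagged = {}
    for zone, z in zone_stats(rows).items():
        if z["queries"] < min_queries:
            continue  # too few samples to judge
        avg_len = z["sub_len"] / z["queries"]
        avg_entropy = z["entropy"] / z["queries"]
        reasons = []
        if avg_len > max_avg_sub_len:
            reasons.append(f"long subdomains (avg {avg_len:.0f} chars)")
        if avg_entropy > max_avg_entropy:
            reasons.append(f"high-entropy labels (avg {avg_entropy:.2f} bits/char)")
        if len(z["subdomains"]) / z["queries"] > 0.9:
            reasons.append("almost every query uses a never-seen subdomain")
        if z["bulk_types"] / z["queries"] > 0.5:
            reasons.append("mostly TXT/NULL record types")
        if len(reasons) >= 2:
            flagged[zone] = reasons
    return flagged


if __name__ == "__main__":
    for zone, reasons in suspicious_zones(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible DNS tunnel to {zone}: " + "; ".join(reasons))
```

Requiring two independent indicators keeps CDN or anti-spam lookups (which legitimately use long or TXT-heavy names) from tripping the alert on their own; in a real deployment the thresholds would be tuned against the cluster's own baseline and the zone split would use the public suffix list rather than the last two labels.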
Contact us today to learn more.