Secure Service Mesh

Building a secure infrastructure is challenging. In addition to meeting security requirements, any protection needs to deliver exceptional performance that minimizes latency. In modern service mesh deployments, proxy services such as HashiCorp Consul or Envoy are executed alongside back-end applications to handle tasks like TLS termination, access-control policy enforcement, and more. The security of the service mesh relies on multiple requirements that are not trivial to fulfill. The following quote from HashiCorp Consul’s threat model documentation articulates this problem:

The following are not part of the Consul threat model for Consul server agents:

Access (read or write) to the Consul data directory. All Consul servers, including non-leaders, persist the full set of Consul state to this directory. The data includes all KV, service registrations, ACL tokens, Connect CA configuration, and more. Any read or write to this directory allows an attacker to access and tamper with that data.

Access (read or write) to the Consul configuration directory. Consul configuration can enable or disable the ACL system, modify data directory paths, and more. Any read or write of this directory allows an attacker to reconfigure many aspects of Consul. By disabling the ACL system, this may give an attacker access to all Consul data.

Memory access to a running Consul server agent. If an attacker is able to inspect the memory state of a running Consul server agent the confidentiality of almost all Consul data may be compromised. If you're using an external Connect CA, the root private key material is never available to the Consul process and can be considered safe. Service Connect TLS certificates should be considered compromised; they are never persisted by server agents but do exist in-memory during at least the duration of a Sign request.

Anjuna Runtime Security secures service-mesh components, and in particular sidecar proxies such as Consul or Envoy, to avoid potential compromise. It protects keys, ensures the integrity of configuration and access policies, and creates a secure perimeter around the sidecar proxy and the back-end application. By executing them in a secure enclave inside the CPU, Anjuna helps avoid the latency that results from the round-trip traffic needed for conventional HSMs or isolated servers. The high-performance CPU minimizes latency so organizations can enjoy performant services. Anjuna delivers confidence with the knowledge that sensitive TLS keys and configuration parameters are secured at runtime against compromise.