Building applications using microservices offers developers the ability to better scale their applications and take better advantage of public and hybrid cloud architectures. The ability to split each part of the application into independent codebases that perform one specific task means that each self-contained service can increase in size independently as its needs change, providing for this scalability. And it allows cross-functional teams to develop, test, and update services independently, leading to faster deployments and updates.
Though there are significant advantages to a microservices architecture, it can also be much more complex to manage and secure. With the potential for hundreds of services, it’s challenging for developers to keep track of component interactions, health, performance, and security.
In a recent SPIFFE blog post, Nathalia Satie Gomazako points out how a service mesh solves the problem of inter-service communications. By controlling service-to-service communication over a network, it allows separate parts of an application to communicate with one another. She explains how Istio is a very popular service mesh that does just this.
Nathalia goes on to explain how SPIRE, the reference implementation of SPIFFE, the Secure Production Identity Framework for Everyone, can integrate with Istio and assist with security concerns, especially when dealing with a multi-cloud infrastructure. This integration extends Istio capabilities by allowing workloads to be identified and to get their identities by a pre-defined set of assigned attributes. With this attestation process, Istio can securely issue cryptographic identities to workloads.
Her article, Hardening Istio security with SPIRE, is a quick 3-minute read and quite informative. I highly recommend it.