The sweeping US executive order of cybersecurity for both private and government organizations have called for a reassessment of tools and strategies
The shutdown of the colonial pipeline led to new cybersecurity executive order that lays out critical action to defend organizations from cyberattacks better. The order mentions zero trust strategy and the security of cloud services.
The executive regulation states that the federal government will partner with the private sector to protect the nation from malicious threats. The private sector has to adapt to the rapidly changing threat environment and secure its products to the best of its ability. Adoption of security strategies that advance zero trust architecture to secure SaaS, IaaS, PaaS is essential. Multi-factor authentication and data encryption have also become mandatory. How does this law affect the cloud-first technology and application network?
Industry leaders state that the sweeping executive order has not foreseen complications. It becomes more complex to follow regulations when the context of modern applications and hybrid operating environments are considered. Both private and public organizations that want to defend themselves from cyber threats by implementing the executive order need to review and access the numerous tools that are actually needed first.
The rise of multiple and hybrid cloud environments and distributed micro-service applications indicate that a zero-trust application networking that consistently functions in various environments is necessary. With the announcement of the order, API getaways and service meshes will become crucial software infrastructure for both the US government and private businesses that supply technology to them.
A zero-trust architecture begins with an API getaway as it receives, screens, and re-routes application requests to intended applications. On the other hand, a service mesh is not affected by underlying applications that are running as micro-services on VMs, cloud computing, on legacy monoliths, or Kubernetes-orchestrated containers. All the security policies have to be centrally, consistently, and automatically administered.
Experts believe that most API gateways are built from the open-source Envoy Proxy, and service meshes begin at the open-source Istio, but many vendors have expanded the projects with commercial offerings that include Federal Information Processing Standards and claim to be more secure.
Secure API gateways and service meshes should include mutant transport layer encryption, manage credentials, possess a built-in firewall, prevent loss of data, and have the ability of vulnerability scanning. They also include extensible certificate-based authentication, federated role-based access controls, and OPA authorization. Businesses expect them to be reliable even under the stress of a heavy DoS attack by possessing features such as load-balancing, rate limiting, quotas, and global failover re-routing.
The security of private and government micro-service applications includes internal and external boundaries in data centers, clouds, and the network edge. The API gateways are also needed to secure mobile and desktop applications along with the IoT devices.
It is important to establish a collaboration between private businesses and government organizations to successfully secure containerized and distributed micro-services applications. Experts explain that the move is necessary because the cyber threat does not affect a single element of the technology stack but the whole digital supply chain and its implementation. API gateways and service meshes are needed everywhere.