VMware Tanzu® Service Mesh™ Enterprise is a superset of Tanzu Service Mesh Advanced that integrates with the platform, DevOps, and DevSecOps for delivering application connectivity, resiliency, performance, and API security. API security capabilities of Tanzu Service Mesh Enterprise include API vulnerability detection and mitigation, PII segmentation, and API security visibility.

Overview

Traditionally, applications were developed as self-contained monoliths running on homogeneous workloads. Threats came from outsiders trying to breach perimeter defenses to gain unauthorized access to data in memory or at rest.

As applications became highly distributed, their workloads started spanning the network and, in many cases, stretching from private data centers to the cloud and even across clouds. This proliferation significantly increases the number of exposed endpoints. As a result, the defense perimeter has expanded and become intrinsically more complex. More and more data is now in transit instead of at rest, making it harder to protect. Likewise, attackers are no longer only outsiders infiltrating the perimeter defenses to reach the infrastructure. They now leverage the same cloud capabilities that their targets do and act as insiders, moving east-west across layer-4 and layer-7 endpoints.

Additionally, infrastructure has become more robust, mature, and hardened. Thus, attackers are shifting from the infrastructure plane (layers 3 and 4) to the application plane (layer 7). This makes distributed layer-7 (application plane) data-in-motion a far broader attack surface and the path of least resistance for attackers than before.

To secure applications, enterprises today deploy one or more perimeter-based solutions, such as network firewalls, web application firewalls (WAFs), and API gateways (offering API translation, authentication, and authorization services), some of which have simply been repurposed for virtualized environments. Not only are these ineffective at securing distributed workloads, but they also do not address deep application-layer attacks and data leaks.

Some organizations use network-layer micro-segmentation solutions to combat east-west threats once the perimeter is breached. While these solutions are distributed, they still focus on the network layer and do not protect against application-layer attacks. Other solutions, such as container firewalls or vulnerability management offerings, either focus on a single type of workload (for example, containers) or do not address attacks embedded deep within application-layer components such as REST and gRPC APIs, Kafka message buses, MySQL data access, and so on.

All these solutions are either inefficient or ineffective at defending against distributed, application-layer attacks and data breaches. What is needed, therefore, is a comprehensive and highly distributed security approach that focuses on data-in-motion at the application layer, or in other words, an Application Security Mesh. Tanzu Service Mesh Enterprise by VMware is one such solution for protecting your applications from data exposure risks and deep application-layer vulnerabilities.

Why Tanzu Service Mesh Enterprise

Tanzu Service Mesh Enterprise can address all the security and connectivity requirements that modern applications demand in production: resiliency, connectivity, observability, and security. Listed below are the most noteworthy features that Tanzu Service Mesh Enterprise has to offer:

  • Application Resiliency. Resiliency is achieved through predictable application response times, SLOs, rollouts, and autoscaling in multi-cluster and multi-cloud deployments.

  • Secure Application Connectivity. Global namespaces (GNS) provide strong isolation for applications. Global service identities, certificate management, and mTLS encryption are used for secure communications.

  • Application Performance Visibility. Services are observed and monitored through operational metrics, topology maps, service graphs, traffic flows, and performance metrics.

  • API Security. API security is achieved through API vulnerability detection and mitigation, API baselining, and API drift detection (including API parameters and schema validation).

  • Personally Identifiable Information (PII) segmentation and detection. PII data is segmented using attribute-based access control (ABAC) and is identified through PII data detection and tracking, together with end-user detection mechanisms.

  • API Security Visibility. API security is monitored using API discovery, security posture dashboards, and rich event auditing.