Secure Identity and Context in Microservices with Tratteria

Open-source implementation of the new Transaction Tokens standard

Atul Tulshibagwale, CTO, SGNL
September 3, 2024

We’re pleased to announce the v1 release of Tratteria, a new open source framework whose initial contribution comes from SGNL.

Attackers who compromise credentials or steal tokens are primarily targeting your trusted infrastructure. At the same time, insider threats have skyrocketed and software supply chain attacks are surging. All of these can cause enormous damage by abusing your existing microservices through malicious internal API calls. The root cause is that microservices in a VPC trust each other blindly, or rely on insecure mechanisms such as passing an external authorization token around internally.

Transaction Tokens (TraTs) is a new draft specification in the OAuth working group of the Internet Engineering Task Force (IETF). The co-authors of this specification are from Microsoft, Capital One, and SGNL. TraTs greatly reduce the trust that services within your infrastructure have to place in each other. TraTs make it nearly impossible for attackers who may be lurking in your infrastructure - such as malicious insiders, malicious code injected through your software supply chain, or a compromised privileged identity - to make internal calls appear to be legitimate user requests. TraTs are short-lived, digitally signed JSON Web Tokens (JWTs) that assure the identity and the context of the original initiating invocation (e.g. an end-user request or an external API call) throughout the resulting internal “call chain”, which may span a number of microservices.

Tratteria is a Kubernetes-native framework designed to facilitate the adoption of TraTs in existing applications to secure their call chains. The framework consists of a TraTs issuance service, a Kubernetes custom controller for configuration management, and sidecar agents for verifying TraTs. Tratteria assumes applications use SPIFFE for service-to-service trust. TraTs generation and verification policies for APIs are described using Kubernetes Custom Resources, allowing applications to describe their services, API endpoints, and immutable context elements (such as path and query parameters, headers, and body elements). Convenient defaults let applications reuse such policy descriptions across a number of microservices. The Tratteria documentation includes a tutorial on why TraTs are required, what they are, and how to use them in existing applications. It also has a quickstart guide with a sample application that uses the Dex IdP for user authentication and displays the issued TraTs to the user. While Tratteria can operate alongside service meshes such as Istio, ongoing development aims to optimize this integration, potentially leveraging existing Istio capabilities for improved overall functionality.

“After we left Google, Atul and I were surprised there wasn’t any open source that could securely assure identity and context in microservices call chains. In talking to folks from other large tech companies, we realized that they all landed on a similar solution pattern,” said Erik Gustavson, CPO and co-founder of SGNL. “So we helped develop the Transaction Tokens standard, and we’re thrilled to launch the Tratteria open source framework to help secure microservices.”

Download and get started now at: tratteria.io

FAQ

  • What is being announced?
    A new open source project that vastly improves security in microservices
  • Isn’t this already covered by standards like SPIFFE?
    SPIFFE provides trust between microservices, but an insider or malicious code in an organization’s infrastructure can still make spurious calls that are indistinguishable from legitimate user requests or external API requests. Likewise, the identity and context carried in existing calls can be changed even when SPIFFE is in use.
  • Don’t service meshes like Istio provide this?
    Istio and other service meshes rely on SPIFFE or similar service-to-service trust mechanisms, so they share the same limitation: they do not assure the identity and context within a call chain.
  • OK, so what can I do now that I couldn’t before?
    You can be assured that a compromise of your infrastructure cannot be leveraged by attackers to subvert your running code and services by injecting malicious internal API calls or altering internal API calls between your components.
  • I already have SPIFFE, can I still use Tratteria?
    Yes, Tratteria assumes that the service-to-service layer has been secured using SPIFFE.
  • I already have Istio or another service mesh. Can I still use Tratteria?
    Yes, Tratteria can work alongside existing service meshes.
  • I already have a complex application with tens of microservices. How easy is it for me to use Tratteria?
    Tratteria is designed such that you can drop it into existing microservices applications. You only need to specify the Tratteria configuration, integrate it with the incoming external invocations, and where applicable, add the Txn-Token header to downstream calls between microservices.
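The three integration steps above (mint a TraT when an external invocation arrives, carry it downstream in the Txn-Token header, verify it at each hop) and the description of TraTs as short-lived signed JWTs that seal identity and immutable context are easiest to see in code. The following Go program is an added example written for this page; it is not Tratteria’s own code and does not use its API. It assumes an Ed25519 key pair shared only as a public key with verifiers, claim names modelled on the draft’s vocabulary (`txn`, `sub_id`, `purp`, `azd`) whose exact wire format is an assumption here, and a sample transfer request whose path and amount are the policy’s immutable context elements.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of the constructed transaction token. Claim names follow the vocabulary of
// the Transaction Tokens draft, but the exact wire format is an assumption of this example.
type TraTClaims struct {
	Iss   string            `json:"iss"`
	Aud   string            `json:"aud"`    // the trust domain whose services may accept it
	Exp   int64             `json:"exp"`    // short-lived: minutes, not hours
	Txn   string            `json:"txn"`    // unique id for this transaction / call chain
	SubID string            `json:"sub_id"` // the end user or external caller who started it
	Purp  string            `json:"purp"`   // what the transaction is for
	Azd   map[string]string `json:"azd"`    // immutable context sealed at issuance
}

var b64 = base64.RawURLEncoding

// Issue mints a TraT once, at the edge, after the external request has been
// authenticated; the sealed context is whatever the policy marks as immutable.
func Issue(priv ed25519.PrivateKey, iss, aud, sub, purp string, ctx map[string]string, ttl time.Duration, now time.Time) (string, error) {
	txnID := make([]byte, 16)
	if _, err := rand.Read(txnID); err != nil {
		return "", err
	}
	claims := TraTClaims{Iss: iss, Aud: aud, Exp: now.Add(ttl).Unix(),
		Txn: fmt.Sprintf("%x", txnID), SubID: sub, Purp: purp, Azd: ctx}
	payload, _ := json.Marshal(claims) // strings and string maps always marshal
	header := []byte(`{"alg":"EdDSA","typ":"txn_token"}`)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// decodePart base64url-decodes one token segment and unmarshals its JSON.
func decodePart(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Verify is what a sidecar does on each internal call carrying a Txn-Token
// header: signature, type, lifetime and audience first, then a check that the
// request actually being served still matches the context sealed in the token.
func Verify(pub ed25519.PublicKey, token, aud string, req map[string]string, now time.Time) (*TraTClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("invalid signature")
	}
	var hdr map[string]string
	var claims TraTClaims
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, err
	}
	// Refuse any other JWT type, e.g. an external access token replayed internally.
	if hdr["typ"] != "txn_token" || hdr["alg"] != "EdDSA" {
		return nil, errors.New("not a transaction token")
	}
	if now.Unix() >= claims.Exp || claims.Aud != aud {
		return nil, errors.New("token expired or not addressed to this trust domain")
	}
	// Every sealed element must be present and identical in the live request.
	for k, want := range claims.Azd {
		if got, ok := req[k]; !ok || got != want {
			return nil, fmt.Errorf("immutable context %q altered within the call chain", k)
		}
	}
	return &claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ctx := map[string]string{"path": "/accounts/123/transfer", "amount": "50"} // constructed sample request
	tok, _ := Issue(priv, "https://tts.example", "bank.internal", "alice", "transfer", ctx, 2*time.Minute, time.Now())
	_, okErr := Verify(pub, tok, "bank.internal", ctx, time.Now())
	ctx["amount"] = "5000" // a compromised hop rewrites the request between two services
	_, tamperErr := Verify(pub, tok, "bank.internal", ctx, time.Now())
	fmt.Println("unaltered:", okErr, "| altered:", tamperErr)
}
```

The property the FAQ describes follows from where the keys live: only the issuance service holds the private key, so a service that is SPIFFE-authenticated but cannot present a TraT signed by that key is rejected even though its workload identity is genuine, and a hop that rewrites a sealed element (here the transfer amount) fails the context comparison at the next sidecar. The `typ` check also prevents the anti-pattern from the opening paragraph, an external authorization token forwarded internally, from being accepted in place of a TraT.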

About SGNL

Backed by Microsoft and Cisco, SGNL, a company founded by former Google executives, helps enterprises minimize damage from identity breaches, social engineering / phishing attacks and malicious insiders. It does so by dynamically adjusting permissions based on data in existing business systems of record, in order to provide employees with the right access at the right time to AWS, Azure, GitHub, Salesforce, APIs and internal applications.
