Explore foundational concepts of zero-trust security principles within service mesh and API gateway environments. This quiz will assess understanding of key elements such as authentication, encryption, traffic policies, and the differences between service mesh and API gateway security in modern distributed systems.
In a zero-trust security model applied to service mesh, what is the primary assumption regarding network traffic inside the perimeter?
Explanation: Zero-trust security assumes that no traffic, even internal traffic, should be trusted by default; all traffic must be verified. The idea of trusting all internal traffic is outdated and insecure. Blocking all traffic at all times is impractical and would halt system operations. Focusing only on external traffic ignores the risks posed by lateral movement within the network.
Why is mutual TLS (mTLS) important in a zero-trust service mesh setup when services communicate with each other?
Explanation: Mutual TLS secures service-to-service communication by encrypting data and ensuring both parties authenticate each other, aligning with zero-trust goals. Faster data transfer is unrelated; encryption usually introduces a small overhead. Preventing request logging is not a feature of mTLS, and scaling services is a separate matter handled by other mechanisms.
Which is a typical function of an API gateway relevant to zero-trust security, but not generally performed by a service mesh?
Explanation: API gateways often handle user-centric authentication at the entry point, enforcing who can access APIs, which aligns with zero-trust. Service discovery and east-west traffic encryption are core responsibilities of service meshes. Circuit breaking is typically performed within the service mesh rather than at the API gateway.
If only the inventory service should read the order service data, which zero-trust security feature enables this policy in a service mesh?
Explanation: RBAC ensures that only specified services or users have required access, implementing least-privilege policies vital for zero-trust. Deployment scaling and auto-sharding are related to availability and data distribution, not access control. Traffic mirroring is used for testing or analysis, not for enforcing permissions.
In a distributed system secured by zero-trust, how does a service mesh mainly secure east-west traffic?
Explanation: Service mesh focuses on internal (east-west) traffic by encrypting communication and authenticating identities, preventing unauthorized access. Denying all incoming requests concerns north-south traffic and would block valid usage. Caching and limiting outgoing internet connections are not the primary approach for east-west security.
Which principle best describes the access policies in a zero-trust security architecture for microservices?
Explanation: Zero-trust is built around the principle of denying access by default and granting it only when specific conditions are met. Allowing all internal requests undermines security. Randomly allowing or denying has no basis in security. Blocking all requests would prevent any business operations.
How does implementing rate limiting in an API gateway contribute to zero-trust security?
Explanation: Rate limiting restricts the number of API calls, protecting against abuse like brute force attacks, which is important for zero-trust. It does not handle encryption or provide failover capabilities. While it reduces risk, it cannot fully eliminate internal threats.
What zero-trust action should a service mesh take before allowing a service to discover and connect to another service?
Explanation: Zero-trust requires identification and permission checks before service connections. Verifying network speed is unrelated to security. Logging is helpful but insufficient without access controls. Open connections without validation directly violate zero-trust principles.
Why should data at rest be encrypted, even in a zero-trust environment using service meshes and API gateways?
Explanation: Encryption at rest safeguards sensitive data from unauthorized access if hardware or backups are stolen. It does not impact database speed, data size, or network latency. These other options are unrelated to encryption's security purpose.
Within a zero-trust approach in API gateways, what does continuous verification refer to?
Explanation: Continuous verification means that system repeatedly checks if users or services are authorized during ongoing sessions, limiting the impact if credentials are stolen. Initial connection-only checks miss later risks. Time-based communication and password-only access without ongoing checks contradict zero-trust principles.