Tidepool deals with personal and private health information. In the United States, this information is protected by law: the HIPAA Security Rule requires safeguards for protected health information (PHI) both in transit and at rest, which in practice means encrypting it in flight and at rest.
Our legacy solution for in-flight encryption was HTTPS between microservices, using a single, shared, long-lived, self-signed TLS certificate. We wanted to do better.
The problem with the legacy solution is that we had used the same certificate, and therefore the same private key, for several years. Because every service presented that one key, a compromise of it would let an attacker decrypt or impersonate any service-to-service connection and so expose all user data, and because the key was shared, no single service could be identified or revoked on its own. We wanted a solution that supports easy certificate rotation. We also wanted a solution that does not require us to change our base services: we want to move the security requirements out of the services themselves. For this, a service mesh is ideal.
A service mesh intercepts all traffic between services, so it can inspect or modify that traffic. By wrapping the traffic in mutual TLS (mTLS), in which both the client and the server present certificates, a service mesh keeps service-to-service traffic from being read or tampered with in transit and lets each side verify the identity of the other.
There are several service mesh offerings, including Istio and Linkerd. Each service mesh is composed of two sub-systems: a control plane and a data plane. The control plane configures the data plane; the data plane is what actually touches service-to-service traffic.
In the case of Istio, the data plane is based on the feature-rich Envoy proxy, originally developed at Lyft. In the case of Linkerd, the data plane uses a purpose-built proxy written in Rust. Both proxies can perform mutual TLS, collect telemetry, and implement timeouts and retries. The Linkerd proxy has much better performance (as measured by request latency).
We investigated Istio 1.1 in mid-2019 and found it rather complicated to install and maintain. By contrast, Linkerd 2.4 was easy to install. We selected Linkerd for its simplicity.
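Here is what meshing a service looks like with Linkerd 2.x, as an added example that is not from the original post or from Tidepool's own manifests. The Deployment name, namespace and image are assumed placeholders; the linkerd.io/inject annotation is the real Linkerd annotation that tells the proxy injector to add the sidecar to each pod, so the application container needs no TLS configuration of its own.

```yaml
# Added example: a plain Deployment meshed with Linkerd by annotation.
# The name, namespace and image are placeholders (assumed, not from the post).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-api          # assumed service name
  namespace: example         # assumed namespace
spec:
  replicas: 2
  selector:
    matchLabels:
      app: example-api
  template:
    metadata:
      labels:
        app: example-api
      annotations:
        # Real Linkerd annotation: the proxy injector adds the linkerd-proxy
        # sidecar to every pod created from this template, and that sidecar
        # originates and terminates mTLS on the service's behalf.
        linkerd.io/inject: enabled
    spec:
      containers:
        - name: api
          image: example.org/example-api:1.0.0   # assumed image
          ports:
            - name: http
              containerPort: 8080   # plain HTTP inside the pod; mTLS happens
                                    # in the sidecar, not in the application
```

To use it: install the control plane with linkerd install piped into kubectl apply, run linkerd check, then apply the manifest. Do not assume the traffic is encrypted just because the annotation is present; verify it. In current Linkerd 2.x releases, linkerd -n example edges deployment lists each source/destination pair with the identity it was authenticated as and whether the connection was secured, and linkerd -n example tap deploy/example-api shows tls=true on requests that crossed the mesh. Two caveats: the annotation must be on the pod template (or on the namespace), and both ends of a connection must be meshed, since traffic from an un-meshed client into a meshed pod stays plaintext. The per-proxy certificates are issued by Linkerd's identity service, are short-lived (24 hours by default) and are rotated automatically, which is what makes rotation easy; the issuer certificate and trust anchor created at install time have their own expiry and still need a rotation plan.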
On the horizon
Since then, Istio has made great strides to reduce complexity. The Istio 1.5 release embraces the Kubernetes operator pattern, which should simplify the installation and maintenance of an Istio deployment. We will keep our eye on Istio.
In our next blog, we will discuss our migration to a hosted MongoDB service.