If you think about the interconnections among them, the cloud-native ecosystem of projects can resemble natural systems. Established CNCF projects such as Kubernetes, Envoy, gRPC, Prometheus and SPIFFE comprise a strong root system of modern cloud-native projects. Service mesh technology, by extension, acts as a sort of mycorrhizal network to this root system—securing, connecting and monitoring these various complex microservices.

It is in this metaphorical context that we view the September 2022 addition of Istio, the open source service mesh, to the vital group of open source projects under the CNCF canopy.

Istio was created in 2016, and just two years later reached its 1.0 release, becoming one of GitHub’s fastest-growing open source projects by 2019. When the U.S. government mandated zero-trust architectures for federal infrastructure in May 2021, a new spotlight was shone on service mesh technology—and on Istio in particular. Zero-trust elevates security to recognize the need for dynamic, identity-based controls with no clear perimeter. Zero-trust networking and policy enforcement, along with traffic management, load balancing and monitoring, are all components of Istio.

In fact, the creators of open source Istio (who went on to found Tetrate to bring service mesh to the enterprise) worked alongside the National Institute of Standards and Technology (NIST) to collaboratively produce U.S. security standards for a distributed architecture. The relevant Special Papers co-authored by Tetrate and NIST regarding zero-trust and Istio include:

  • (SP 800-204A) Building Secure Microservices-based Applications Using Service-Mesh Architecture
  • (SP 800-204B) Attribute-based Access Control for Microservices-based Applications using a Service Mesh
  • (SP 800-204C) Implementation of DevSecOps for a Microservices-based Application with Service Mesh
  • (SP 800-207A) A Zero Trust Architecture (ZTA) Model for Access Control in Cloud-Native Applications in Multi-Location Environments

Istio Graduates and Certification Becomes Available

Istio’s maturation and adoption were bolstered by a strong CNCF community, ushering it through to its recent graduation. With nearly 200 companies having committed code to Istio and the popularity of the project booming, training and certification have quickly become a requirement.

Responding to the high demand for the project and the call for deeper understanding of service mesh technology, Tetrate designed an “Introduction to Istio” course. This course was an evolution of Tetrate Academy, a program that provided training to 13,000 people on deploying and running distributed applications in a service mesh environment through educational materials and workshops. This eventually became the Istio certification program. In October 2022, Tetrate contributed the course to the CNCF and the Linux Foundation edX, making it available to the entire Istio community. Thus, Introduction to Istio (LFS144x) became the first official CNCF Istio course through the Linux Foundation, offering IT professionals the opportunity to become an Istio Certified Associate (ICA) with an industry-standard certification exam. So far, over 2,500 students have enrolled in the course.

Service mesh requires specialized knowledge to deploy and operate in production. Developers, service mesh operators and security engineers can take the Introduction to Istio course to build knowledge on how to optimize Istio to enable zero-trust networking, policy enforcement, traffic management, load balancing and monitoring without requiring applications to be rewritten.

An ICA certification is appropriate for IT professionals working in complex, distributed environments, sets candidates apart for current and future employers and is a natural progression after receiving Kubernetes certification. Being able to prove competency in installing, upgrading, configuring and deploying applications in Istio is extremely valuable at a time when these skills are in high demand. With increasing zero-trust initiatives, this advanced training and certification in defining ingress, egress, authentication and authorization policies is a feather in a security professional’s cap, signaling to the industry that they are placing modern application networking at the center of their competency portfolio.

Tetrate remains a top contributor to the Istio and Envoy gateway projects. The company is presenting at KubeCon + CloudNativeCon North America in Chicago, where it will showcase the latest iterations of its products, Tetrate Istio Subscription (TIS), Tetrate Service Express and Tetrate Service Bridge (TSB), at booth L12. Tetrate also will be showcasing the latest addition to its product lineup, Tetrate Enterprise Envoy Gateway (TEG), which is a 100% upstream Envoy Gateway distribution with additional tooling and support for improved user experience.

The CNCF ecosystem is often viewed as complex, but when you look at it through the metaphorical lens of a mycorrhizal network, suddenly, the nuance and depth become factors of strength. It is against this backdrop that we see the maturity of Istio taking root, and the ICA training is a big part of the project’s success within that network of projects.

