Secure Service-Mesh implementations: Mitigating lateral-movement risks in container-based Telecom Apps
Abstract
Telecom applications, such as virtualized network functions and microservices, are now commonly deployed as containers in Kubernetes clusters. While service meshes (e.g., Istio, Linkerd) provide mTLS and traffic control, misconfigurations or coarse policies can allow attackers to move laterally once inside the mesh. We present SM-Secure, an enhanced service-mesh framework that enforces zero-trust microsegmentation, fine-grained policy-as-code, and dynamic anomaly detection to block lateral-movement attempts. In a telecom testbed with five microservices, SM-Secure achieved:
• 100 % blockage of simulated lateral scans and unauthorized API calls (vs. 82 % baseline)
• < 2 ms average per-hop policy-enforcement latency (vs. 1.2 ms for the baseline mesh)
• < 8 % CPU overhead on sidecar proxies
• Real-time detection of anomalous east-west flows with 94 % precision
We describe the architecture and policy-engine design (illustrated with Mermaid diagrams), the experimental methodology and results, and discuss deployment considerations.
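To make the "coarse policy" failure mode concrete, the following Istio manifests contrast a namespace-wide allow rule, which lets any compromised workload in the namespace call any other, with the default-deny plus per-principal, per-path allow pattern that the abstract calls zero-trust microsegmentation. This is an added illustration written for this page, not SM-Secure's own configuration: the namespace `telecom`, the workloads `amf` and `smf`, their service accounts, and the request path are assumed names chosen for the example.

```yaml
# --- WEAK: coarse policy (assumed example, not from the paper) ---
# Any workload in the 'telecom' namespace may reach 'smf' on any path and method.
# A foothold on one pod is enough to scan and call every other service.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: smf-allow-namespace          # assumed name
  namespace: telecom                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: smf                       # assumed workload label
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["telecom"]  # too broad: every pod in the namespace
---
# --- HARDENED: zero-trust microsegmentation (assumed example) ---
# 1. Require mTLS for every workload in the namespace so the caller identity
#    (SPIFFE principal from the client certificate) is authenticated, not claimed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: telecom
spec:
  mtls:
    mode: STRICT                     # plaintext and PERMISSIVE fallbacks refused
---
# 2. Default-deny: an AuthorizationPolicy with an empty spec and no selector
#    denies all traffic to every workload in the namespace unless an ALLOW
#    policy explicitly matches (documented Istio semantics).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: telecom
spec: {}
---
# 3. Explicit allow, scoped to one caller identity, one method and one path.
#    A lateral scan from any other service account, or a call to any other
#    endpoint on 'smf', falls through to the deny-all policy above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-amf-to-smf             # assumed name
  namespace: telecom
spec:
  selector:
    matchLabels:
      app: smf
  action: ALLOW
  rules:
    - from:
        - source:
            # assumed service account for the 'amf' workload
            principals: ["cluster.local/ns/telecom/sa/amf"]
      to:
        - operation:
            methods: ["POST"]
            # assumed API path; in practice enumerate each allowed endpoint
            paths: ["/nsmf-pdusession/v1/sm-contexts"]
```

Apply with `kubectl apply -f`, then verify from a pod running under a different service account that `curl` against the `smf` service returns `RBAC: access denied` (HTTP 403 from the sidecar) while the same request from an `amf` pod succeeds. Keeping these manifests in version control and reviewing them like code is the "policy-as-code" half of the approach; the fine-grained `principals`, `methods` and `paths` fields are what turn a namespace-wide trust boundary into a per-call one.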