Authors: Sriram Ghanta
Abstract: As enterprise Java platforms increasingly adopt microservices and cloud-native architectures, securing east-west traffic between services has emerged as a critical challenge due to the exponential growth in inter-service communication, dynamic service discovery, and infrastructure elasticity. Traditional perimeter-based security models, which rely on hardened network boundaries, and application-level TLS configurations, which require manual certificate management and tight coupling with business logic, fail to scale in highly distributed environments characterized by ephemeral workloads, frequent deployments, and multi-cloud topologies. Service meshes address this gap by decoupling security concerns from application code and enforcing transport-level guarantees transparently through dedicated data-plane proxies, enabling consistent encryption, authentication, and authorization policies across heterogeneous services. This paper examines secure service mesh models based on mutual Transport Layer Security (mTLS), with a focus on enterprise Java platforms, analyzing architectural patterns implemented by modern service meshes such as Istio, Linkerd, Consul Connect, and Envoy-based meshes. It further explores how workload identity frameworks, including SPIFFE and SPIRE, enable automated identity provisioning, certificate issuance, rotation, and trust propagation at scale, eliminating operational friction and reducing configuration errors. Through architectural analysis and synthesis of prior empirical studies, the paper demonstrates that mTLS-enabled service meshes significantly enhance security posture, operational consistency, and system resilience while allowing Java applications to evolve independently of underlying security mechanisms.
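To make the pattern the abstract describes concrete, the following is an added illustration (not configuration from the paper or from any of the projects it names) of how an Istio mesh separates the two guarantees: transport-level mTLS is enforced mesh-wide by a `PeerAuthentication` resource in `STRICT` mode, and service-to-service authorization is expressed against the SPIFFE identity the sidecar proxy presents, so neither concern touches the Java application code. The namespaces `frontend` and `orders`, the service account names and the `app: orders` label are assumed for the example; the trust domain `cluster.local` is Istio's default.

```yaml
# Mesh-wide transport policy (assumed to live in Istio's root namespace, istio-system).
# STRICT rejects any plaintext connection, including from workloads outside the mesh,
# so every hop between sidecars is authenticated with workload certificates.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Authorization keyed on the caller's SPIFFE ID rather than on IP address or network.
# Istio issues each workload an identity of the form
#   spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
# and the principal below is that ID without the "spiffe://" scheme.
# Assumed names: namespace "orders", label app=orders, caller service account "frontend".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/frontend/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

Because an `ALLOW` policy with a selector is deny-by-default for the selected workload, any caller that is not the `frontend` service account (or that cannot present a valid mesh certificate at all under `STRICT`) is refused by the `orders` sidecar before the request reaches the JVM. Certificate issuance and rotation for the identities referenced here are handled by the control plane, which is the automated provisioning the abstract attributes to SPIFFE/SPIRE-style workload identity.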