U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

This is an archive
(replace .gov by .rip)

Attribute-based Access Control for Microservices-based Applications Using a Service Mesh: NIST SP 800-204B
August 06, 2021

Cloud-native applications now consist of loosely coupled components (microservices), with all application services (e.g., authentication, authorization, load balancing, etc.) provided through a dedicated infrastructure (service mesh) independent of the application code. The requirements of the authorization service in this environment are: (a) to build the concept of zero trust by enabling all authorizations for every interaction to be based on the identity of the user, service, or device irrespective of the location or nature of the requesting service and (b) a robust access control mechanism based on an expressive access control model such as Attribute-based Access Control (ABAC) that can be used to express a wide set of policies and is scalable in terms of the user base, objects (resources), and deployment environment.

NIST announces the publication of NIST Special Publication (SP) 800-204B, Attribute-based Access Control for Microservices-based Applications using a Service MeshIts purpose is to provide guidance for building an ABAC-based deployment within the service mesh that meets the requirements stated above. The security assurance provided by the deployment, the supporting infrastructure needed, and the advantages of the Next Generation Access Control (NGAC), the ABAC model representation developed at NIST that is used in the deployment are also discussed.

Related Topics

Security and Privacy: access authorization, access control, authentication, zero trust

Technologies: cloud & virtualization

Created August 06, 2021