Date Published: August 2021
Author(s)
Ramaswamy Chandramouli (NIST), Zack Butcher (Tetrate), Aradhna Chetal (TIAA)
Deployment architecture in cloud-native applications now consists of loosely coupled components, called microservices, with all application services provided through a dedicated infrastructure, called a service mesh, independent of the application code. Two critical security requirements in this architecture are to build (1) the concept of zero trust by enabling mutual authentication in communication between any pair of services and (2) a robust access control mechanism based on an access control such as attribute-based access control (ABAC) that can be used to express a wide set of policies and is scalable in terms of user base, objects (resources), and deployment environment. This document provides deployment guidance for building an authentication and authorization framework within the service mesh that meets these requirements. A reference platform for hosting the microservices-based application and a reference platform for the service mesh are included to illustrate the concepts in the recommendations and provide the context in terms of the components used in real-world deployments.
Deployment architecture in cloud-native applications now consists of loosely coupled components, called microservices, with all application services provided through a dedicated infrastructure, called a service mesh, independent of the application code. Two critical security requirements in this...
See full abstract
Deployment architecture in cloud-native applications now consists of loosely coupled components, called microservices, with all application services provided through a dedicated infrastructure, called a service mesh, independent of the application code. Two critical security requirements in this architecture are to build (1) the concept of zero trust by enabling mutual authentication in communication between any pair of services and (2) a robust access control mechanism based on an access control such as attribute-based access control (ABAC) that can be used to express a wide set of policies and is scalable in terms of user base, objects (resources), and deployment environment. This document provides deployment guidance for building an authentication and authorization framework within the service mesh that meets these requirements. A reference platform for hosting the microservices-based application and a reference platform for the service mesh are included to illustrate the concepts in the recommendations and provide the context in terms of the components used in real-world deployments.
Hide full abstract
Keywords
attribute-based access control; authentication policy; authorization policy; CI/CD; DevSecOps; JSON web token; microservices-based application; mutual TLS; next generation access control; policy enforcement point; role-based access control; service mesh; service proxy; zero trust
Control Families
None selected