
SP 800-207A (Draft)

A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments

Date Published: April 18, 2023
Comments Due: June 7, 2023
Email Comments to: sp800-207a-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Zack Butcher (Tetrate)

Announcement

Enterprise application environments consist of geographically distributed and loosely coupled microservices that span multiple cloud and on-premises environments. They are accessed by a user base from different locations through different devices. This scenario calls for establishing trust in all enterprise access entities, data sources, and computing services through secure communication and the validation of access policies.

Zero trust architecture (ZTA) and the principles on which it is built have been accepted as the state of practice for obtaining the necessary security assurances, often enabled by an integrated application service infrastructure such as a service mesh. ZTA can only be realized through a comprehensive policy framework that dynamically governs the authentication and authorization of all entities (e.g., user, service, and requested resource) through status assessments of each. This guidance recommends:

  • The formulation of network-tier and identity-tier policies and
  • The configuration of technology components that will enable the deployment and enforcement of different policies (e.g., gateways, infrastructure for service identities, authentication, and authorization tokens with the help of a central coordination infrastructure).
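The two policy tiers named above are evaluated in sequence by the enforcement point (a sidecar proxy or gateway): the network tier decides, from the workload identities carried in the mTLS handshake, whether one service may talk to another at all, and only then does the identity tier decide whether the end user named in the request's token may reach the requested resource. The following toy evaluator is an added example written for this page; it is not code from SP 800-207A, NIST, or Tetrate. It assumes SPIFFE IDs under a hypothetical `example.org` trust domain, services named `frontend`, `orders`, and `payments`, and that the sidecar has already verified the user's JWT signature so that only its claims reach the evaluator. The audience check on the token is an additional assumption of this example (it stops a token minted for one service from being replayed at another), not something the announcement text states.

```python
"""Two-tier zero trust request evaluator (added example, not NIST code).

Assumes: a service mesh where every workload has a SPIFFE ID from its mTLS
peer certificate, and every user-facing request carries an end-user JWT that
the sidecar has already verified. Only the JWT's claims are passed in here.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Hypothetical SPIFFE IDs for the example; the trust domain is made up.
FRONTEND = "spiffe://example.org/ns/shop/sa/frontend"
ORDERS = "spiffe://example.org/ns/shop/sa/orders"
PAYMENTS = "spiffe://example.org/ns/shop/sa/payments"


@dataclass(frozen=True)
class Request:
    src_spiffe_id: str   # caller workload identity (from the mTLS peer cert)
    dst_spiffe_id: str   # callee workload identity (the enforcement point's own)
    method: str
    path: str
    user_claims: dict = field(default_factory=dict)  # verified JWT claims; {} if none


# Network-tier policy: which workload may call which workload, and with what
# methods. Keyed purely on service identity; end users play no part here.
NETWORK_POLICY = [
    {"src": FRONTEND, "dst": ORDERS, "methods": {"GET", "POST"}},
    {"src": ORDERS, "dst": PAYMENTS, "methods": {"POST"}},
]

# Identity-tier policy: which end-user roles may reach which resources on a
# service. Paths use shell-style globs.
IDENTITY_POLICY = [
    {"dst": ORDERS, "path": "/orders/*", "methods": {"GET"}, "roles": {"customer", "support"}},
    {"dst": ORDERS, "path": "/orders", "methods": {"POST"}, "roles": {"customer"}},
    {"dst": PAYMENTS, "path": "/charge", "methods": {"POST"}, "roles": {"customer"}},
]


def network_tier_allows(req: Request) -> bool:
    """Network tier: is this caller workload allowed to reach this callee at all?"""
    return any(
        rule["src"] == req.src_spiffe_id
        and rule["dst"] == req.dst_spiffe_id
        and req.method in rule["methods"]
        for rule in NETWORK_POLICY
    )


def identity_tier_allows(req: Request) -> tuple[bool, str]:
    """Identity tier: may the end user behind this request touch this resource?"""
    claims = req.user_claims
    if not claims:
        return False, "identity-tier: no end-user identity on request"
    # Assumed convention: the token's audience must name the callee workload,
    # so a token issued for one service cannot be replayed against another.
    if req.dst_spiffe_id not in claims.get("aud", []):
        return False, "identity-tier: token audience does not include callee"
    roles = set(claims.get("roles", []))
    for rule in IDENTITY_POLICY:
        if (
            rule["dst"] == req.dst_spiffe_id
            and req.method in rule["methods"]
            and fnmatchcase(req.path, rule["path"])
            and roles & rule["roles"]
        ):
            return True, "identity-tier: allowed by rule for %s" % rule["path"]
    return False, "identity-tier: no matching rule for user %r" % claims.get("sub")


def authorize(req: Request) -> tuple[bool, str]:
    """Deny by default. The network tier is checked first and cannot be
    overridden by a valid user token: a stolen token presented from an
    unauthorized workload is still rejected."""
    if not network_tier_allows(req):
        return False, "network-tier: %s may not %s %s" % (
            req.src_spiffe_id, req.method, req.dst_spiffe_id)
    return identity_tier_allows(req)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    alice = {"sub": "alice", "roles": ["customer"], "aud": [ORDERS]}
    print(authorize(Request(FRONTEND, ORDERS, "GET", "/orders/42", alice)))
    print(authorize(Request("spiffe://example.org/ns/shop/sa/batch", ORDERS,
                            "GET", "/orders/42", alice)))
```

Running the block shows the two outcomes that matter in practice: the first request passes both tiers, while the second is refused at the network tier even though it carries a perfectly valid user token, because the `batch` workload has no policy permitting it to call `orders`. Conversely, a request that passes the network tier can still fail the identity tier when the user's role or the token's audience does not fit the resource.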

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.


Abstract

Keywords

egress gateway; identity-tier policies; ingress gateway; microservices; multi-cloud; network-tier policies; service mesh; sidecar proxy; SPIFFE; transit gateway; zero trust; zero trust architecture

Control Families

None selected

Documentation

Publication:
SP 800-207A (Draft) (DOI)
Local Download

Supplemental Material:
None available

Document History:
04/18/23: SP 800-207A (Draft)

Topics

Security and Privacy
access control; zero trust

Technologies
cloud & virtualization