

Building Secure Microservices-Based Applications Using Service-Mesh Architecture
NIST Releases Draft SP 800-204A for Comment
By CHIPS Magazine - January 21, 2020
Microservices-based applications are increasingly found within large enterprises and cloud-based environments due to their ability to scale. Microservices can be defined as a software development technique — a variant of a service-oriented architecture (SOA) structural style that arranges an application as a collection of loosely coupled services.

Within this architecture there is a need for a dedicated, scalable supporting infrastructure that can provision a comprehensive set of security services. “Called Service Mesh, these security services include — but are not limited to — authentication, authorization, secure service discovery, secure communication, and security monitoring. The deployment of Service Mesh components to enable these services involves multiple configurations,” the National Institute of Standards and Technology explained in a release.

The increasing trend toward building microservices-based applications signals a need to address security in all aspects of service-to-service interaction, because of the unique characteristics of this architecture. “The distributed cross-domain nature of microservices requires secure token service (STS), key management and encryption services for authentication and authorization, as well as secure communication protocols,” NIST advised.

Further, NIST explained that the ephemeral nature of the clustered containers in which microservices are implemented calls for secure service discovery.

The availability requirement calls for:

  1. resiliency techniques such as load balancing, circuit breaking and throttling; and
  2. continuous monitoring (for the health of the service).

The service mesh is the only approach that can facilitate specification of these requirements at a level of abstraction that can be uniformly and consistently defined and, at the same time, effectively implemented without changing the code of individual microservices, NIST advised. Draft SP 800-204A provides deployment guidance for the proxy-based service mesh components that collectively form a robust security infrastructure supporting microservices-based applications.
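The security services and availability mechanisms described above are expressed as mesh configuration applied to the sidecar proxies rather than as application code. The following is an added example, not taken from the NIST draft or from the CHIPS article, which does not name a specific mesh product; it assumes Istio as the mesh, and the namespace `orders`, the calling service account `checkout`, the host name and every threshold are illustrative values. It shows three of the building blocks the article lists: enforced mutual TLS between workloads (secure communication and workload identity), an allow-list authorization policy keyed on the caller's mesh identity (authorization), and per-destination connection limits with outlier ejection (throttling and circuit breaking).

```yaml
# Added example: Istio resources for one service ("orders") in a mesh.
# Namespace, service-account and threshold values are assumptions.

# 1. Secure communication: require mutual TLS for every workload in the
#    namespace. Plaintext connections from non-mesh clients are rejected,
#    so the policies below can trust the peer certificate's identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders
spec:
  mtls:
    mode: STRICT          # PERMISSIVE (the default) would still accept plaintext
---
# 2. Authorization: only the "checkout" workload may create orders.
#    The principal is the SPIFFE identity the sidecar presents over mTLS
#    (cluster.local/ns/<namespace>/sa/<service-account>), not a network address.
#    Once any ALLOW policy selects a workload, requests matching no rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-checkout
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/orders"]
---
# 3. Availability: throttle callers with connection-pool limits and eject
#    unhealthy backends (circuit breaking) so one failing instance does not
#    take the service down. Applied by the calling sidecar, no app code changes.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: orders
spec:
  host: orders.orders.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100           # hard cap on open connections to the service
      http:
        http1MaxPendingRequests: 50   # excess requests are rejected, not queued forever
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5         # trip after five consecutive 5xx responses
      interval: 10s                   # how often the proxy re-evaluates hosts
      baseEjectionTime: 30s           # ejected host stays out at least this long
      maxEjectionPercent: 50          # never eject more than half the pool
```

Two checks are worth running after applying such resources: confirm that a plaintext request from a pod without a sidecar is refused (STRICT mode is doing its job), and confirm that a request from any service account other than `checkout` receives a 403 from the `orders` sidecar, which verifies that the allow list, not the network, is the authorization boundary.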

NIST requests comments for its Draft Special Publication (SP) 800-204A, Building Secure Microservices-based Applications Using Service-Mesh Architecture. Its purpose is to provide deployment recommendations for service mesh components that span several runtime aspects of microservices-based applications to meet the security requirements for this class of application for various scenarios.

The public comment period ends Feb. 14, 2020. Please email comments to sp800-204A-comments@nist.gov

Download Draft Special Publication (SP) 800-204A, Building Secure Microservices-based Applications Using Service-Mesh Architecture


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988