Microservices-based applications are increasingly found within large enterprises and cloud-based environments due to their ability to scale. Microservices can be defined as a software development technique — a variant of a service-oriented architecture (SOA) structural style that arranges an application as a collection of loosely coupled services.
Within this architecture there is a need for a dedicated, scalable infrastructure that supports provisioning a comprehensive set of security services. “Called Service Mesh, these security services include — but are not limited to — authentication, authorization, secure service discovery, secure communication, and security monitoring. The deployment of Service Mesh components to enable these services involves multiple configurations,” the National Institute of Standards and Technology explained in a release.
The increasing trend toward building microservices-based applications signals a need to address security in all aspects of service-to-service interactions, because of the unique characteristics of such applications. “The distributed cross-domain nature of microservices requires secure token service (STS), key management and encryption services for authentication and authorization, as well as secure communication protocols,” NIST advised.
Further, NIST explained that the ephemeral nature of the clustered containers in which microservices are implemented calls for secure service discovery.
The availability requirement calls for:
- resiliency techniques such as load balancing, circuit breaking and throttling; and
- continuous monitoring (for the health of the service).
The service mesh is the only approach that can facilitate specification of these requirements at a level of abstraction that can be uniformly and consistently defined and, at the same time, effectively implemented without making changes to individual microservice code, NIST advised. Draft SP 800-204A provides deployment guidance for proxy-based service mesh components that collectively form a robust security infrastructure for supporting microservices-based applications.
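To make the preceding point concrete, the following added example (not taken from the NIST draft or from any vendor documentation) shows how the security and availability requirements listed above are expressed declaratively in a proxy-based service mesh. It assumes Istio as the mesh, a namespace named `shop`, a service `orders` called by a service running as the Kubernetes service account `frontend`; these names are constructed for illustration. Nothing in the application code changes: mutual TLS, the authorization rule, load balancing and circuit breaking are all enforced by the sidecar proxies from this configuration alone.

```yaml
# Added example (assumes Istio); namespace, service and account names are constructed.

# Secure communication: require mutual TLS for every workload in the namespace.
# Sidecars present the SPIFFE identity of their service account, so a service
# identity rather than an IP address is what the authorization policy below matches.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Authorization: only the frontend identity may call the orders API, and only
# with the listed methods and paths. Requests that match no ALLOW rule are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
---
# Availability: load balancing, client-side throttling via connection-pool limits,
# and circuit breaking via outlier detection, all applied to calls to orders.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: orders
  namespace: shop
spec:
  host: orders.shop.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL          # client side of the mTLS requirement above
    loadBalancer:
      simple: ROUND_ROBIN
    connectionPool:
      tcp:
        maxConnections: 100       # cap on open connections to orders
      http:
        http1MaxPendingRequests: 50   # excess requests are rejected (503), not queued forever
        maxRequestsPerConnection: 10
    outlierDetection:
      consecutive5xxErrors: 5     # eject an instance after 5 consecutive server errors
      interval: 10s               # how often ejection analysis runs
      baseEjectionTime: 30s       # minimum time an ejected instance stays out of rotation
      maxEjectionPercent: 50      # never eject more than half the pool
```

Applying these three resources with `kubectl apply -f` places the whole policy in version-controlled configuration. For security monitoring, the same sidecars emit per-request telemetry (source and destination identity, response code, latency), so a denied call from an unexpected principal shows up in the proxy access logs and metrics without any instrumentation in the services themselves.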
NIST requests comments for its Draft Special Publication (SP) 800-204A, Building Secure Microservices-based Applications Using Service-Mesh Architecture. Its purpose is to provide deployment recommendations for service mesh components that span several runtime aspects of microservices-based applications to meet the security requirements for this class of application for various scenarios.
The public comment period ends Feb. 14, 2020. Please email comments to sp800-204A-comments@nist.gov.
Download Draft Special Publication (SP) 800-204A, Building Secure Microservices-based Applications Using Service-Mesh Architecture