
Attribute-based Access Control for Microservices-based Applications using a Service Mesh
NIST SP 800-204B (Draft) available for comment
By CHIPS Magazine - January 29, 2021
Deployment architecture in cloud-native applications now consists of loosely coupled components (microservices), with all application services provided through a dedicated infrastructure (a service mesh) that is independent of the application code. According to a National Institute of Standards and Technology release, two critical security requirements in this architecture are: (a) to build in the concept of zero trust by enabling mutual authentication in communication between any pair of services; and (b) a robust access control mechanism based on an access control model such as Attribute-based Access Control (ABAC), which can express a wide set of policies and scales in terms of user base, objects (resources), and deployment environment.
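The two requirements above are what a service mesh's sidecar proxy enforces on every call: first the caller's identity is proven by mutual TLS, then an attribute-based policy decides whether that identity may reach the target. The following is an added illustration, not code from the article, the draft publication, or any particular mesh product. It is a minimal ABAC policy decision point in Python; the service names, the attribute registry, the rule names, and the attribute values are all constructed for the example. It shows a generic ABAC evaluator with deny-overrides and default-deny, not NIST's NGAC model specifically.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example. A request as a mesh sidecar sees it after the TLS
# handshake: `peer_identity` is the identity taken from the caller's client
# certificate and is None when the caller presented none, i.e. the connection
# was not mutually authenticated.
@dataclass
class Request:
    peer_identity: Optional[str]
    subject: Dict[str, str]      # attributes of the calling service
    resource: Dict[str, str]     # attributes of the target service
    environment: Dict[str, str]  # attributes of the call itself (method, ...)


# One ABAC rule: a named condition over the three attribute sets plus an effect.
@dataclass
class Rule:
    name: str
    effect: str  # "ALLOW" or "DENY"
    condition: Callable[[Request], bool]


# Constructed attribute registry (hypothetical services and attributes).
# Subject attributes are looked up from the certificate-proven identity and are
# never taken from request headers, so a caller cannot claim a team or cluster
# it does not belong to.
SUBJECT_ATTRS: Dict[str, Dict[str, str]] = {
    "orders.shop":     {"team": "commerce", "cluster": "prod-east"},
    "billing.shop":    {"team": "finance",  "cluster": "prod-east"},
    "batch.analytics": {"team": "data",     "cluster": "prod-west"},
}
RESOURCE_ATTRS: Dict[str, Dict[str, str]] = {
    "inventory": {"owner_team": "commerce", "cluster": "prod-east"},
    "ledger":    {"owner_team": "finance",  "cluster": "prod-east"},
}

# Constructed policy set. Deny rules are evaluated before allow rules.
RULES: List[Rule] = [
    Rule("cross-cluster-writes", "DENY",
         lambda r: r.environment["method"] != "GET"
         and r.subject["cluster"] != r.resource["cluster"]),
    Rule("owning-team-full-access", "ALLOW",
         lambda r: r.subject["team"] == r.resource["owner_team"]),
    Rule("read-only-for-analytics", "ALLOW",
         lambda r: r.subject["team"] == "data"
         and r.environment["method"] == "GET"),
]


def decide(req: Request, rules: List[Rule]) -> Tuple[str, str]:
    """Return (decision, reason): deny overrides allow, and the default is deny."""
    if req.peer_identity is None:
        # Requirement (a): no policy is even consulted for an unauthenticated peer.
        return ("DENY", "peer not mutually authenticated")
    for rule in rules:
        if rule.effect == "DENY" and rule.condition(req):
            return ("DENY", rule.name)
    for rule in rules:
        if rule.effect == "ALLOW" and rule.condition(req):
            return ("ALLOW", rule.name)
    return ("DENY", "no matching allow rule")


def authorize(peer_identity: Optional[str], target_service: str,
              method: str) -> Tuple[str, str]:
    """Build the attribute sets for one call and evaluate the policy (requirement b)."""
    if peer_identity is None:
        return decide(Request(None, {}, {}, {"method": method}), RULES)
    subject = SUBJECT_ATTRS.get(peer_identity)
    resource = RESOURCE_ATTRS.get(target_service)
    if subject is None or resource is None:
        return ("DENY", "unknown subject or resource")
    req = Request(peer_identity, dict(subject, identity=peer_identity),
                  resource, {"method": method})
    return decide(req, RULES)


if __name__ == "__main__":
    for call in [(None, "inventory", "GET"),
                 ("orders.shop", "inventory", "POST"),
                 ("batch.analytics", "ledger", "GET"),
                 ("batch.analytics", "ledger", "POST"),
                 ("billing.shop", "inventory", "GET")]:
        print(call, "->", authorize(*call))
```

The ordering is the point to notice: the identity check happens before any rule runs, deny rules are consulted before allow rules, and an absent match falls through to deny. A real mesh derives the attribute registry from its control plane rather than from a literal in the policy code.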

Draft Special Publication (SP) 800-204B provides deployment guidance for building an authentication and authorization framework within the service mesh that meets these requirements. A reference platform for hosting the microservices-based application and a reference platform for the service mesh are included to illustrate the concepts in the recommendations and provide the context in terms of the components used in real-world deployments.

The draft also discusses the security assurance provided by the deployment, the supporting infrastructure it needs, and the advantages of Next Generation Access Control (NGAC), the ABAC model representation developed at NIST that the deployment uses.

Publication:
SP 800-204B (Draft) (DOI)
NIST Download

Comments Due: Feb. 24, 2021
Email Comments to: sp800-204b-comments@nist.gov


CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988