Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-204B (Initial Public Draft)

Attribute-based Access Control for Microservices-based Applications using a Service Mesh

Date Published: January 2021
Comments Due: February 24, 2021 (public comment period is CLOSED)
Email Questions to: sp800-204b-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Zack Butcher (Tetrate), Aradhna Chetal (TIAA)

Announcement

Deployment architecture in cloud-native applications now consists of loosely coupled components (microservices), with all application services provided through a dedicated infrastructure (service mesh) independent of the application code. Two critical security requirements in this architecture are (a) to build the concept of zero trust by enabling mutual authentication in communication between any pair of services and (b) a robust access control mechanism based on an access control model such as Attribute-based Access Control (ABAC) that can be used to express a wide set of policies and is scalable in terms of user base, objects (resources), and deployment environment.

The purpose of this document, Draft SP 800-204B, is to provide guidance for building an ABAC-based deployment within the service mesh that meets the requirements stated above. The security assurance provided by the deployment, the supporting infrastructure needed and the advantages of the Next Generation Access Control (NGAC), the ABAC model representation developed at NIST that is used in the deployment are also discussed.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Abstract

Keywords

attribute-based access control; authentication policy; authorization policy; CI/CD; DevSecOps; JSON web token; microservices-based application; mutual TLS; next generation access control; policy enforcement point; role-based access control; service mesh; service proxy; zero trust
Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-204B-draft
Download URL

Supplemental Material:
None available

Document History:
01/26/21: SP 800-204B (Draft)
08/06/21: SP 800-204B (Final)