NIST IR 8505 (Initial Public Draft)

A Data Protection Approach for Cloud-Native Applications

Date Published: June 14, 2024
Comments Due: August 1, 2024 (public comment period is CLOSED)
Email Questions to: nistir-8505-comments@nist.gov

Author(s)

Ramaswamy Chandramouli (NIST), Wesley Hales (Leak Signal)

Announcement

Cloud-native applications, which are generally built on a microservices architecture, involve the governance of thousands of services and as many inter-service calls. In this environment, ensuring data security involves more than specifying and granting authorization during service requests. It also requires a comprehensive strategy to categorize and analyze data access and leakage as data travels across various protocols (e.g., gRPC, REST-based), especially within ephemeral and scalable microservices implemented as containers.

Hence, in addition to techniques for protecting data at rest (e.g., regular expressions), it has become essential to develop in-transit data categorization that performs real-time data analysis to actively monitor and secure data as it moves across services and network protocols. This IR outlines a practical framework for effective data protection using the capabilities of WebAssembly (WASM) — a platform-agnostic, in-proxy approach with compute and traffic-processing capabilities (in-line network traffic analysis at layers 4–7) that can be built and deployed to execute at native speed in a sandboxed and fault-tolerant manner.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy Inclusion of Patents in ITL Publications.

Abstract

Keywords

data governance; data privacy; data protection; data security; in-transit data categorization; WASM

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.IR.8505.ipd

Supplemental Material:
None available

Document History:
06/14/24: IR 8505 (Draft)
09/30/24: IR 8505 (Final)

Topics

Security and Privacy

general security & privacy, privacy

Technologies

cloud & virtualization