多位置环境中云原生应用访问控制的零信任体系架构模型

12NIST

Special

PublicationNIST

SP

800-207A

ipd345A

Zero

Trust

Architecture

Modelfor

Access

Control

in

Cloud-NativeApplications

in

Multi-Location67EnvironmentsInitialPublicDraft891011RamaswamyChandramouliZackButcher1213Thispublicationisavailablefreeofchargefrom:/10.6028/NIST.800-207A.ipd1415NIST

Special

PublicationNIST

SP

800-207A

ipd16A

Zero

Trust

Architecture

Model17

for

Access

Control

in

Cloud-Native1819Applications

in

Multi-LocationEnvironments2021InitialPublicDraft22232425RamaswamyChandramouliComputerSecurityDivisionInformationTechnologyLaboratory2627ZackButcherTetrate,Inc.2829Thispublicationisavailablefreeofchargefrom:/10.6028/NIST.800-207A.ipd30April2023313233U.S.DepartmentofCommerceGinaM.Raimondo,Secretary343536NationalInstitute

ofStandardsand

TechnologyLaurieE.

Locascio,NISTDirectorandUnderSecretaryofCommerceforStandards

andTechnologyNISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication37383940Certaincommercialequipment,instruments,software,or

materials,commercialor

non-commercial,areidentifiedinthispaperinordertospecifytheexperimentalprocedureadequately.Suchidentificationdoesnotimplyrecommendationor

endorsementofany

productorservice

by

NIST,nordoesitimplythat

the

materialsorequipmentidentifiedare

necessarilythebestavailableforthepurpose.414243444546TheremaybereferencesinthispublicationtootherpublicationscurrentlyunderdevelopmentbyNISTinaccordancewithitsassignedstatutoryresponsibilities.Theinformationinthispublication,includingconceptsandmethodologies,maybeusedby

federalagenciesevenbefore

thecompletionofsuch

companionpublications.Thus,untileachpublicationiscompleted,currentrequirements,guidelines,andprocedures,wheretheyexist,remainoperative.For

planningand

transitionpurposes,federalagenciesmaywishtocloselyfollowthedevelopment

ofthesenewpublicationsby

NIST.474849Organizationsareencouragedtoreviewalldraft

publicationsduringpubliccommentperiodsandprovide

feedbacktoNIST.ManyNISTcybersecuritypublications,otherthantheonesnotedabove,are

availableat/publications.50515253545556575859606162AuthorityThispublicationhasbeendevelopedby

NISTinaccordance

withitsstatutoryresponsibilitiesundertheFederalInformationSecurityModernizationAct(FISMA)of2014,44U.S.C.§3551etseq.,PublicLaw(P.L.)113-283.NISTisresponsiblefordevelopinginformationsecuritystandardsandguidelines,includingminimumrequirementsforfederalinformationsystems,butsuchstandardsandguidelinesshallnotapplytonationalsecuritysystemswithouttheexpressapprovalof

appropriatefederalofficialsexercisingpolicyauthorityover

suchsystems.ThisguidelineisconsistentwiththerequirementsoftheOfficeof

ManagementandBudget(OMB)

CircularA-130.Nothinginthispublicationshouldbe

takentocontradictthe

standardsandguidelinesmademandatoryand

bindingonfederalagenciesby

theSecretaryof

Commerceunderstatutoryauthority.Norshouldtheseguidelinesbeinterpretedasalteringorsupersedingtheexistingauthorities

oftheSecretaryofCommerce,Directorof

theOMB,oranyotherfederalofficial.

Thispublicationmaybeusedby

nongovernmentalorganizationsonavoluntarybasisandisnotsubjecttocopyrightin

theUnitedStates.Attributionwould,however,beappreciatedbyNIST.636465NIST

Technical

Series

PoliciesCopyright,Use,and

LicensingStatementsNISTTechnicalSeriesPublicationIdentifierSyntax6667Publication

HistoryApprovedby

theNISTEditorialReviewBoardonYYYY-MM-DD[Willbeupdatedinfinalpublication]68697071How

to

Cite

this

NIST

Technical

Series

Publication:ChandramouliR,

ButcherZ(2023)AZero-TrustArchitectureModelforAccessControlinCloudNativeApplicationsinMulti-LocationEnvironments.(NationalInstituteofStandardsand

Technology,Gaithersburg,MD),NISTSpecialPublication(SP)NISTSP800-207Aipd.

/10.6028/NIST.800-207A.ipd7273Author

ORCID

iDsRamaswamyChandramouli:0000-0002-7387-58587475Public

Comment

PeriodApril18,

2023–June

7,

2023NISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication767778798081Submit

Commentssp800-207A-comments@NationalInstituteofStandardsandTechnologyAttn:ComputerSecurityDivision,InformationTechnology

Laboratory100BureauDrive(MailStop8930)Gaithersburg,MD20899-893082All

comments

are

subject

to

release

under

the

Freedom

of

Information

Act

(FOIA).NISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication8384AbstractOneofthebasictenetsofzerotrustistoremovethe

implicittrustinusers,services,

anddevices85

basedonlyontheirnetworklocation,affiliation,andownership.NISTSpecialPublication800-868788207haslaidoutacomprehensivesetofzerotrust

principlesandreferenced

zerotrustarchitectures(ZTA)forturningthoseconceptsintoreality.AkeyparadigmshiftinZTAsisthechangeinfocusfromsecuritycontrolsbasedonsegmentationandisolationusingnetwork89

parameters(e.g.,

IP

addresses,subnets,perimeter)toidentities.Fromanapplicationsecurity909192pointofview,thisrequiresauthenticationand

authorizationpoliciesbased

onapplicationandserviceidentitiesinadditiontotheunderlyingnetworkparameters

anduseridentities.Thisinturnrequires

aplatformthatconsistsofAPI

gateways,sidecarproxies,and

applicationidentity93

infrastructures(e.g.,SPIFFE)thatcan

enforcethosepoliciesirrespectiveofthelocationofthe9495services/applications,whetheron-premisesoron

multipleclouds.Theobjectiveofthispublicationistoprovideguidanceforrealizingan

architecturethatcanenforcegranular96

application-levelpolicies

whilemeetingtheruntimerequirementsofZTA

formulti-cloudand97hybridenvironments.98Keywords99100egressgateway;identity-tierpolicies;ingressgateway;microservices;multi-cloud;network-tierpolicies;servicemesh;sidecarproxy;SPIFFE;transitgateway;zerotrust;zerotrustarchitecture.101Reports

on

Computer

Systems

Technology102103104105106107108109110111TheInformationTechnologyLaboratory

(ITL)

attheNational

InstituteofStandardsandTechnology(NIST)promotestheU.S.economyandpublicwelfarebyprovidingtechnicalleadershipfortheNation’smeasurementandstandardsinfrastructure.

ITL

developstests,testmethods,referencedata,

proofofconceptimplementations,andtechnicalanalysestoadvancethedevelopmentandproductiveuseofinformationtechnology.

ITL’sresponsibilitiesincludethedevelopmentofmanagement,administrative,technical,andphysicalstandardsandguidelinesforthecost-effectivesecurityandprivacyof

otherthannationalsecurity-relatedinformationinfederalinformationsystems.TheSpecialPublication800-seriesreportson

ITL’sresearch,guidelines,andoutreach

effortsininformationsystemsecurity,anditscollaborativeactivitieswithindustry,government,andacademicorganizations.112iNISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication113Call

for

Patent

Claims114115116117118119Thispublicreviewincludesacallforinformation

onessentialpatentclaims(claimswhoseusewouldberequiredfor

compliancewiththeguidanceorrequirementsinthisInformationTechnologyLaboratory(ITL)draftpublication).Suchguidanceand/orrequirementsmaybedirectlystatedinthisITL

Publicationorbyreferencetoanotherpublication.Thiscallalsoincludesdisclosure,whereknown,oftheexistenceofpendingU.S.orforeignpatentapplicationsrelatingtothisITLdraft

publicationandofanyrelevantunexpiredU.S.orforeignpatents.120ITLmayrequirefromthe

patentholder,or

apartyauthorizedtomakeassurancesonitsbehalf,121

inwrittenorelectronicform,either:122123a)

assuranceintheformofageneraldisclaimertothe

effectthatsuchpartydoesnotholdanddoesnotcurrentlyintendholdinganyessential

patentclaim(s);or124125126b)

assurancethatalicenseto

suchessentialpatentclaim(s)willbemadeavailabletoapplicantsdesiringtoutilizethelicenseforthepurposeofcomplyingwiththeguidanceorrequirementsinthisITLdraftpublicationeither:127128i.underreasonabletermsandconditionsthataredemonstrablyfreeof

anyunfairdiscrimination;or129130ii.withoutcompensationandunderreasonabletermsandconditionsthataredemonstrablyfreeofany

unfairdiscrimination.131132133134135Suchassuranceshallindicatethatthepatentholder(orthirdparty

authorizedtomakeassurancesonitsbehalf)willincludeinanydocumentstransferringownershipofpatentssubjecttotheassurance,provisionssufficienttoensurethatthecommitmentsintheassurancearebindingonthetransferee,

andthatthe

transfereewillsimilarlyincludeappropriateprovisionsintheeventoffuturetransferswiththegoalofbindingeachsuccessor-in-interest.136137Theassuranceshallalsoindicatethatitisintendedtobebindingonsuccessors-in-interestregardlessofwhethersuchprovisionsareincluded

intherelevanttransferdocuments.138139Suchstatementsshouldbeaddressedto:sp800-207A-comments@iiNISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication140Table

of

Contents141142143144145146147148149150151152153Executive

Summary.................................................................................................................

1Introduction

......................................................................................................................

2Background–ZeroTrustPrinciplesandZeroTrust

Architecture................................

2Relationshipto

Other

NIST

GuidanceDocuments......................................................

3Scope.........................................................................................................................

3TargetAudience

.........................................................................................................

4OrganizationofThis

Document

..................................................................................

4The

Enterprise

Cloud-Native

Platform

and

its

Components

.........................................5EnterpriseInfrastructureLayer

...................................................................................

6Designing

a

Policy

Framework

for

ZTA

for

Cloud-Native

Application

Environments.

7FunctionalComponentsofIdentity-BasedSegmentationPolicies

for

ZTA..................

8Shortcomingsof

Identity-BasedSegmentationPolicies

forEnterpriseZTA

................

9Multi-TierPolicies

forEnterpriseZTA

.........................................................................

9154155Implementing

Multi-Tier

Policies

for

ZTA

for

Cloud-Native

Application

Environments11156157158159160161162163164165166ReferenceApplicationInfrastructureScenario...........................................................11RoleoftheServiceMeshin

Policy

Deployment,

Enforcement,

andUpdates.............12Policy

DeploymentforReferenceApplicationInfrastructure.......................................13Another

ApplicationInfrastructureScenario...............................................................14FunctionalRoles

ofApplicationInfrastructureElementsin

EnforcingPolicies...........15Comparisonof

Identity-Tier

andNetwork-Tier

Policies

..............................................164.6.1.

ApproachesforDeployment

andtheLimitationsof

Network-TierPolicies

...............164.6.2.

PrerequisitesfortheDeploymentofIdentity-Tier

Policies........................................174.6.3.

Advantagesof

Identity-Tier

Policies.........................................................................18Summary

and

Conclusions

............................................................................................19References..............................................................................................................................20167List

of

Figures168169170171172173Fig.

1.

Enterpriseinfrastructurelayerfor

uniformpolicy

deployment..........................................

7Fig.

2.

Flexibility

providedbymulti-tier

policies

.........................................................................10Fig.

3.

Multi-tierPolicies

foraHybridApplicationEnvironment

.................................................12Fig.

4.

AnIstioAuthorizationPolicy

that

allows

Service1to

Service2onport443but

onlyallows

it

to

execute

theGETHTTPverbon

the“/public”

path........................................14Fig.

5.

Policy

DeploymentforaThree-tier

Application...............................................................15174iiiNISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication175Acknowledgments176177TheauthorwouldliketoexpresshisthankstoIsabelVanWykof

NISTfor

herdetailed

editorialreviewofthe

publiccommentversionaswellasthe

finalpublication.ivNISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication178Executive

Summary179

Theprinciplesofzerotrust,asdescribedinNIST

SpecialPublication(SP)800-207,have180

becometheguidingmarkersfordevelopingsecurezerotrustarchitecture.Awell-established181

classofapplicationsarecloud-nativeapplications.Thegenerallyaccepted

characterizationofa182cloudnativeapplicationincludesthefollowing:183184185186187•

Theapplicationismadeupofasetoflooselycoupledcomponentscalled

microservices.Eachofthemicroservicescanbehostedondifferentphysicalorvirtualmachines(VMs)andevenbe

geographicallydistributed(e.g.,withinseveralfacilitiesthatbelongtotheenterprise,suchastheheadquarters,branchoffices,andinvariouscloudserviceproviderenvironments).188189•

Anytransactioninvolvingtheapplicationmayalsoinvolveoneormoreinter-service(microservice)callsacrossthenetwork.190191192193•

Awidespreadfeature(thoughnotnecessarilyarequirementforcloud-nativeapplication)isthepresenceofasoftwareplatformcalledtheservicemeshthatprovides

anintegratedsetofallapplicationservices(e.g.,servicesdiscovery,networking

connections,communicationresilience,andsecurityserviceslikeauthenticationand

authorization).194195196Therealizationofazero

trustarchitecturefortheaboveclassofcloud-nativeapplicationsrequiresarobustpolicyframework.

Inordertofollowzerotrustprinciples,

theconstituentpolicesintheframework

shouldconsiderthefollowingscenario:197198199200201•

Thereshouldnotbeimplicittrustinusers,services,ordevicesbasedexclusivelyontheirnetworklocation,affiliation,orownership.Hence,

policydefinitionsandassociatedsecuritycontrolsbasedon

thesegmentationorisolationofnetworksusingnetworkparameters(e.g.,

IP

addresses,subnets,perimeter)areinsufficient.Thesepoliciesfallundertheclassificationof

network-tierpolicies.202203204205•

Toensurethepresenceof

zerotrustprinciplesthroughouttheentireapplication,network-tierpoliciesmustbeaugmentedwithpoliciesthatestablishtrustintheidentityofthevariousparticipatingentities(e.g.,users

andservices)irrespectiveof

thelocationoftheservicesorapplications,

whetheron-premisesoron

multipleclouds.206Thisdocumentprovides

guidanceforrealizingazerotrustarchitecturethatcanenforcegranular207

application-levelpolicies

forcloud-nativeapplications.Theguidanceisanchoredinthe208following:209•

Acombinationofnetwork-tierandidentity-tierpolicies210211212213214•

Thecomponentsofcloud-nativeapplicationsthat

enablethedefinitionanddeploymentofthosepolicies,suchas

edge,ingress,sidecar,

andegressgateways;thecreation,issuance,andmaintenanceofserviceidentities;theissuanceofauthenticationandauthorizationtokensthat

carryuseridentitiesintheenterpriseapplicationinfrastructurethatencompassesmulti-cloudandhybridenvironments2151NISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication216Introduction217218219Zerotrust(ZT)tenetsorprincipleshavebeenacceptedastheguidemarkersforarchitectingallapplications.There

are

severalreasonswhyadherencetothesetenetsiscriticalforobtainingnecessarysecurityassurances,especiallyfor

cloud-nativeapplications.Theenterprise220

applicationenvironments

forthisclassofapplicationsishighlygeographicallydistributedand221222223224225spanmultiplecloudandon-premisesenvironments(e.g.,headquarters,enterprise-operateddatacenters,branchoffices,

etc.).Further,theuserbaseconsistsofbothremoteandon-premisesemployees.Thesetwo

featurescallforestablishingtrustinallofthedatasourcesand

computingservicesofthe

enterprise–irrespectiveof

theirlocation–throughsecure

communicationandthevalidationofaccesspolicies.226227Apartfromgeographicdistribution,anothercommonfeatureofcloud-nativeapplicationsisthepresenceofmanymicroservicesthat

areloosely

coupledandcollectivelysupportbusiness228

processesthrough

extensiveinter-servicecalls.Thisisaugmentedwithanintegrated229230231infrastructureforprovidingallapplicationservicescalledtheservicemesh.

Thesefeaturesemphasizetheconceptofidentityforthevariouscomponentsoftheapplicationintheformofmicroservices

aswellasthe

userswho

accessthemthroughdirectcallsorclients(other232

services).Thisinturnhighlightsthecriticalneed

forauthenticatingtheseidentitiesandfor233

providinglegitimateaccessonaper-sessionbasisthroughadynamicpolicythattakesthecurrent234

statusoftheuser,service,andrequestedassetinto

account.235236237Theaboverequirementscanonlybemetthrough

acomprehensivepolicyframework.Thisdocumentprovidesguidancefordevelopingapolicyframeworkthatwillformthefoundationforrealizingazerotrustarchitecture(ZTA)whileincorporatingzerotrustprinciplesintoitsdesign238

forcloud-nativeapplications.Thepolicyframeworkshouldalsoconsistofacomprehensiveset239240ofpoliciesthatspanallcriticalentitiesandresourcesintheapplicationstack,includingthenetwork,networkdevices,users,andservices.241242Background

–

Zero

Trust

Principles

and

Zero

Trust

ArchitectureAsummaryofthezerotrustprinciplesandthedefinitionofazerotrustarchitecture,asdescribed243

inNISTSP800-207[1],

are:244245246247248249250251252•

Zerotrustisthetermfor

anevolvingsetofcybersecurityparadigmsthatmovedefensesfromstatic,network-basedperimeterstofocusonusers,assets,and

resources.

It

isasetofsecurityprimitivesratherthanaparticularsetof

technologies.Zerotrustassumesthatthereisnoimplicittrustgrantedtoassetsoruseraccountsbasedsolelyontheirphysicalornetworklocation(i.e.,

localareanetworksversustheinternet)oron

asset

ownership(e.g.,enterpriseorpersonallyowned).Zerotrustfocusesonprotectingresources(e.g.,assets,services,

workflows,networkaccounts)ratherthannetworksegments,asthenetworklocationisnolongerseen

astheprimecomponenttothesecuritypostureoftheresource.253254•

Azerotrustarchitectureuseszerotrustprinciplestoplanindustrialandenterpriseinfrastructuresandworkflows.2NISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication255256257NIST’sguidanceon

zero

trustalsocontainsanabstractdefinitionofzerotrustarchitectureandgivesgeneraldeploymentmodelsandusecases

withwhichzerotrustcould

improveanenterprise’soverallinformationtechnologysecurityposture.258Relationship

to

Other

NIST

Guidance

Documents259260261262263264265266267SincethecurrentdocumentprovidesguidancefortherealizationofZTAforcloud-nativeapplicationshostedinmultiplelocations(on-premisesandmultipleclouds)andtheenforcementofZTprinciplesrequires

policiesthatareassociatedwithvarioussecurityservices,itwillbeusefultorefertothefollowingdocuments.Thesedocumentsprovidebackgroundinformationforthearchitectureofamicroservices-basedapplicationwithservicemeshas

wellasguidanceforconfiguringspecificsecurityservices.Thecurrent

documentexpandsthereferenceenvironmenttoonewheretheIT

applicationinfrastructureofanenterprisespansmultiplepremisesandmultiplecloudproviderlocationsaswellasaddressestherangeof

policies

thatarerequired

forcomprehensivesecurityassurance.268269270271272•

NISTSP800-204A,BuildingSecureMicroservices-basedApplicationsUsingService-MeshArchitecture[2],providesdeploymentguidanceforvarioussecurityservices(e.g.,establishmentofsecuresessions,securitymonitoring,etc.)for

amicroservices-basedapplicationusingadedicatedinfrastructure(i.e.,aservicemesh)basedonserviceproxiesthatoperateindependently

oftheapplicationcode.273274275276277278279280•

NISTSP800-204B[3],Attribute-basedAccessControlforMicroservices-basedApplicationsUsingaServiceMesh,providesdeploymentguidanceforbuildinganauthenticationandauthorizationframeworkwithintheservicemeshthatmeetsthesecurityrequirements.Thismayincludeestablishing(1)zerotrustbyenablingmutualauthenticationincommunicationbetween

anypairofservicesand(2)arobustaccesscontrolmechanismbased

onanaccesscontrolmodel(e.g.,theattribute-basedaccesscontrol[ABAC]model)thatcanbeusedtoexpressawidesetofpolicies

andisscalableintermsofuserbase,objects(resources),anddeploymentenvironment.281282ScopeThescopeofthisdocumentincludes:283284•

Identifyingtherequirementsforrealizing

aZTAforgranular

accesscontrolinmicroservices-based

applicationplatformsthatincludeaservicemeshinfrastructure285286•

Identifyingtheinfrastructuralelementsthatshouldbepartoftheplatform

inordertoconfigureandimplementZTprinciples287288•

GuidancefordeployingaZTAintheaboveplatformandoutliningthesecurityassurancesthatthedeploymentcanprovide3NISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication289Target

Audience290291292Thisguidanceisintendedforsecurityarchitectsandinfrastructuredesignersinorganizationswithahybrid

IT

environment(consistingofbothon-premisesandmultiplecloud-basedapplications)withacombinationoflegacyandmicroservices-based(i.e.,

cloud-native)293

applicationswithabuilt-inapplicationservicesinfrastructure,such

asaservicemesh.294295Organization

of

This

DocumentTheorganizationofthisdocumentisasfollows:296297298299•

Section2describesamodernenterprisecloud-nativeapplicationplatformthatincludesadedicatedinfrastructureforprovidingallapplicationservicesas

wellasamanagementplanewhentheapplicationspansbothon-premisesandmultiplecloudserviceproviderlocations.300301302303•

Section3introducesthebasicconceptsofapolicyframeworkforZTAfor

theplatformdescribedintheprevious

sectionintermsofdriversanddesignrequirements.It

alsoprovidesananalysisofidentity-basedpoliciesand

introducestheconceptofmulti-tierpolicies.304305306307308•

Section4describestheimplementationapproach

fordeployingmulti-tierpoliciesfortwoenterpriseapplicationinfrastructurescenariosby

outliningtherolesoftheservicemesh,thefunctionalcomponentsinvolved,andtheadvantagesofidentity-tierpolicies,whichprovideservice-levelsegmentationandplayacriticalroleinthesecurityassuranceof

anapplicationecosystemtoconformtozerotrustprinciplesortenets.309310311•

Section5providesasummaryandconclusion.4NISTSP800-207Aipd(InitialPublicDraft)April2023ZTAModelforAccessControlinCloud-NativeApplication312The

Enterprise

Cloud-Native

Platform

and

its

Components313314315Anenterprisecloud-nativeplatformisincreasinglymadeupofmicroservicesthatareimplementedascontainersandhostedonacontainerorchestrationplatform.In

addition,ithasadedicatedinfrastructurelayercalledaservicemesh,whichprovidesacomprehensivesetof316

applicationservices(e.g.,

networkconnectivity,networkresilience,observability,andsecurity).317Theapplicationservices

providedbyaservicemeshareenabledbythefollowing:318319320•

Abuilt-ininfrastructurefor(a)providingserviceidentities,(b)servicediscovery,and(c)externalpolicy-basedauthorizationenginesbased

onNextGenerationAccessControl(NGAC),Attribute-based

AccessControl(ABAC),andOpenPolicyAgent

(OPA)321322323•

Codeforperformingnetwork-relatedfunctions(e.g.,trafficrouting)andforensuringnetworkresiliencythroughfunctionssuchasretries,timeouts,blue-green

deployments,andcircuitbreaking324325•

Codeforensuring

applicationintegrityandconfidentialitythroughservice-to-serviceanduser-to-resourceauthenticationsandauthorizations326327328Mored