Access control is fundamental to application security. Modern applications, more than ever, need a flexible access control mechanism that can succinctly express access rules, take into account a large number of objects and dynamic runtime attributes, and be evaluated efficiently at runtime. These rules must also be both intelligible and auditable so the current state of access policy enforcement is knowable and can be easily understood.
The most common access control flavors in use today are role-based access control (RBAC) and attribute-based access control (ABAC). RBAC is simple: it maps users to roles, and offers rules to permit or deny access to resources based on those roles. But RBAC can be inflexible in practice, often leading to “role explosion” when used to model complex relationships between actors and resources.
ABAC offers more flexibility, but it can lead to incomprehensible, opaque rule sets where it’s hard to tell if the actual policy implementation matches policy intent. This complexity can also lead to performance degradation as the number of resources and attributes increases.
NIST’s next-generation access control (NGAC) offers an ABAC implementation meant to be flexible enough to comprehensively model the objects and attributes of an entire enterprise while being easy to understand. At the same time, NGAC uses a linear time algorithm to render access verdicts.
NIST’s SP 800-204B, co-authored by Tetrate’s own Zack Butcher, sets out standards for implementing access control for microservices applications. In January 2021, Zack was joined by fellow co-author and NIST Senior Computer Scientist Ramaswami Chandramouli to give a talk exploring the new standard and how a service mesh can be used as the new security kernel for microservices applications. In this article, we’ll provide a brief overview of their discussion, with a link to a full recording you can watch for all the details.
Service mesh as the new security kernel
NIST calls out service mesh as the recommended mechanism to secure microservices, offering Istio as the reference service mesh implementation. As a dedicated infrastructure layer, the mesh forms a new security kernel. The Envoy data plane that mediates service-to-service communication as well as ingress and egress acts as a non-bypassable policy enforcement point (PEP) in front of each service and gateway. The kernel code is independent of the application, so its lifecycle can be managed independently and it can’t be modified at runtime. And, while this makes the mesh a prime attack target, as a security kernel it can be a tightly controlled element of the system that we can harden with more eyes and closer inspection.
Continuous monitoring for continuous proof of policy enforcement
The mesh also provides continuous monitoring of policy enforcement, giving proof to an auditor and continuous proof to ourselves that the system is secure. The mesh provides hooks for shadow ops to issue requests against the live system and assert that policy is being enforced; metrics and logs can prove to auditors that verdicts were sought and applied.
Additional supporting infrastructure
The mesh also provides additional supporting infrastructure to facilitate security best practices across a variety of environments out of the box, infrastructure we’d otherwise need to stand up independently in each environment without a common infrastructure layer. This additional infrastructure includes a certificate authority (CA) module, a secure identity registry, and support for calling out to external authorization servers at runtime.
ABAC is the best fit for microservices; NGAC is the best ABAC
Attribute-based access control (ABAC) offers the flexibility to author policy on a large number of objects and attributes, which makes it a good fit for dynamic application deployments where RBAC tends to suffer from role explosion. NIST’s next-generation access control (NGAC) is an ABAC mechanism that provides a nice balance between flexibility, ease of policy authorship, ease of understanding, and fast implementation. In NGAC, access control data is represented as a graph that can model your enterprise. Access decisions use a linear time algorithm (in terms of the dimensions of the problem), which makes NGAC a performance-efficient representation of ABAC.
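As an added illustration of the graph model described above (example code written for this article, not code from the talk or from NIST’s reference implementation), the following Python sketch builds a small NGAC-style policy graph and renders a decision by walking it. Every user, attribute, policy class and service name in it is constructed; the key point it shows is that an operation is permitted only if it is granted under every policy class that contains the object.

```python
# Constructed NGAC-style policy graph (illustrative sample, not the NIST
# reference implementation). Assignment edges point from a node to the
# attribute or policy class that contains it.
ASSIGNMENTS = {
    "alice": {"ops-team", "prod-approved"},
    "bob": {"dev-team"},
    "ops-team": {"staff"},
    "dev-team": {"staff"},
    "staff": {"team-pc"},
    "prod-approved": {"env-pc"},
    "payments-svc": {"payments-domain", "prod-services"},
    "payments-domain": {"team-pc"},
    "prod-services": {"env-pc"},
}
POLICY_CLASSES = {"team-pc", "env-pc"}
# Associations: (user attribute, operation set, object attribute).
ASSOCIATIONS = [
    ("staff", {"read"}, "payments-domain"),
    ("ops-team", {"read", "deploy"}, "payments-domain"),
    ("prod-approved", {"read", "deploy"}, "prod-services"),
]

def containers(node):
    """Every attribute and policy class reachable from node along assignments."""
    seen, stack = set(), [node]
    while stack:
        for parent in ASSIGNMENTS.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def permitted_ops(user, obj):
    """Operations user may perform on obj: an op must be granted under
    EVERY policy class that contains obj (NGAC combines classes conjunctively)."""
    user_attrs = containers(user)
    obj_attrs = containers(obj) | {obj}
    pcs = obj_attrs & POLICY_CLASSES
    if not pcs:
        return set()  # an object outside all policy classes is unreachable
    granted = {pc: set() for pc in pcs}
    for ua, ops, oa in ASSOCIATIONS:
        if ua in user_attrs and oa in obj_attrs:
            for pc in (containers(oa) | {oa}) & pcs:
                granted[pc] |= ops
    return set.intersection(*granted.values())

def is_permitted(user, op, obj):
    return op in permitted_ops(user, obj)
```

With this graph, `is_permitted("alice", "deploy", "payments-svc")` is true, while `bob` is denied even `read` because nothing grants him anything under `env-pc`.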
Watch the presentation
For more detail and a deep dive into NIST’s security recommendations for microservices applications, watch the full presentation, available on demand at NIST.