Access Control in Cloud-Native Applications in Multi-Site Environments (NIST SP 800-207)

NIST released Special Publication (SP) 800-207A – “A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments.”

Enterprise application environments consist of geographically distributed, loosely coupled microservices that span multiple cloud and on-premises environments. Users in different locations access these applications from different devices. This scenario requires establishing trust in every accessing entity, data source, and enterprise IT service through secure communication and validation of access policies.


Enterprise infrastructure layer for uniform policy deployment

Zero Trust Architecture (ZTA) and the principles on which it is built have been accepted as the state of practice for achieving the necessary security guarantees, often enabled by an integrated application services infrastructure such as a service mesh.

ZTA can only be achieved through a comprehensive policy framework that dynamically governs the authentication and authorization of all entities based on an assessment of their current status (e.g., the user, the calling service, and the requested resource). The guide recommends:

  • Policy formulation at the network level and at the identity level
  • Configuring the technology components that will enable the deployment and enforcement of different policies (e.g. gateways, infrastructure for service identities, authentication and authorization modules that enforce the policies)
  • A comprehensive monitoring framework that covers various tasks, such as observing resource status and tracking events (e.g. user access requests, changes to corporate directories)
  • Using telemetry data to improve security by adjusting access rights and applying strong authentication.
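The four recommendations above describe one decision pipeline: a network-level check at the gateway, an identity-level check by the authorization module, a status assessment of the entities involved, and a feedback loop in which telemetry tightens the policy. The following added example (not code from NIST SP 800-207A or from any product) sketches that pipeline as a small policy decision point. The vocabularies for authentication strength and device posture, the SPIFFE-style service identifiers, the resource and network names, and the denial threshold are all assumptions made for the example.

```python
"""Added example: a two-tier (network + identity) zero trust policy decision
point with status assessment and telemetry-driven tightening.
Not code from NIST SP 800-207A; names, fields and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    user: str
    auth_strength: str      # "password" or "mfa" (assumed vocabulary)
    device_posture: str     # "compliant" or "noncompliant" (assumed vocabulary)
    service_id: str         # calling workload identity, e.g. "spiffe://corp/orders-api" (assumed)
    source_network: str     # network segment the request arrived from
    resource: str
    action: str


@dataclass
class NetworkPolicy:
    # resource -> source network segments allowed to reach it at all
    allowed_networks: dict = field(default_factory=dict)


@dataclass
class IdentityPolicy:
    # (service identity, resource, action) tuples that are authorized
    grants: set = field(default_factory=set)
    # resources whose access additionally requires strong user authentication
    require_mfa_for: set = field(default_factory=set)


def evaluate(req, net: NetworkPolicy, ident: IdentityPolicy):
    """Return (allowed, reason). Every tier must pass; anything unmatched is denied."""
    # Tier 1: network-level policy, the check a gateway would enforce
    if req.source_network not in net.allowed_networks.get(req.resource, set()):
        return False, "network: source segment not permitted for resource"
    # Tier 2: identity-level policy, the check an authorization module would enforce
    if (req.service_id, req.resource, req.action) not in ident.grants:
        return False, "identity: service not authorized for action on resource"
    # Tier 3: status assessment of the entities (device posture, authentication strength)
    if req.device_posture != "compliant":
        return False, "status: device posture noncompliant"
    if req.resource in ident.require_mfa_for and req.auth_strength != "mfa":
        return False, "status: strong authentication required"
    return True, "allow"


def tighten_from_telemetry(denials, ident: IdentityPolicy, threshold=3):
    """Feed monitoring telemetry back into policy. `denials` is a list of
    (resource, reason) events; a resource that accumulates `threshold` or more
    denials is added to the set requiring strong authentication.
    Returns the set of resources newly tightened (constructed rule, assumed)."""
    counts = Counter(resource for resource, _ in denials)
    newly = {r for r, n in counts.items()
             if n >= threshold and r not in ident.require_mfa_for}
    ident.require_mfa_for |= newly
    return newly


# Constructed sample policies for the demonstration
NET = NetworkPolicy(allowed_networks={"orders-db": {"mesh-prod", "vpn-admin"}})
IDENT = IdentityPolicy(grants={("spiffe://corp/orders-api", "orders-db", "read")})


def demo():
    """Run a few constructed requests through the pipeline and return the decisions."""
    pol = IdentityPolicy(grants=set(IDENT.grants))
    reqs = {
        "good": AccessRequest("alice", "password", "compliant",
                              "spiffe://corp/orders-api", "mesh-prod", "orders-db", "read"),
        "bad_network": AccessRequest("alice", "mfa", "compliant",
                                     "spiffe://corp/orders-api", "internet", "orders-db", "read"),
        "bad_service": AccessRequest("alice", "mfa", "compliant",
                                     "spiffe://corp/reporting", "mesh-prod", "orders-db", "read"),
    }
    decisions = {name: evaluate(r, NET, pol) for name, r in reqs.items()}
    # Monitoring observed repeated denials on orders-db; tighten and re-evaluate
    denials = [("orders-db", d[1]) for d in decisions.values() if not d[0]] * 2
    tighten_from_telemetry(denials, pol)
    decisions["good_after_tightening"] = evaluate(reqs["good"], NET, pol)
    return decisions


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The order of the tiers matters for the design: the cheap network check runs first so that traffic from an unexpected segment never reaches the identity or status logic, and every branch that does not positively match returns a denial, so a missing grant or an unknown resource fails closed rather than open.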
