A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments

Published

Author(s)

Ramaswamy Chandramouli, Zack Butcher

Abstract

One of the basic tenets of zero trust is to remove the implicit trust granted to users, services, and devices based only on their network location, affiliation, or ownership. NIST Special Publication 800-207 lays out a comprehensive set of zero trust principles and reference zero trust architectures (ZTA) for turning those concepts into reality. A key paradigm shift in ZTAs is the change in focus from security controls based on segmentation and isolation using network parameters (e.g., IP addresses, subnets, network perimeter) to controls based on identities. From an application security point of view, this requires authentication and authorization policies based on application and service identities in addition to the underlying network parameters and user identities. This in turn requires a platform consisting of API gateways, sidecar proxies, and an application identity infrastructure (e.g., Secure Production Identity Framework for Everyone [SPIFFE]) that can enforce those policies irrespective of where the services or applications run, whether on-premises or across multiple clouds. The objective of this publication is to provide guidance for realizing an architecture that can enforce granular application-level policies while meeting the runtime requirements of ZTA for multi-cloud and hybrid environments.
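The identity-tier enforcement the abstract describes, shown as an added example that is not part of the publication and not code from any SPIFFE or service-mesh project: a Go program that extracts the SPIFFE ID from an X.509-SVID's URI SAN, rejects SVIDs from a foreign trust domain, and authorizes a request on that identity alone, beside the network-tier (source-address) check it replaces. The trust domain example.org, the namespace/service-account path layout, the policy rules, and the self-signed test SVID are all assumptions constructed for the example; in a real sidecar proxy or gateway the certificate comes from the verified mTLS peer chain rather than from a local helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"strings"
	"time"
)

// TrustDomain is an assumed trust domain for this example.
const TrustDomain = "example.org"

// Rule is one identity-tier policy entry: a caller SPIFFE ID (exact, or a
// prefix when it ends in "/") may invoke the listed methods on Target.
type Rule struct {
	Caller  string
	Target  string
	Methods []string
}

// policy is a constructed example policy; the path layout is an assumption.
var policy = []Rule{
	{Caller: "spiffe://example.org/ns/shop/sa/frontend", Target: "orders", Methods: []string{"GET", "POST"}},
	{Caller: "spiffe://example.org/ns/shop/sa/", Target: "catalog", Methods: []string{"GET"}},
}

// SPIFFEIDFromSVID extracts the workload identity from an X.509-SVID. The
// SPIFFE X509-SVID spec requires a leaf SVID to carry exactly one spiffe
// URI SAN, and this enforcer only trusts identities from its own trust domain.
func SPIFFEIDFromSVID(cert *x509.Certificate) (string, error) {
	var ids []*url.URL
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u)
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly one spiffe URI SAN, got %d", len(ids))
	}
	id := ids[0]
	if id.Host == "" || id.User != nil || id.Port() != "" || id.RawQuery != "" || id.Fragment != "" {
		return "", fmt.Errorf("malformed SPIFFE ID %q", id.String())
	}
	if id.Host != TrustDomain {
		return "", fmt.Errorf("SVID from foreign trust domain %q", id.Host)
	}
	return id.String(), nil
}

// IdentityTierAllows decides on the caller's identity alone; the caller's
// network location never enters the decision, so the answer is the same
// whether the workload runs on-premises or in a cloud VPC.
func IdentityTierAllows(rules []Rule, caller, target, method string) bool {
	for _, r := range rules {
		exact := caller == r.Caller
		prefix := strings.HasSuffix(r.Caller, "/") && strings.HasPrefix(caller, r.Caller)
		if r.Target != target || !(exact || prefix) {
			continue
		}
		for _, m := range r.Methods {
			if m == method {
				return true
			}
		}
	}
	return false
}

// NetworkTierAllows is the legacy control the abstract contrasts with: an
// allow-list keyed on source address, which breaks as soon as the same
// workload is reached from another location.
func NetworkTierAllows(allowedCIDR, srcIP string) bool {
	_, cidr, err := net.ParseCIDR(allowedCIDR)
	ip := net.ParseIP(srcIP)
	return err == nil && ip != nil && cidr.Contains(ip)
}

// NewTestSVID mints a self-signed leaf carrying the given SPIFFE ID. This is
// a constructed stand-in; a real SVID is issued by the identity provider's CA.
func NewTestSVID(spiffeID string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "svid"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	svid, err := NewTestSVID("spiffe://example.org/ns/shop/sa/frontend")
	if err != nil {
		panic(err)
	}
	id, err := SPIFFEIDFromSVID(svid)
	if err != nil {
		panic(err)
	}
	// Same workload, two locations: an on-prem subnet and a cloud VPC address.
	for _, src := range []string{"10.1.2.3", "172.31.5.9"} {
		fmt.Printf("%s from %s: network-tier=%v identity-tier=%v\n", id, src,
			NetworkTierAllows("10.1.0.0/16", src), IdentityTierAllows(policy, id, "orders", "POST"))
	}
}
```

The network-tier check admits the workload from 10.1.2.3 and refuses it from 172.31.5.9, while the identity-tier check gives the same answer from both addresses because it keys on the SVID, which travels with the workload. The trust-domain check matters: an attacker who controls a CA for some other domain can mint a certificate whose path looks right, so the enforcer must pin the domain (and, in a real mesh, validate the chain against the trust bundle) before the path is ever consulted.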
Citation
Special Publication (NIST SP) - 800-207A
Report Number
800-207A

Keywords

egress gateway, identity-tier policies, ingress gateway, microservices, multi-cloud, network-tier policies, service mesh, sidecar proxy, SPIFFE, transit gateway, zero trust, zero trust architecture.

Citation

Chandramouli, R. and Butcher, Z. (2023), A Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Location Environments, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-207A, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=956524 (Accessed May 26, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created September 13, 2023