
ISTIO Security Requirements and Best Practices

This document outlines ISTIO's security requirements regarding authentication, authorization, X.509 certificates, cryptography, and logging & monitoring. It specifies authentication methods, authorization policies, X.509 certificate management, cryptographic algorithms, and logging practices to ensure secure communication within ISTIO environments. The requirements cover aspects such as supporting various authentication mechanisms, enforcing URL-level authorization, validating X.509 certificates, using standard cryptographic algorithms, and generating security audit logs for analysis and monitoring.

sanllehy



  1. ISTIO Security Requirements – Authentication

     1. ISTIO MUST support HTTP Basic Auth, PKI authentication using X.509 certificates, OAuth using an Operator Authorization Server, and integration with an Operator-provided web SSO.
     2. ISTIO MUST NOT identify the reason for an authentication failure to the user (a single generic failure response prevents an attacker from learning whether an account exists or which part of the credential was wrong).
     3. ISTIO MUST forward the identity of the requester (subject) to the microservice implementing the API once the requester has been authenticated.
     4. ISTIO MUST integrate with AAF for password-based authentication.

  2. ISTIO Security Requirements – Authorization

     5. ISTIO MUST enforce URL-level authorization.
     6. ISTIO MUST integrate with AAF for authorization policy management.
     7. ISTIO MUST cache authorization policies.
     8. ISTIO MUST update the authorization cache when notified of a change to the authorization policies.
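The following Go program is an added example, not code from the original slides or from the Istio project. It models what requirements 5, 7 and 8 ask for at an enforcement point: URL-level rules with the path-pattern forms and the DENY-before-ALLOW precedence that Istio's AuthorizationPolicy documents, kept in a local cache that is swapped when the policy store notifies a change. The principal format, policy names, paths and service accounts are assumed sample values; the matching logic is a model of the documented semantics, not Istio's implementation.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Request holds what a decision needs; Principal is the authenticated identity
// the mesh forwards (req. 3), in Istio's "cluster.local/ns/<ns>/sa/<sa>" form.
type Request struct{ Principal, Method, Path string }

// Rule matches when every non-empty list has a match (empty means "any"). Path
// patterns take the forms Istio documents: exact, "/prefix*", "*suffix", "*".
type Rule struct{ Principals, Methods, Paths []string }

// Policy is a named rule set whose Action is "ALLOW" or "DENY".
type Policy struct {
	Name, Action string
	Rules        []Rule
}

func matchPath(pattern, path string) bool {
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(path, strings.TrimPrefix(pattern, "*"))
	}
	return pattern == path
}

func anyMatch(patterns []string, value string, match func(p, v string) bool) bool {
	for _, p := range patterns {
		if match(p, value) {
			return true
		}
	}
	return len(patterns) == 0 // an empty list means "any"
}

func (r Rule) matches(q Request) bool {
	eq := func(p, v string) bool { return p == v }
	return anyMatch(r.Principals, q.Principal, eq) && anyMatch(r.Methods, q.Method, eq) && anyMatch(r.Paths, q.Path, matchPath)
}

// evaluate applies the precedence Istio documents for a workload: a matching
// DENY rule rejects; with no ALLOW policy present the request is allowed;
// otherwise only a matching ALLOW rule admits it (so an ALLOW policy with no
// rules denies everything).
func evaluate(policies []Policy, q Request) bool {
	for _, p := range policies {
		for _, r := range p.Rules {
			if p.Action == "DENY" && r.matches(q) {
				return false
			}
		}
	}
	haveAllow, allowed := false, false
	for _, p := range policies {
		if p.Action == "ALLOW" {
			haveAllow = true
			for _, r := range p.Rules {
				allowed = allowed || r.matches(q)
			}
		}
	}
	return !haveAllow || allowed
}

// PolicyCache is the enforcement point's local copy of the policies (req. 7).
// Notify swaps in the new set when the policy store reports a change (req. 8);
// readers see either the old set or the new one, never a mix.
type PolicyCache struct {
	mu       sync.RWMutex
	policies []Policy
}

func (c *PolicyCache) Notify(policies []Policy) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.policies = policies
}

func (c *PolicyCache) Authorize(q Request) bool {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return evaluate(c.policies, q)
}

func main() {
	c := &PolicyCache{} // assumed sample policies, not a real deployment's
	c.Notify([]Policy{
		{Name: "deny-admin", Action: "DENY", Rules: []Rule{{Paths: []string{"/admin*"}}}},
		{Name: "api-readers", Action: "ALLOW", Rules: []Rule{{Principals: []string{"cluster.local/ns/apps/sa/frontend"},
			Methods: []string{"GET"}, Paths: []string{"/api/*"}}}},
	})
	fmt.Println(c.Authorize(Request{"cluster.local/ns/apps/sa/frontend", "GET", "/api/orders"})) // true
}
```

Two points the model makes visible: a prefix pattern such as "/admin*" also matches "/administrator", so prefixes meant for a path segment should end in "/"; and the matcher sees the path exactly as given, so in a real mesh the proxy's path normalization (Istio's meshConfig.pathNormalization setting) has to run before rules like these, or "/admin/../api" style requests will be judged on the wrong string.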

  3. ISTIO Security Requirements – X.509 Certificates

     9. ISTIO MUST allow the Operator to configure the RFC 5280 compliant Certificate Authority (CA) within ISTIO.
     10. ISTIO MUST be capable of validating any X.509 certificate issued by any Certificate Authority (CA) that is compliant with RFC 5280, e.g., a public CA such as DigiCert or Let's Encrypt, or an RFC 5280 compliant Operator CA.
     11. ISTIO MUST be capable of acting as a Registration Authority (RA) when managing X.509 certificates.
     12. ISTIO SHOULD support an automated certificate management protocol such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or Automated Certificate Management Environment (ACME).

  4. ISTIO Security Requirements – X.509 Certificates

     13. ISTIO MUST provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate.
     14. ISTIO MUST provide the capability of testing the validity of a digital certificate by validating that the date the certificate is being used falls within the certificate's validity period.
     15. ISTIO MUST provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) issued for certificates of that type, to ensure that the certificate has not been revoked.
     16. ISTIO MUST provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate, i.e., its “distinguished name”.
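The following Go program is an added example, not code from the slides or from Istio, showing the four checks of requirements 13 to 16 run as one validation routine (Go 1.19 or later, standard library only). The Operator CA, the two client certificates and the CRL are generated in memory as constructed test material, and the subject names and serial numbers are assumed sample values. The order of the checks, and the decision to fail closed when the CRL is stale, are design choices of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed test material: CA, leaf certificates and CRL are built in memory.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) } // NIST P-256 (req. 17)

// sign creates a certificate from tmpl; parent == nil makes it self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newCA returns a self-signed CA carrying the keyCertSign and cRLSign bits RFC 5280 expects.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	ca := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Operator Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &key.PublicKey, key)
	return ca, key
}

// issue signs a 12-hour client certificate for cn under the CA.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) *x509.Certificate {
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Operator"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, &newKey().PublicKey, caKey)
}

// newCRL returns a CA-signed CRL, current for one hour, listing the given serials as revoked.
func newCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// validate applies requirements 13-16 to leaf as used at time now.
func validate(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time, wantDN string) error {
	if err := leaf.CheckSignatureFrom(ca); err != nil { // 13: the CA's signature must verify
		return fmt.Errorf("signature: %w", err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) { // 14: time of use inside the validity period
		return fmt.Errorf("validity: used at %s, valid %s to %s", now.UTC().Format(time.RFC3339),
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	// 15: trust only a CRL the CA signed and that is still current; a stale CRL
	// gives no answer, so fail closed rather than assume "not revoked".
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("crl: stale, cannot establish revocation status")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("revoked: serial %s", leaf.SerialNumber)
		}
	}
	if got := leaf.Subject.String(); got != wantDN { // 16: the identity the certificate binds
		return fmt.Errorf("identity: got %q, want %q", got, wantDN)
	}
	return nil
}

func main() {
	ca, caKey := newCA()
	good, bad := issue(ca, caKey, "svc-a", 100), issue(ca, caKey, "svc-b", 101)
	crl := newCRL(ca, caKey, 101)
	fmt.Println("svc-a:", validate(good, ca, crl, time.Now(), "CN=svc-a,O=Operator"))
	fmt.Println("svc-b:", validate(bad, ca, crl, time.Now(), "CN=svc-b,O=Operator"))
}
```

In production code the first two checks, plus chain building and name constraints, are what x509.Certificate.Verify with a trusted root pool does; it performs no revocation check, so the CRL (or OCSP) step in the middle still has to be written, and it is the step most often forgotten.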

  5. ISTIO Security Requirements – Cryptography

     17. ISTIO MUST use NIST and industry-standard cryptographic algorithms and standard modes of operation when implementing cryptography.
     18. ISTIO MUST NOT use keys generated or derived from predictable functions or values; values considered predictable include user identity information, time of day, and stored or transmitted data.
     19. ISTIO MUST NOT use broken or deprecated cryptographic algorithms, e.g., MD5, SHA (the original SHA-0), SHA-1, DSS/DSA and Skipjack. (These are hash, signature and block-cipher algorithms, not only encryption algorithms; the prohibition applies to every cryptographic use.)
     20. ISTIO MUST use standard implementations of security applications, protocols and formats, e.g., S/MIME, TLS, SSH, IPsec and X.509 digital certificates, for its cryptographic implementations. These implementations must be purchased from reputable vendors or obtained from reputable open-source communities.
     21. ISTIO MUST support HTTPS using TLS 1.2 or higher with strong cryptographic ciphers.
     22. ISTIO MUST provide the ability to migrate to newer versions of cryptographic algorithms and protocols with minimal impact.

  6. ISTIO Security Requirements – Logging & Monitoring

     23. ISTIO MUST generate security audit logs that can be sent to Security Analytics Tools for analysis.
     24. ISTIO MUST log successful and unsuccessful authentication attempts.
     25. ISTIO MUST log the field “event type” in the security audit logs.
     26. ISTIO MUST log the field “date/time” in the security audit logs.
     27. ISTIO MUST log the field “protocol” in the security audit logs.
     28. ISTIO MUST log the field “service or program used for access” in the security audit logs.
     29. ISTIO MUST log the field “success/failure” in the security audit logs.
     30. ISTIO MUST log the field “Login ID” in the security audit logs.
     31. ISTIO MUST NOT include an authentication credential, e.g., a password, in the security audit logs, even if encrypted.
     32. ISTIO MUST activate security alarms automatically when a configurable number of consecutive unsuccessful login attempts is reached.
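The following Go program is an added example, not code from the slides or from Istio. It puts requirements 24 to 32 into one audit record type: the six mandatory fields are struct members, credential-looking attributes are dropped before the record is serialised (so they never reach the log, encrypted or not), and a per-login counter raises the alarm when a configurable run of consecutive failures is reached and resets on success. The field names, the list of credential key names and the sample events are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"sync"
	"time"
)

// AuditEvent carries the fields requirements 25-30 make mandatory, plus
// free-form attributes that are filtered before the record is written.
type AuditEvent struct {
	EventType string            `json:"event_type"` // e.g. "authn", "authz"
	Time      time.Time         `json:"time"`
	Protocol  string            `json:"protocol"` // e.g. "https", "mtls"
	Service   string            `json:"service"`  // service or program used for access
	Success   bool              `json:"success"`
	LoginID   string            `json:"login_id"`
	Extra     map[string]string `json:"extra,omitempty"`
}

// credentialKeys are attribute names that must never reach an audit log
// (req. 31), whatever the value looks like: plaintext, hashed or encrypted.
var credentialKeys = []string{"password", "passwd", "secret", "token", "authorization", "cookie", "private_key"}

func isCredential(key string) bool {
	k := strings.ToLower(key)
	for _, c := range credentialKeys {
		if strings.Contains(k, c) {
			return true
		}
	}
	return false
}

// Render serialises the event as one JSON line with credential attributes dropped.
func (e AuditEvent) Render() (string, error) {
	clean := map[string]string{}
	for k, v := range e.Extra {
		if !isCredential(k) {
			clean[k] = v
		}
	}
	e.Extra = clean // e is a copy; the caller's map is untouched
	b, err := json.Marshal(e)
	return string(b), err
}

// LockoutMonitor counts consecutive authentication failures per login ID and
// reports an alarm the moment the configurable threshold is reached (req. 32).
type LockoutMonitor struct {
	mu        sync.Mutex
	threshold int
	failures  map[string]int
}

func NewLockoutMonitor(threshold int) *LockoutMonitor {
	return &LockoutMonitor{threshold: threshold, failures: map[string]int{}}
}

// Observe records an authentication event; it returns true exactly when the
// login ID's consecutive-failure count reaches the threshold.
func (m *LockoutMonitor) Observe(e AuditEvent) bool {
	if e.EventType != "authn" {
		return false
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if e.Success {
		delete(m.failures, e.LoginID) // a success ends the run
		return false
	}
	m.failures[e.LoginID]++
	return m.failures[e.LoginID] == m.threshold
}

func main() {
	m := NewLockoutMonitor(3)
	// Constructed sample: three failed logins for "alice" with a password the
	// caller mistakenly attached; the credential must not reach the log line.
	for i := 0; i < 3; i++ {
		e := AuditEvent{EventType: "authn", Time: time.Now().UTC(), Protocol: "https",
			Service: "istio-ingressgateway", Success: false, LoginID: "alice",
			Extra: map[string]string{"client_ip": "10.0.0.5", "password": "hunter2"}}
		line, _ := e.Render()
		fmt.Println(line, "alarm:", m.Observe(e))
	}
}
```

The filter is applied by key name on purpose: a value-based check (entropy, prefix) misses short or encoded secrets, and an encrypted password is still a credential under requirement 31. The alarm is a return value so the same event can be both written to the log and handed to the analytics tool of requirement 23.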
