Effective CISSP Questions

A microservices-based application architecture, together with a service mesh infrastructure that provides various security services through service proxies, has emerged as the widespread application environment for cloud-native applications. Which of the following is not a common type of authorization policy used in a service mesh? (Wentz QOTD)
A. Service-level authorization policies
B. End user-level authorization policies
C. Model-based authorization policies
D. Circuit-level authorization policies

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Circuit-level authorization policies.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

The following is an excerpt from NIST SP 800-204B:

Fine-grained access control for microservices can be enforced through the configuration of authentication and access control policies. These policies are defined in the control plane of the service mesh, mapped into low-level configurations, and pushed into the sidecar proxies that form the data plane of the service mesh.

Authorization policies, just like their authentication counterparts, can be specified at the service level as well as the end user level. In addition, authorization policies are expressed based on constructs of an access control model and may vary based on the nature of the application and enterprise-level directives. Further, the location of the access control data may vary depending on the identity and access management infrastructure in the enterprise. These variations result in the following variables:

● Two authorization levels – service level and end user level
● Access control model used to express authorization policies
● Location of the access control data in a centralized or external authorization server or carried as header data

The supported access control in the service mesh uses abstraction to group one or more policy components (described below in Section 4.5.1) for specifying either service-level or end user-level authorization policies. Since microservices-based applications are implemented as APIs (e.g., Representational State Transfer (REST)ful API), authorization policy components described using key/value pairs will have attributes pertaining to an API, including the associated network protocols. The types of authorization policies are:

● Service-level authorization policies
● End user-level authorization policies
● Model-based authorization policies
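A concrete instance of the service-level and end user-level policies the excerpt describes, as an added example that is not part of the original post or of NIST SP 800-204B. It is written for Istio (an assumption: the namespace, workload, service account, API paths and JWT issuer are all made up), and assumes mesh mTLS and a RequestAuthentication for the issuer are already in place so that both the workload identity and the end-user identity are available to the sidecar proxy.

```yaml
# Added example, not from the page or NIST SP 800-204B: two Istio
# AuthorizationPolicy objects for a hypothetical "orders" workload.
# Istio, namespace, service accounts, paths and JWT issuer are assumed;
# mTLS and a RequestAuthentication for the issuer are assumed to exist.
# 1) Service-level policy: only the "checkout" workload identity
#    (SPIFFE ID issued by the mesh CA) may read or create orders.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-service-level
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders   # pushed to the sidecar proxies of this workload
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/v1/orders*"]
---
# 2) End user-level policy: deleting an order additionally requires a JWT
#    from the enterprise issuer whose "groups" claim holds "order-admins"
#    (the access control data is carried as header data, as in the excerpt).
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-end-user-level
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]   # service level
        requestPrincipals: ["https://idp.example.com/*"]    # end user level
    to:
    - operation:
        methods: ["DELETE"]
        paths: ["/api/v1/orders/*"]
    when:
    - key: request.auth.claims[groups]
      values: ["order-admins"]
```

Because both policies are ALLOW policies on the same workload, a request is admitted only if some rule matches; a DELETE from the checkout service without an admin JWT, or a GET from any other workload identity, is rejected by the proxy before it reaches the orders service.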

• NIST SP 800-204B

A microservices-based architecture in application and service mesh application infrastructure, which provides various security services through service proxies, has become the widespread application environment for cloud-native applications. Which of the following is not a common type of service mesh authorization policy? (Wentz QOTD)
A. Service-level authorization policies
B. End user-level authorization policies
C. Model-based authorization policies
D. Circuit-level authorization policies
