ISTIO Security Requirements
ISTIO Security Requirements – Authentication

1. ISTIO MUST support HTTP Basic Auth, PKI authentication using X.509 certificates, OAuth using an operator Authorization Server, and integration with an Operator provided web SSO.
2. ISTIO MUST NOT identify the reason for an authentication failure to the user.
3. ISTIO MUST forward the identity of the requester (subject) to the microservice implementing the API once the requester has been authenticated.
4. ISTIO MUST integrate with AAF for password-based authentication.
ISTIO Security Requirements – Authorization

5. ISTIO MUST enforce URL-level authorization.
6. ISTIO MUST integrate with AAF for authorization policy management.
7. ISTIO MUST cache authorization policies.
8. ISTIO MUST update the authorization cache when notified of a change to the authorization policies.
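Requirements 3, 5, 7 and 8 together describe a small enforcement loop: an authenticated subject arrives with the request, a locally cached rule set decides per URL, and the cache is replaced when the policy store signals a change. The Go below is an added illustration of that loop, not code from Istio or from the requirements' authors; the rule shape, the subject names and the two-rule policy are constructed for the example, and the policy store (AAF) is represented only by the call that reloads the cache. The one detail worth copying is that the path is normalised before prefix matching, so a request such as `/public/../admin/users` is judged as the path the backend will actually serve.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"sync"
)

// Rule grants the listed subjects the listed HTTP methods on every URL at or
// under Prefix. Subjects are the authenticated identities forwarded under
// requirement 3; the names used here are constructed for the example.
type Rule struct {
	Prefix   string
	Methods  []string
	Subjects []string
}

// PolicyCache holds the rule set fetched from the policy store (AAF in the
// requirements) so that every request is decided locally (requirement 7).
type PolicyCache struct {
	mu      sync.RWMutex
	version int
	rules   []Rule
}

// Reload swaps in a complete new rule set; call it from the handler for the
// policy-change notification (requirement 8). Readers holding RLock never see
// a half-replaced set.
func (c *PolicyCache) Reload(version int, rules []Rule) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.version, c.rules = version, rules
}

// Version reports which policy snapshot the cache currently serves.
func (c *PolicyCache) Version() int {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.version
}

// Allow is the URL-level decision of requirement 5: default deny, allow only
// when a cached rule matches subject, method and normalised path. rawPath is
// the already percent-decoded path (url.URL.Path).
func (c *PolicyCache) Allow(subject, method, rawPath string) bool {
	// Normalise before matching: "/public/../admin/users" must be judged as
	// "/admin/users", the path the backend will actually serve.
	p := path.Clean("/" + rawPath)
	c.mu.RLock()
	defer c.mu.RUnlock()
	for _, r := range c.rules {
		if underPrefix(p, r.Prefix) && contains(r.Methods, method) && contains(r.Subjects, subject) {
			return true
		}
	}
	return false
}

// underPrefix is segment-aware: "/admin" covers "/admin" and "/admin/users"
// but not "/administrator".
func underPrefix(p, prefix string) bool {
	prefix = path.Clean("/" + prefix)
	return prefix == "/" || p == prefix || strings.HasPrefix(p, prefix+"/")
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// DemoCache returns a cache loaded with a constructed two-rule policy.
func DemoCache() *PolicyCache {
	c := &PolicyCache{}
	c.Reload(1, []Rule{
		{Prefix: "/admin", Methods: []string{"GET", "POST"}, Subjects: []string{"ops-team"}},
		{Prefix: "/public", Methods: []string{"GET"}, Subjects: []string{"anyone"}},
	})
	return c
}

func main() {
	c := DemoCache()
	fmt.Println(c.Allow("anyone", "GET", "/public/../admin/users")) // false: normalised to /admin/users
	fmt.Println(c.Allow("ops-team", "GET", "/admin/users"))         // true
}
```

The cache is deliberately replaced wholesale rather than patched rule by rule: a notification carries a new version, and a single swap under the write lock keeps requests from ever being evaluated against a mix of old and new rules.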
ISTIO Security Requirements – X.509 Certificates

9. ISTIO MUST allow the Operator to configure the RFC 5280 compliant Certificate Authority (CA) within ISTIO.
10. ISTIO MUST be capable of validating any X.509 certificates issued from any Certificate Authority (CA) that is compliant with RFC 5280, e.g., a public CA such as DigiCert or Let's Encrypt, or an RFC 5280 compliant Operator CA.
11. ISTIO MUST be capable of acting as a Registration Authority (RA) when managing X.509 certificates.
12. ISTIO SHOULD support an automated certificate management protocol such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or Automated Certificate Management Environment (ACME).
ISTIO Security Requirements – X.509 Certificates

13. ISTIO MUST provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate.
14. ISTIO MUST provide the capability of testing the validity of a digital certificate by validating that the date the certificate is being used is within the validity period for the certificate.
15. ISTIO MUST provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked.
16. ISTIO MUST provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate — the “distinguished name”.
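Requirements 13 to 16 are four separate checks, and an implementation should be able to say which one a certificate failed. The Go below is an added example of running them in order with the standard `crypto/x509` package; it is not Istio's code and not part of the requirements. Everything it validates is constructed in memory: a self-signed Operator CA, a leaf with serial 1, a second leaf with serial 2, and a CRL signed by the CA that lists serial 2. The CRL is refused rather than trusted when it is past its nextUpdate, because a stale CRL says nothing about whether a certificate has since been revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ValidateLeaf applies requirements 13-16 in order and returns the distinguished
// name on success. ca is the parsed Operator CA, crlDER a DER CRL issued by it.
func ValidateLeaf(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	// 13: CA signature on the certificate (also enforces that ca is a CA with keyCertSign).
	if err := leaf.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("signature: %w", err)
	}
	// 14: the time of use lies inside the validity period.
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return "", errors.New("certificate used outside its validity period")
	}
	// 15: CRL check; the CRL is trusted only if the CA signed it and it is current.
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", fmt.Errorf("crl parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", errors.New("crl is past its nextUpdate; refuse rather than assume not revoked")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "", errors.New("certificate is revoked")
		}
	}
	// 16: the identity the certificate represents, as an RFC 2253 style DN.
	return leaf.Subject.String(), nil
}

// DemoPKI is a constructed in-memory PKI: CA, good leaf (serial 1), revoked leaf (serial 2), CRL listing 2.
type DemoPKI struct {
	CA, Good, Revoked *x509.Certificate
	CRL               []byte
}

// must keeps the fixture builder short; a real issuer would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI generates fresh keys and certificates with fixed validity dates.
func BuildDemoPKI() *DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "Demo Operator CA"},
		NotBefore: time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2033, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "api.example.internal", Organization: []string{"Demo Operator"}},
			NotBefore:    time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
			NotAfter:     time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC),
			KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC), NextUpdate: time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(2), RevocationTime: time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)}},
	}, ca, caKey))
	return &DemoPKI{CA: ca, Good: issue(1), Revoked: issue(2), CRL: crl}
}

func main() {
	pki := BuildDemoPKI()
	now := time.Date(2024, 6, 15, 0, 0, 0, 0, time.UTC)
	fmt.Println(ValidateLeaf(pki.Good, pki.CA, pki.CRL, now))    // DN, <nil>
	fmt.Println(ValidateLeaf(pki.Revoked, pki.CA, pki.CRL, now)) // "", certificate is revoked
}
```

`Certificate.Verify` would fold checks 13 and 14 into one call against a root pool; they are kept separate here so that the failing requirement is named in the error, which is what an audit log or a conformance test needs.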
ISTIO Security Requirements – Cryptography

17. ISTIO MUST use NIST and industry standard cryptographic algorithms and standard modes of operation when implementing cryptography.
18. ISTIO MUST NOT use keys generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data.
19. ISTIO MUST NOT use compromised encryption algorithms. For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms.
20. ISTIO MUST use standard implementations of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors or obtained from reputable open source communities.
21. ISTIO MUST support HTTP/S using TLS v1.2 or higher with strong cryptographic ciphers.
22. ISTIO MUST provide the ability to migrate to newer versions of cryptographic algorithms and protocols with minimal impact.
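Requirement 21 is the one on this slide that a deployment can check mechanically. The Go below is an added example, not Istio's configuration and not from the requirements' authors: it builds a `crypto/tls` server config that pins TLS 1.2 as the floor with an explicit allow-list of forward-secret AEAD suites, and an audit function that reports the ways another config falls short. The audit leans on `tls.InsecureCipherSuites()` for suites Go itself marks insecure and on suite names for the two weaker classes it does not (static RSA key exchange, CBC); the "weak" config in `main` is constructed to show the findings.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// StrongTLSConfig is the floor requirement 21 sets: TLS 1.2 minimum and an
// explicit allow-list of forward-secret AEAD suites. TLS 1.3 suites need no
// listing; Go always enables them and does not let them be configured.
func StrongTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// AuditTLSConfig lists the ways cfg falls short of requirement 21, for use as
// a startup self-check or a unit test over a deployment's listener settings.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "MinVersion not pinned; the floor then depends on the Go release's default")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "MinVersion permits TLS below 1.2")
	}
	// Suites Go itself marks insecure (RC4, 3DES, ...), keyed by ID.
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "no explicit cipher suite allow-list; Go's default list applies")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "insecure suite: "+name)
		case strings.HasPrefix(name, "TLS_RSA_"):
			findings = append(findings, "static RSA key exchange, no forward secrecy: "+name)
		case strings.Contains(name, "_CBC_"):
			findings = append(findings, "non-AEAD suite: "+name)
		}
	}
	return findings
}

func main() {
	fmt.Println(AuditTLSConfig(StrongTLSConfig())) // []
	// Constructed weak config: TLS 1.0 floor, RC4 and a static-RSA suite.
	weak := &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_GCM_SHA256},
	}
	fmt.Println(AuditTLSConfig(weak))
}
```

Keeping the allow-list explicit also serves requirement 22: retiring a suite or raising the floor is a one-line change in a single place, and the audit function turns that policy into a test that fails when someone widens it.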
ISTIO Security Requirements – Logging & Monitoring

23. ISTIO MUST generate security audit logs that can be sent to Security Analytics Tools for analysis.
24. ISTIO MUST log successful and unsuccessful authentication attempts.
25. ISTIO MUST log the field “event type” in the security audit logs.
26. ISTIO MUST log the field “date/time” in the security audit logs.
27. ISTIO MUST log the field “protocol” in the security audit logs.
28. ISTIO MUST log the field “service or program used for access” in the security audit logs.
29. ISTIO MUST log the field “success/failure” in the security audit logs.
30. ISTIO MUST log the field “Login ID” in the security audit logs.
31. ISTIO MUST NOT include an authentication credential, e.g., password, in the security audit logs, even if encrypted.
32. ISTIO MUST activate security alarms automatically when a configurable number of consecutive unsuccessful login attempts is reached.
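Requirements 23 to 32 fix the shape of an audit record, forbid credentials in it, and ask for an alarm on consecutive failures; requirement 2 on the authentication slide adds that the requester must not learn why a login failed. The Go below is an added example covering both slides, not Istio's logging and not from the requirements' authors. It defines a record type carrying exactly the fields of 25 to 30, an encoder that refuses a record whose free-text detail carries a credential marker (the marker list and the sample events are constructed), a user-facing error that stays generic while the detail goes only to the log, and a per-login counter with a configurable threshold.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditEvent carries the fields requirements 25-30 demand. It has no field for
// a password, token or other credential (requirement 31); Detail is free text
// and is screened before the record leaves the process.
type AuditEvent struct {
	EventType string    `json:"event_type"`       // 25
	Timestamp time.Time `json:"timestamp"`        // 26
	Protocol  string    `json:"protocol"`         // 27
	Service   string    `json:"service"`          // 28
	Success   bool      `json:"success"`          // 29
	LoginID   string    `json:"login_id"`         // 30
	Detail    string    `json:"detail,omitempty"` // internal reason; never shown to the requester
}

// credentialMarkers are substrings that indicate a credential leaked into
// Detail. The list is a constructed starting point, not an exhaustive one.
var credentialMarkers = []string{"password=", "passwd=", "authorization:", "bearer ", "client_secret="}

// Encode serialises an event for the Security Analytics Tools feed (requirement 23)
// and refuses any record whose Detail carries a credential marker (requirement 31).
func Encode(ev AuditEvent) ([]byte, error) {
	low := strings.ToLower(ev.Detail)
	for _, m := range credentialMarkers {
		if strings.Contains(low, m) {
			return nil, errors.New("audit event rejected: detail contains a credential marker")
		}
	}
	return json.Marshal(ev)
}

// UserFacingError is the response text for a failed authentication. Requirement 2
// forbids telling the requester why it failed, so Detail is logged but never returned.
func UserFacingError(ev AuditEvent) string {
	if ev.Success {
		return ""
	}
	return "authentication failed"
}

// FailureMonitor implements requirement 32: Threshold consecutive failed
// authentications for one login ID raise an alarm.
type FailureMonitor struct {
	Threshold int
	streak    map[string]int
}

func NewFailureMonitor(threshold int) *FailureMonitor {
	return &FailureMonitor{Threshold: threshold, streak: map[string]int{}}
}

// Record feeds one audit event to the monitor (requirement 24: both outcomes
// are logged, only failures count) and reports whether the alarm fires on this
// event. A success resets the streak; the alarm fires once, when the threshold
// is reached.
func (m *FailureMonitor) Record(ev AuditEvent) bool {
	if ev.EventType != "authentication" {
		return false
	}
	if ev.Success {
		m.streak[ev.LoginID] = 0
		return false
	}
	m.streak[ev.LoginID]++
	return m.streak[ev.LoginID] == m.Threshold
}

// Streak reports the current consecutive-failure count for a login ID.
func (m *FailureMonitor) Streak(loginID string) int { return m.streak[loginID] }

func main() {
	// Constructed sample: three failed Basic Auth logins for the same login ID.
	mon := NewFailureMonitor(3)
	for i := 0; i < 3; i++ {
		ev := AuditEvent{
			EventType: "authentication", Timestamp: time.Date(2024, 5, 1, 12, 0, i, 0, time.UTC),
			Protocol: "HTTPS", Service: "istio-ingressgateway", Success: false, LoginID: "alice",
			Detail: "basic auth: wrong password",
		}
		out, _ := Encode(ev)
		fmt.Println(string(out), "alarm:", mon.Record(ev), "to user:", UserFacingError(ev))
	}
}
```

The marker scan is a last line of defence, not a substitute for never placing a credential in `Detail` in the first place; its value is that a record which would breach requirement 31 is dropped with an error rather than shipped to the analytics feed, where it would persist even if encrypted in transit.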