Consul Connect
by HashiCorp
Service mesh with built-in service discovery, configuration management, and mTLS for multi-platform environments
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SP 800-204 §2.7: "Service meshes create a small proxy server instance for each service within a microservices application. This specialized proxy is sometimes called a 'sidecar proxy'. The sidecar proxy forms the data plane, while the runtime operations needed for enforcing security are enabled by injecting policies into the sidecar proxy from the control plane." MS-SS-3: "Service registry capabilities should be provided through servers that are either dedicated or part of a service mesh architecture. Service registry should have validation checks to ensure that only legitimate services are performing the registration." MS-SS-4: "Service to Service communication should take place after mutual authentication and be encrypted."
SM-DR8: "All traffic should be denied by default and explicitly allowed to required services (allowlisting)." SM-DR1: "All service-to-service communications should be authenticated." Consul implements SM-DR1 with Connect mTLS (every sidecar presents and verifies a CA-issued service certificate) and SM-DR8 with intentions: when ACLs are enabled with default_policy = "deny", intentions also default to deny, so a service pair can talk only if an intention explicitly allows it.
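The configuration below is an added example, not text from this page or from HashiCorp, showing one way to express SM-DR1/SM-DR8 and MS-SS-4 in a single Consul server agent file: gossip encryption, agent TLS verified in both directions, ACLs in default-deny, Connect enabled, and a bootstrapped service-intentions entry that allowlists one caller. The datacenter, file paths, the service names web and api, and the /v1/ path are assumptions; the gossip key is a placeholder for the output of `consul keygen`. Field names inside config_entries follow the proxy-defaults and service-intentions config entry references.

```hcl
# Added example (not from the page or from HashiCorp). Server agent
# config; names, paths and the web/api services are assumptions.
datacenter       = "dc1"
data_dir         = "/opt/consul/data"
server           = true
bootstrap_expect = 3

# Gossip encryption. Replace the placeholder with `consul keygen` output
# and require encrypted gossip in both directions.
encrypt                 = "REPLACE_WITH_OUTPUT_OF_consul_keygen"
encrypt_verify_incoming = true
encrypt_verify_outgoing = true

# Agent-to-agent RPC and HTTPS API: verify both peers, and check server
# hostnames so a client certificate cannot be replayed as a server.
tls {
  defaults {
    ca_file         = "/etc/consul.d/certs/consul-agent-ca.pem"
    cert_file       = "/etc/consul.d/certs/dc1-server-consul-0.pem"
    key_file        = "/etc/consul.d/certs/dc1-server-consul-0-key.pem"
    verify_incoming = true
    verify_outgoing = true
  }
  internal_rpc {
    verify_server_hostname = true
  }
}

# ACL default-deny: a request with no token or an unknown token can do
# nothing, and intentions inherit this default, so service pairs that
# are not listed below are denied.
acl {
  enabled        = true
  default_policy = "deny"
}

# Service mesh on. Envoy sidecars fetch xDS over the TLS gRPC port
# (grpc_tls is available from Consul 1.14).
connect {
  enabled = true
}
ports {
  grpc_tls = 8503
}

# Config entries the leader writes to the state store on election.
config_entries {
  bootstrap = [
    {
      # HTTP at L7 everywhere so intention permissions on path and
      # method can be evaluated by the sidecars.
      Kind   = "proxy-defaults"
      Name   = "global"
      Config = {
        protocol = "http"
      }
    },
    {
      # Allowlist for the assumed api service: only web may call it,
      # and only GET under /v1/. The "*" source restates the default
      # deny explicitly; an exact source name takes precedence over it.
      Kind = "service-intentions"
      Name = "api"
      Sources = [
        {
          Name = "web"
          Permissions = [
            {
              Action = "allow"
              HTTP = {
                PathPrefix = "/v1/"
                Methods    = ["GET"]
              }
            }
          ]
        },
        {
          Name   = "*"
          Action = "deny"
        }
      ]
    }
  ]
}
```

After the servers elect a leader, `consul intention check web api` should print Allowed and `consul intention check billing api` (any other source) should print Denied; the same agent file without the acl stanza would silently flip that default to allow, which is the configuration mistake SM-DR8 is written to prevent.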
NIST SP 800-204B §3: "ABAC is defined as an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, (optionally) environmental conditions, and a set of policies." §4.2 ISMC-SR-1: "If certificate-based authentication is used for authenticating service calls, the signing certificate used by the service mesh's CA module should be rooted in the organization's existing Public Key Infrastructure (PKI) to allow for auditability, rotation, and revocation." §4.5.2 EUAZ-SR-2: "The sidecar should generate logs for every service request to ensure that authentication and authorization policies are enforced."
Official security guide covering ACLs, TLS, gossip encryption, and intentions for service-to-service authorization.
Federal guidance on implementing zero trust. Consul intentions and ACLs align with zero trust principles for service-to-service communication.
SOC 2 CC6.7: "The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission." Consul Connect implements automatic mTLS encryption through service mesh proxies, directly supporting CC6.7 requirements for protecting data in transit between services. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.24: "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented." Consul Connect provides built-in certificate authority with automatic certificate rotation, implementing cryptographic controls that secure the confidentiality, integrity, and authenticity of service communications as required by A.8.24. Source: ISO/IEC 27001:2022 Annex A.
CCM IAM-02: "Identify and authenticate all users with a unique ID and manage authentication credentials in accordance with policies." CCM IAM-14: "Access credentials for service accounts shall be short-lived and frequently rotated." Consul Connect gives each service a SPIFFE-compatible X.509 identity (the leaf certificate carries a spiffe:// URI SAN naming the service) issued by its built-in CA and rotated automatically before the leaf TTL expires, directly supporting CCM IAM controls for service authentication. Source: CSA Cloud Controls Matrix v4.0.
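The fragment below is an added example, not text from this page or from HashiCorp, covering the NIST SP 800-204B items quoted above (ISMC-SR-1, the mesh CA rooted in the organization's PKI, and EUAZ-SR-2, per-request sidecar logs) and the ISO 27001 A.8.24 and CCM IAM-14 mappings on certificate lifetime and rotation. It switches the Connect CA from Consul's built-in provider to an existing Vault PKI mount and turns on Envoy access logs through the global proxy-defaults entry. The Vault address, mount paths, token placeholder and TTLs are assumptions; in a deployment that already has a global proxy-defaults entry, the AccessLogs field is merged into that entry rather than added as a second one. AccessLogs requires Consul 1.15 or later.

```hcl
# Added example (not from the page or from HashiCorp). Server agent
# config fragment; Vault address, paths and TTLs are assumptions.
connect {
  enabled     = true
  ca_provider = "vault"
  ca_config {
    address = "https://vault.example.internal:8200"

    # Placeholder: prefer a Vault auth method over a static token so
    # the CA credential itself is short-lived (see IAM-14).
    token = "REPLACE_WITH_VAULT_TOKEN"

    # If connect-root is already mounted and holds the organization's
    # CA, Consul uses that CA instead of generating its own, which is
    # what roots the mesh in existing PKI (ISMC-SR-1). The intermediate
    # mount is created and rotated by Consul.
    root_pki_path         = "connect-root"
    intermediate_pki_path = "connect-intermediate"

    # Lifetimes: service leaf certificates are reissued every 72h,
    # the intermediate yearly, the root every ten years. Consul
    # requires the intermediate TTL to be well above the leaf TTL.
    leaf_cert_ttl         = "72h"
    intermediate_cert_ttl = "8760h"
    root_cert_ttl         = "87600h"

    # ECDSA P-256 keys for leaf and intermediate certificates.
    private_key_type = "ec"
    private_key_bits = 256
  }
}

config_entries {
  bootstrap = [
    {
      # Per-request access logs from every Envoy sidecar (EUAZ-SR-2),
      # written to the sidecar's stdout for the log pipeline to collect.
      Kind   = "proxy-defaults"
      Name   = "global"
      Config = {
        protocol = "http"
      }
      AccessLogs = {
        Enabled = true
        Type    = "stdout"
      }
    }
  ]
}
```

To confirm the rooting and the rotation schedule, `consul connect ca get-config` shows the provider and TTLs, and `openssl x509 -in <leaf.pem> -noout -issuer -dates -ext subjectAltName` on a leaf pulled from a sidecar shows the issuer chain and the spiffe:// identity; a leaf whose Not After is more than 72h ahead means the TTL change has not taken effect.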
Verification Commands
Commands and queries for testing and verifying security configurations.
consul acl policy list
consul intention list
consul intention check {source-service} {destination-service}   (prints Allowed or Denied for that pair)
consul connect ca get-config
consul info | grep encrypted   (serf_lan and serf_wan report encrypted = true when gossip encryption is on)
consul connect envoy -sidecar-for {service-name} -bootstrap   (dumps the Envoy bootstrap configuration the sidecar would start with)
openssl x509 -in /path/to/cert.pem -noout -text   (check the issuer, validity window and the spiffe:// URI SAN of a leaf certificate)
consul catalog services | grep sidecar-proxy   (lists the registered Connect sidecar proxies)
Related Controls
Security controls from various frameworks that relate to Consul Connect.