Istio
by CNCF
Service mesh providing traffic management, security, and observability for Kubernetes
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SP 800-204 §1: "A service mesh is a dedicated infrastructure layer that facilitates service-to-service communication through service discovery, routing and internal load balancing, traffic configuration, encryption, authentication and authorization, metrics, and monitoring." MS-SS-4: "Client to API gateway as well as Service to Service communication should take place after mutual authentication and be encrypted (e.g., using mutual TLS (mTLS) protocol). Frequently interacting services should create keep-alive TLS connections." MS-SS-1: "Authentication to microservices APIs that have access to sensitive data should not be done simply by using API keys. Access to such APIs should require authentication tokens that have either been digitally signed or is verified with an authoritative source."
SM-DR1: "All service-to-service communications within the cluster should be authenticated." SM-DR4: "The credentials used for authentication should be short-lived and frequently rotated." SM-DR6: "All traffic between services should be encrypted using mutual TLS." Istio implements these requirements through PeerAuthentication and AuthorizationPolicy resources.
NIST SP 800-204B §1: "With the disappearance of a network perimeter because of the need to provide ubiquitous access to applications from multiple remote locations using different types of devices, it is necessary to build the concept of zero trust into the application environment." §4.6.6 APE-SR-3: "A default policy should be authored in the system that rejects all requests that are unauthenticated, mandates that service and end-user credentials be present on every request, restricts all communication to services within the application's own namespace." ISMC-SR-1: "The signing certificate used by the service mesh's CA module should be rooted in the organization's existing Public Key Infrastructure (PKI)."
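The SM-DR and APE-SR-3 requirements above map onto three Istio resources. The manifest below is an added illustration, not configuration taken from Istio's documentation or from the sources quoted here; the `payments` namespace is an assumed example.

```yaml
# Mesh-wide mTLS (SM-DR6): a PeerAuthentication named "default" in the
# root namespace applies to every sidecar; STRICT rejects plaintext peers.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace default-deny (APE-SR-3): an AuthorizationPolicy with an empty
# spec matches no request, so every workload in the namespace denies all
# traffic until an explicit ALLOW rule matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments   # assumed example namespace
spec: {}
---
# Allow only callers from the same namespace (APE-SR-3 "restricts all
# communication to services within the application's own namespace").
# source.namespaces is taken from the peer certificate's SPIFFE identity,
# so this rule can only match authenticated mTLS traffic (SM-DR1).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-same-namespace
  namespace: payments   # assumed example namespace
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["payments"]
```

Short-lived, rotated workload certificates (SM-DR4) need no resource here; istiod issues and rotates them automatically, which `istioctl proxy-config secret` lets you confirm.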
Although the CIS Benchmark focuses on Kubernetes itself, it covers network segmentation, which Istio strengthens with service mesh policies and mTLS.
Official security hardening guide covering mTLS configuration, authorization policies, certificate management, and secure gateways.
SOC 2 CC6.7: "The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission." Istio implements automatic mTLS encryption for all service-to-service communication, directly supporting CC6.7 requirements for protecting data in transit with AES-256 encryption and strong cipher suites. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.24: "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented." Istio provides automatic certificate management and key rotation through its control plane, implementing cryptographic controls that secure the confidentiality, integrity, and authenticity of service communications as required by A.8.24. Source: ISO/IEC 27001:2022 Annex A.
CCM IAM-02: "Identify and authenticate all users with a unique ID and manage authentication credentials in accordance with policies." CCM IAM-14: "Access credentials for service accounts shall be short-lived and frequently rotated." Istio implements workload identity through SPIFFE certificates with automatic rotation, directly supporting CCM IAM controls for service authentication. Source: CSA Cloud Controls Matrix v4.0.
Verification Commands
Commands and queries for testing and verifying security configurations.
istioctl analyze -n {namespace} | grep -i 'mtls\|tls'
kubectl get peerauthentication -A
kubectl get authorizationpolicy -A
istioctl proxy-config cluster {pod-name}.{namespace}
istioctl authn tls-check {pod-name}.{namespace}
istioctl proxy-config secret {pod-name}.{namespace}
istioctl analyze --all-namespaces | grep -E "IST0|Warning|Error"
kubectl logs -n istio-system -l app=istiod | grep -i authz
Related Controls
Security controls from various frameworks that relate to Istio.