
Platform

mTLS

mTLS: mutual authentication and encryption of all service-to-service communication.

Plane: Platform
Flow steps: 2
Frameworks: NIST 800-53 · RFC 8705

Technology

Why use it

Make every service prove its identity to the other, and encrypt all internal traffic.

Why it matters to security

Removes implicit network trust: an attacker on the network can neither eavesdrop nor impersonate a service.

Implementations: service mesh (Istio, Linkerd) · SPIFFE / SPIRE · automated short-lived certificates

On the network, trust no one without a certificate: identity, not address.

Recommendations by maturity tier


Foundation

Minimum viable baseline
  • TLS encryption of all communications.
    NIST 800-53 SC-8
    No internal traffic in clear.
  • Server authentication by certificate.
    NIST 800-53 SC-23
    The client verifies the called service’s identity.
  • Managed internal certificate authority.
    NIST 800-53 SC-12
    Certificates are issued and governed centrally.

Enterprise

Enterprise standard
  • Mutual authentication (client AND server).
    NIST 800-53 IA-9 · SC-8
    Each end proves its identity to the other.
  • Short-lived certificates, automatic rotation.
    NIST 800-53 SC-12
    A stolen certificate expires quickly.
  • mTLS-bound tokens (RFC 8705).
    RFC 8705
    The token is usable only from the service holding the certificate.
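As an added example (not code from this page's author), the resource-server side of an RFC 8705 certificate-bound token check in Python: it recomputes the thumbprint of the client certificate presented on the mTLS session and compares it with the token's cnf claim, rejecting unbound bearer tokens and tokens bound to a different certificate. The DER byte strings and the unsigned-JWT helper are constructed for the example; in production the certificate bytes come from the TLS layer and the JWT signature is verified before this check.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def cert_thumbprint(cert_der: bytes) -> str:
    # RFC 8705 section 3.1: base64url(SHA-256(DER certificate)), carried as cnf["x5t#S256"]
    return b64url_encode(hashlib.sha256(cert_der).digest())

def jwt_claims(token: str) -> dict:
    # Decodes the payload only; signature verification is left to the caller's JWT library
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(b64url_decode(parts[1]))

def token_bound_to_cert(token: str, client_cert_der: bytes) -> bool:
    """True only if the token's cnf claim matches the presented client certificate.
    A token without cnf is an unbound bearer token and is rejected, so a token lifted
    from one service cannot be replayed over another service's mTLS session."""
    claims = jwt_claims(token)
    cnf = claims.get("cnf") if isinstance(claims, dict) else None
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False
    expected = cnf["x5t#S256"].encode("utf-8")
    actual = cert_thumbprint(client_cert_der).encode("utf-8")
    return hmac.compare_digest(expected, actual)  # constant-time comparison

def make_unsigned_token(claims: dict) -> str:
    # Test helper: JWT with an empty signature so the example runs offline
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

# Constructed stand-ins for DER certificates; in production the bytes come from the
# TLS layer (e.g. ssl.SSLSocket.getpeercert(binary_form=True)), not from a literal.
SERVICE_A_CERT_DER = b"constructed-der-for-service-a"
SERVICE_B_CERT_DER = b"constructed-der-for-service-b"

BOUND_TOKEN = make_unsigned_token(
    {"sub": "service-a", "cnf": {"x5t#S256": cert_thumbprint(SERVICE_A_CERT_DER)}})
BEARER_TOKEN = make_unsigned_token({"sub": "service-a"})
```

Calling token_bound_to_cert(BOUND_TOKEN, SERVICE_B_CERT_DER) returns False, which is the replay case the recommendation above is meant to stop.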

Advanced

High-assurance / regulated
  • Verifiable workload identity (SPIFFE).
    NIST 800-53 IA-9
    Each service has a strong, attested cryptographic identity.
  • Fast revocation wired to the PDP.
    NIST 800-53 AC-24
    A compromised certificate is invalidated without waiting for expiry.
  • Continuous session-authenticity verification.
    NIST 800-53 SC-23
    Channel authenticity is checked throughout the session.

Architecture notes

  • mTLS makes the “untrusted” network safe to use.
    It is the technical foundation of Zero-Trust micro-segmentation.
    Paired with workload identities (SPIFFE), it authenticates every service, everywhere.

References

NIST SP 800-53 Rev5
SC-8 (Transmission), SC-23 (Session Authenticity), SC-12 (Keys), IA-9 (Service Auth), AC-24.
RFC 8705
OAuth 2.0 mutual-TLS client-certificate-bound tokens (non-replayable).

Abbreviations

PDP: Policy Decision Point
PEP: Policy Enforcement Point
PIP: Policy Information Point
PAP: Policy Administration Point
IdP: Identity Provider
TSS: Token Service
NHI: Non-Human Identity
RBAC: Role-Based Access Control
ABAC: Attribute-Based Access Control
MFA: Multi-Factor Authentication
HITL: Human-in-the-loop
JIT: Just-In-Time
CAE: Continuous Access Evaluation
CAEP: Continuous Access Evaluation Profile
DPoP: Demonstrating Proof-of-Possession
mTLS: mutual TLS
PII: Personally Identifiable Information
KMS: Key Management Service
CI/CD: Continuous Integration / Continuous Delivery
SIEM: Security Information and Event Management
SOAR: Security Orchestration, Automation and Response
SCIM: System for Cross-domain Identity Management
XACML: eXtensible Access Control Markup Language
OPA: Open Policy Agent
OWASP: Open Worldwide Application Security Project
NIST: National Institute of Standards and Technology
ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM: Large Language Model
WAF: Web Application Firewall
CDN: Content Delivery Network
DDoS: Distributed Denial of Service
DLP: Data Loss Prevention
JWT: JSON Web Token
API: Application Programming Interface
CRS: Core Rule Set (OWASP)
RAG: Retrieval-Augmented Generation
MCP: Model Context Protocol
PBAC: Permission-Based Access Control
HSM: Hardware Security Module
UEBA: User and Entity Behavior Analytics
SBOM: Software Bill of Materials
SLSA: Supply-chain Levels for Software Artifacts
WORM: Write Once, Read Many
SPIFFE: Secure Production Identity Framework For Everyone