Alibaba Cloud Service Mesh (ASM) has become a leading vehicle for cloud-native zero trust systems. It offloads authentication and authorization from application code to the service mesh, giving an out-of-the-box solution that is dynamically configurable, with convenient update strategies that take effect immediately. In addition to Layer 3/4 network security control through Kubernetes NetworkPolicy, ASM provides peer authentication (mutual TLS between workloads), request authentication (end-user credentials such as JWTs), Istio authorization policies, more fine-grained policy control based on OPA (Open Policy Agent), and more sophisticated management functionality. Together, these zero trust security capabilities help users achieve their security goals.
The theoretical principles underlying ASM's zero trust capabilities are the following:
1) The basis of zero trust: unified identity for cloud-native workloads. ASM provides a simple, easy-to-use identity definition for each workload in the service mesh, along with mechanisms tailored to specific scenarios that extend the identity system. The identity format is compatible with the community SPIFFE standard.
2) Vehicle of zero trust: security certificates. ASM issues certificates and manages their lifecycle and rotation. Each workload's identity is carried in an X.509 certificate, which its sidecar proxy presents during mutual TLS; ASM also rotates both the certificates and their private keys.
3) Zero trust engine: policy execution. A policy-based trust engine is the key to implementing zero trust. In addition to Istio's RBAC-style authorization policies, ASM provides a more fine-grained authorization strategy based on OPA.
4) Zero trust insights: visualization and analysis. ASM provides observability mechanisms for monitoring the logs and metrics of policy execution, so users can evaluate how each policy is being enforced.
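To make principles 1 to 3 concrete, the following is an added example of the standard Istio security resources that ASM's zero trust features build on; it is not configuration taken from the original article or from Alibaba Cloud. The namespace `shop`, the service accounts `frontend` and `orders`, the trust domain `cluster.local`, and the JWT issuer and JWKS URL are all assumptions chosen for illustration. The first resource shows the weak setting (`PERMISSIVE`, commented out) beside the corrected one (`STRICT`); the ASM-specific OPA layer is not shown.

```yaml
# Added example, not the article's or ASM's own configuration. Names,
# namespace, trust domain and JWT issuer are assumptions for illustration.

# Principle 2: every workload in the namespace must present its X.509
# workload certificate over mutual TLS. The weak alternative is
#   mode: PERMISSIVE
# which also accepts plaintext traffic and so lets an unidentified caller in.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Principle 1 and 3: the caller's identity is the SPIFFE ID in the URI SAN of
# its certificate, spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>,
# written in Istio policies without the spiffe:// prefix. Only the frontend
# service account may call the orders workload, and only for GET/POST on
# /orders paths. Once an ALLOW policy applies to a workload, any request that
# matches no rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
---
# Request authentication: end-user JWTs reaching the frontend are validated
# against the issuer's JWKS. A request with an invalid token is rejected; a
# request with no token is passed through, which the DENY policy below blocks.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: frontend-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: frontend
  jwtRules:
  - issuer: "https://issuer.example.com"                         # assumed
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # assumed
---
# Require a validated JWT: requestPrincipals is only populated for requests
# that passed RequestAuthentication, so "no request principal" means "no
# valid token" and is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-require-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: frontend
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
```

Apply the four documents with `kubectl apply -f` against a mesh-enabled cluster. The check a practitioner wants after applying them is to call the orders service from a pod running under a different service account (or with no sidecar at all) and confirm it is refused, and to call the frontend without a token and confirm a 403: a STRICT PeerAuthentication that is never exercised by a negative test is easy to leave accidentally overridden by a narrower workload-level policy.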