Enhancing Security in Distributed Microservices through Zero-trust Architectures Using Spring Cloud and Kubernetes
Keywords:
Cloud-native security, Continuous authentication, Identity-centric security, Kubernetes, Microservices security, Mutual TLS, Service-to-service communication, Spring Cloud, Zero-trust architecture
Abstract
The increasing adoption of distributed microservices architectures, orchestrated via cloud-native platforms such as Spring Cloud and Kubernetes, has introduced significant complexities in securing dynamic and ephemeral service environments. Traditional perimeter-based security models are inadequate for addressing the expanded attack surface, inter-service communication vulnerabilities, and the absence of inherent trust boundaries in such distributed systems. This research addresses a critical gap in the practical operationalization of zero-trust security principles tailored specifically to these cloud-native microservices contexts. The study aims to develop and validate a comprehensive zero-trust security framework that incorporates dynamic authentication, fine-grained authorization, continuous monitoring, and secure service-to-service communication within Spring Cloud and Kubernetes environments. Employing a qualitative methodology comprising a systematic literature review and semi-structured expert interviews with domain professionals, the research synthesizes theoretical constructs and empirical insights to ensure both conceptual rigor and practical feasibility. Findings reveal that identity-centric security forms the foundation of effective zero-trust implementations, while native platform security mechanisms require augmentation through automation and continuous observability to overcome operational complexities. The proposed framework addresses critical security challenges and provides actionable guidance for practitioners managing distributed microservices security postures. Consequently, this study contributes a validated, integrative model that advances the understanding and application of zero-trust architectures in contemporary cloud-native microservices deployments, bridging theoretical innovation with industry-relevant solutions.