Towards Security-Aware Microservices: On Extracting Endpoint Data Access Operations to Determine Access Rights
Amr Abdelfattah, Micah Schiewe, Jacob Curtis, Tomas Cerny, Eunjee Song
2023
Abstract
Security policies are typically defined centrally for a particular system. However, the current mainstream architecture - microservices - introduces decentralization with self-contained interacting parts. This brings better evolution autonomy to individual microservices but introduces new challenges with consistency. The most basic security perspective is the setting of access rights; we typically enforce access rights at system endpoints. Given the self-contained and decentralized microservice nature, each microservice has to implement these policies individually. Considering that different development teams are involved in microservice development, likely the access rights are not consistently implemented across the system. Moreover, as the system evolves, it can quickly become cumbersome to identify a holistic view of the full set of access rights applied in the system. Various issues can emerge from inconsistent settings and potentially lead to security vulnerabilities and unintended bugs, such as incorrectly granting write or read access to system data. This paper presents an approach aiding a human-centered access right analysis of system endpoints in microservices. It identifies the system data that a particular endpoint accesses throughout its call paths and determines which operations are performed on these data across the call paths. In addition, it takes into account inter-service communication across microservices, which brings a great and novel instrument to practitioners who would otherwise need to perform a thorough code review of self-contained codebases to extract such information from the system. The presented approach has broad potential related to security analysis, further detailed in the paper.
DownloadPaper Citation
in Harvard Style
Abdelfattah A., Schiewe M., Curtis J., Cerny T. and Song E. (2023). Towards Security-Aware Microservices: On Extracting Endpoint Data Access Operations to Determine Access Rights. In Proceedings of the 13th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-758-650-7, SciTePress, pages 15-23. DOI: 10.5220/0011707500003488
in Bibtex Style
@conference{closer23,
author={Amr Abdelfattah and Micah Schiewe and Jacob Curtis and Tomas Cerny and Eunjee Song},
title={Towards Security-Aware Microservices: On Extracting Endpoint Data Access Operations to Determine Access Rights},
booktitle={Proceedings of the 13th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},
year={2023},
pages={15-23},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011707500003488},
isbn={978-989-758-650-7},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 13th International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - Towards Security-Aware Microservices: On Extracting Endpoint Data Access Operations to Determine Access Rights
SN - 978-989-758-650-7
AU - Abdelfattah A.
AU - Schiewe M.
AU - Curtis J.
AU - Cerny T.
AU - Song E.
PY - 2023
SP - 15
EP - 23
DO - 10.5220/0011707500003488
PB - SciTePress