Trusted Microservices: A Security Framework for Users' Interaction with Microservices Applications

Exploring Microservice Security

2018

Due to the rapid transition towards a digitalized society and extended reliance on interconnected digital systems, computer security is a field of growing importance. The software we build should be secure, resilient and reliable against both accidents and targeted attacks. The microservice architecture, or concisely microservices, is a recent trend in software engineering and system design. Microservices are a way to build scalable and flexible distributed applications as a collection of loosely coupled services communicating over a network. In this thesis, we study the microservice architectural style from a security perspective. The contributions are as follows. We show that the microservice architecture has inherent security benefits in terms of isolation and diversity. We explore how these inherent security benefits of microservices can be improved even further by maximizing interface security, avoiding unnecessary node relationships, introducing asymmetric node strength, and using N-v...

Securing Microservices

IT Professional

Microservices have drawn significant interest in recent years and are now successfully finding their way into different areas, from enterprise IT to the Internet of Things to even critical applications. This article discusses how microservices can be secured at different levels and stages, considering a common software development lifecycle.

Security of Microservice Applications: A Practitioners' Perspective on Challenges and Best Practices

2022

Cloud-based application deployment is becoming increasingly popular among businesses, thanks to the emergence of microservices. However, securing such architectures is a challenging task, since traditional security concepts cannot be directly applied to microservice architectures due to their distributed nature. The situation is exacerbated by the scattered nature of the guidelines and best practices advocated by practitioners and organizations in this field. In this research paper we aim to shed light on the current microservice security discussions hidden within Grey Literature (GL) sources. In particular, we identify the challenges that arise when securing microservice architectures, as well as the solutions recommended by practitioners to address these issues. For this, we conducted a systematic GL study on the challenges and best practices of microservice security present on the Internet, with the goal of capturing relevant discussions in blogs, white papers, and standards. We collected 31...

Authentic techniques of authentication in microservices

International Journal of Current Advanced Research

The rudimentary approach to developing software has been the monolithic way. The monolithic approach is still good for small-scale teams and projects; nevertheless, once scalability, flexibility and other requirements like fast development, short time to market, wider team alliance, and so on gradually become critical to achieving business competitiveness, the monolithic approach stops being profitable. This is where the microservices architecture comes to the rescue. Microservices provide an intensive, scoped and modular approach to application design. Microservices are small, autonomous services that work together. [1] They can be well described using the keywords 'Faster development and Speed to production'. Microservices are deceptively termed code of limited length. In fact, a microservice is a piece of code which performs a single task and performs it soundly. They are independent in failure, i.e. the failure of a single component does not force the entire system to break down at once. The term micro indicates that the services are lightweight, cannot be further divided into sub-tasks, and perform one task solely with minimal dependency on other services. They are independently scalable as well. The most perplexing part of microservices is defining the granularity of the services. Security in microservices is one of the least explored topics. This paper explores the various security vulnerabilities and also presents the various methods deployed for providing authentication and authorization in microservi microservices depends on the idea of loose coupling and high

Security Design Patterns in Distributed Microservice Architecture

IJCSIS Vol 18 No. 7 July Issue, 2020

Abstract: Microservice architecture has revolutionized the landscape for the development of web and mobile applications alike. Due to the stateless nature and loose coupling involved in the design of microservices, native mobile applications can be developed by utilizing the same backend services which feed the inputs to the web application front ends. Extending the same concept, a plethora of automated devices, thanks to advancements in the field of IoT, have come into existence which can feed on the same set of microservices. This concept of "build once and utilize for many use cases" has become a new norm in enterprise design patterns. To handle the horizontal scalability needs of so many calling clients, significant advancements have been made in containerization and orchestration strategies on public cloud platforms. However, scalable design techniques have led to increased exposure of backend services to unwanted entities. This has broadened the attack surface and also the risk. On top of this, the mix of heterogeneous technologies in MSA, with their distinct logging strategies, makes central logging difficult, which in turn weakens security. Additionally, the complexity around building resilience for fault tolerance across decentralized networks adds to the security loopholes. The simple security designs which were once used with traditional web applications cannot be used for microservice-based applications. This paper articulates innovative approaches to handling the security needs involved in protecting distributed services in a microservice architecture.

Keywords: Microservice architecture; IoT; security patterns; OAuth; STS; fault tolerance; central logging

Fine-Grained Access Control for Microservices

Lecture Notes in Computer Science, 2019

Microservices-based applications are considered to be a promising paradigm for building large-scale digital systems due to their flexibility, scalability, and agility of development. To achieve the adoption of digital services, applications holding personal data must be secure while giving end-users as much control as possible. On the other hand, for software developers, adopting a security solution for microservices requires it to be easily adaptable to the application context and requirements while fully exploiting the reusability of security components. This paper proposes a solution that targets key security challenges of microservice-based applications. Our approach relies on the coordination of security components and offers fine-grained access control in order to minimise the risks of token theft, session manipulation, and a malicious insider; it also renders the system resilient against confused deputy attacks. The solution is based on a combination of the OAuth 2 and XACML open standards, and is achieved through reusable security components integrated with microservices.

Survey on Microservice Architecture-Security, Privacy and Standardization on Cloud Computing Environment

Microservices have been adopted as a natural solution for the replacement of monolithic systems. Some technologies and standards have been adopted for the development of microservices in the cloud environment; APIs and REST have been adopted on a large scale for their implementation. The purpose of the present work is to carry out a bibliographic survey of the microservice architecture, focusing mainly on security, privacy and standardization aspects in cloud computing environments. This paper presents a bundle of elements that must be considered for the construction of solutions based on microservices.

Low-Level Exploitation Mitigation by Diverse Microservices

Service-Oriented and Cloud Computing

This paper discusses a combination of isolatable microservices and software diversity as a mitigation technique against low-level exploitation; the effectiveness and benefits of such an architecture are substantiated. We argue that the core security benefit of microservices with diversity is increased control flow isolation. Additionally, a new microservices mitigation technique leveraging a security monitor service is introduced to further exploit the architectural benefits inherent to microservice architectures.

Building Secure Microservices-based Applications Using Service-Mesh Architecture

2020

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.