Abstract
Online software services are often designed as multi-tenant, API-based, microservice architectures. However, sharing service instances and storing sensitive data in a shared data store causes significant security risks. Application-level access control plays a key role in mitigating this risk by preventing unauthorized access to the application and data. Moreover, a microservice architecture introduces new challenges for access control on online services, as both the application logic and data are highly distributed. First, unauthorized requests should be denied as soon as possible, preferably at the facade API. Second, sensitive data should stay in the context of its microservice during policy evaluation. Third, the set of policies enforced on a single application request should be consistent for the entire distributed control flow.
To solve these challenges, we present ThunQ, a distributed authorization middleware that enforces authorization policies both early at the facade API, as well as lazily by postponing authorization decisions to the appropriate data context. To achieve this, ThunQ leverages two techniques called partial evaluation and query rewriting, which support policy enforcement both at the facade API, as well as deep in the data tier.
We implemented and open-sourced ThunQ as a set of reusable components for the Spring Cloud and Data ecosystem. Experimental results in an application case study show that ThunQ can efficiently enforce authorization policies in microservice applications, with acceptable increases in latency as the number of tenants and access rules grow.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Ahmadvand, M., Pretschner, A., Ball, K., Eyring, D.: Integrity protection against insiders in microservice-based infrastructures: from threats to a security framework. In: Mazzara, M., Ober, I., Salaün, G. (eds.) STAF 2018. LNCS, vol. 11176, pp. 573–588. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04771-9_43
Bertino, E., Sandhu, R.: Database security-concepts, approaches, and challenges. IEEE TDSC 2(1), 2–19 (2005)
Bogaerts, J., Lagaisse, B., Joosen, W.: Sequoia: a middleware supporting policy-based access control for search and aggregation in data-driven applications. IEEE TDSC 18(1) (2021)
Brenner, S., Hundt, T., Mazzeo, G., Kapitza, R.: Secure cloud micro services using intel SGX. In: Chen, L.Y., Reiser, H.P. (eds.) DAIS 2017. LNCS, vol. 10320, pp. 177–191. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59665-5_13
Brewer, D., Nash, M.: The Chinese wall security policy. In: Proceedings of IEEE S&P 1989 (1989)
Bystr, C., Heyman, J., Hamrén, J., Heyman, H., Holmberg, L.: Locust. https://locust.io/
Chen, J., Huang, H., Chen, H.: Informer: irregular traffic detection for containerized microservices RPC in the real world. In: Proceedings of SEC 2019. ACM (2019)
De Win, B., Piessens, F., Joosen, W., Verhanneman, T.: On the importance of the separation-of-concerns principle in secure software engineering. In: ACSAC - WAEPSSD (2003)
Faravelon, A., Chollet, S., Verdier, C., Front, A.: Configuring private data management as access restrictions: from design to enforcement. In: Liu, C., Ludwig, H., Toumani, F., Yu, Q. (eds.) ICSOC 2012. LNCS, vol. 7636, pp. 344–358. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34321-6_23
Guo, C.J., Sun, W., Huang, Y., Wang, Z.H., Gao, B.: A framework for native multi-tenancy application development and management. In: CEC-EEE (2007)
Hannousse, A., Yahiouche, S.: Securing microservices and microservice architectures: a systematic mapping study. Comput. Sci. Rev. 41, 100415 (2021)
Hu, V., et al.: Guide to attribute based access control (ABAC) definition and consideration. Technical report, NIST (2014)
Jin, H., Li, Z., Zou, D., Yuan, B.: Dseom: a framework for dynamic security evaluation and optimization of MTD in container-based cloud. IEEE TDSC 18(3) (2021)
Li, X., Chen, Y., Lin, Z., Wang, X., Chen, J.H.: Automatic policy generation for inter-service access control of microservices. In: USENIX Security 21. USENIX Association (2021)
Nehme, A., Jesus, V., Mahbub, K., Abdallah, A.: Fine-grained access control for microservices. In: Zincir-Heywood, N., Bonfante, G., Debbabi, M., Garcia-Alfaro, J. (eds.) FPS 2018. LNCS, vol. 11358, pp. 285–300. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-18419-3_19
Opyrchal, L., Cooper, J., Poyar, R., Lenahan, B., Daniel, Z.: Bouncer: policy-based fine grained access control in large databases. IJSIA 5(2), 1–16 (2011)
Osman, A., Bruckner, P., Salah, H., Fitzek, F.H.P., Strufe, T., Fischer, M.: Sandnet: towards high quality of deception in container-based microservice architectures. In: IEEE ICC (2019)
Parducci, B., Lockhart, H.: Extensible access control markup language (XACML) version 3.0. Standard, OASIS (2013)
Pereira-Vale, A., Fernandez, E.B., Monge, R., Astudillo, H., Márquez, G.: Security in microservice-based systems: a multivocal literature review. Comput. Secur. 103, 102200 (2021)
Preuveneers, D., Joosen, W.: Towards multi-party policy-based access control in federations of cloud and edge microservices. In: IEEE Euro S&PW (2019)
Ranjbar, A., Komu, M., Salmela, P., Aura, T.: Synaptic: secure and persistent connectivity for containers. In: IEEE/ACM CCGRID (2017)
Ravichandiran, R., Bannazadeh, H., Leon-Garcia, A.: Anomaly detection using resource behaviour analysis for autoscaling systems. In: NetSoft and Workshops (2018)
Richardson, C.: Microservices Patterns. Manning Publications Co. (2018)
Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending query rewriting techniques for fine-grained access control. In: Proceedings of SIGMOD 2004. ACM (2004)
Samarati, P., de Vimercati, S.C.: Access control: policies, models, and mechanisms. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 137–196. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45608-2_3
Sandall, T.: Partial evaluation. https://blog.openpolicyagent.org/partial-evaluation-162750eaf422
Sandhu, R.S.: Lattice-based access control models. Computer 26(11), 9–19 (1993)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)
ShuLin, Y., JiePing, H.: Research on unified authentication and authorization in microservice architecture. In: IEEE ICCT (2020)
da Silva, M.S.L., de Oliveira Silva, F.F., Brito, A.: Squad: a secure, simple storage service for SGX-based microservices. In: LADC (2019)
Sun, Y., Nanda, S., Jaeger, T.: Security-as-a-service for microservices-based cloud applications. In: IEEE CloudCom (2015)
Taibi, T., Lenarduzzi, V., Pahl, C.: Architectural patterns for microservices: a systematic mapping study. In: Proceedings of CLOSER. SciTePress (2018)
Torkura, K.A., Sukmana, M.I., Kayem, A.V., Cheng, F., Meinel, C.: A cyber risk based moving target defense mechanism for microservice architectures. In: IEEE BDCloud (2018)
Verhanneman, T., Piessens, F., De Win, B., Joosen, W.: Uniform application-level access control enforcement of organizationwide policies. In: ACSAC 2005 (2005)
Westkämper, T., Dijkstra, R., Tims, J., Bain, R.: Querydsl. http://www.querydsl.com/
Xu, Z., Stoller, S.D.: Mining attribute-based access control policies. IEEE TDSC 12(5), 533–545 (2015)
Zaheer, Z., Chang, H., Mukherjee, S., Van der Merwe, J.: Eztrust: network-independent zero-trust perimeterization for microservices. In: Proceedings of SOSR 2019. ACM (2019)
Zhang, G., Liu, J., Liu, J., et al.: Protecting sensitive attributes in attribute based access control. In: Ghose, A. (ed.) ICSOC 2012. LNCS, vol. 7759, pp. 294–305. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-37804-1_30
Keycloak. https://www.keycloak.org/
Rego. https://www.openpolicyagent.org/docs/latest/policy-language/
Open policy agent. https://www.openpolicyagent.org/
Spring boot. https://spring.io/projects/spring-boot
Spring data. https://spring.io/projects/spring-data
Spring cloud gateway. https://spring.io/projects/spring-cloud-gateway
Acknowledgement
We would like to thank the R&D team from Xenit Solutions NV and Paul C. Warren for their insightful discussions and contribution to the prototype.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Sauwens, M., Heydari Beni, E., Jannes, K., Lagaisse, B., Joosen, W. (2021). ThunQ: A Distributed and Deep Authorization Middleware for Early and Lazy Policy Enforcement in Microservice Applications. In: Hacid, H., Kao, O., Mecella, M., Moha, N., Paik, Hy. (eds) Service-Oriented Computing. ICSOC 2021. Lecture Notes in Computer Science(), vol 13121. Springer, Cham. https://doi.org/10.1007/978-3-030-91431-8_13
Download citation
DOI: https://doi.org/10.1007/978-3-030-91431-8_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91430-1
Online ISBN: 978-3-030-91431-8
eBook Packages: Computer ScienceComputer Science (R0)