Future Internet  /  Vol: 9 Par: 4 (2017)  /  Article

Access Control with Delegated Authorization Policy Evaluation for Data-Driven Microservice Workflows

Davy Preuveneers and Wouter Joosen    

Abstract

Microservices offer a compelling competitive advantage for building data flow systems as a choreography of self-contained data endpoints that each implement a specific data processing functionality. Such a "single responsibility principle" design makes them well suited for constructing scalable and flexible data integration and real-time data flow applications. In this paper, we investigate microservice based data processing workflows from a security point of view, i.e., (1) how to constrain data processing workflows with respect to dynamic authorization policies granting or denying access to certain microservice results depending on the flow of the data; (2) how to let multiple microservices contribute to a collective data-driven authorization decision and (3) how to put adequate measures in place such that the data within each individual microservice is protected against illegitimate access from unauthorized users or other microservices. Due to this multifold objective, enforcing access control on the data endpoints to prevent information leakage or preserve one's privacy becomes far more challenging, as authorization policies can have dependencies and decision outcomes cross-cutting data in multiple microservices. To address this challenge, we present and evaluate a workflow-oriented authorization framework that enforces authorization policies in a decentralized manner and where the delegated policy evaluation leverages feature toggles that are managed at runtime by software circuit breakers to secure the distributed data processing workflows. The benefit of our solution is that, on the one hand, authorization policies restrict access to the data endpoints of the microservices, and on the other hand, microservices can safely rely on other data endpoints to collectively evaluate cross-cutting access control decisions without having to rely on a shared storage backend holding all the necessary information for the policy evaluation.
