A RISK-ADAPTIVE ACCESS CONTROL MODEL FOR THE SERVICE MESH IN A MICROSERVICES ARCHITECTURE

Abstract

Cloud computing has transformed our lives by enabling applications to be deployed at scale, allowing a broad range of customers to access services seamlessly. However, as cloud computing has evolved, several challenges have emerged, such as meeting high customer demands while maintaining system stability and scalability. As a result, the cloud community introduced cloud-native computing in 2015, enabling applications to be scaled efficiently to meet customers’ demands. The microservices architecture (MSA) is a key enabler of cloud-native application development. It allows developers to build an application's components loosely and independently as microservices (also referred to as services). Following and applying the MSA architecture has many benefits, such as a failure within a microservice may not affect the entire deployed MSA application. For example, a failure in the temperature display microservice functionality does not affect the core functionalities of other microservices, such as map navigation. The map navigation microservice will still operate without temperature data. As a result, an MSA application becomes more resilient to failure. However, MSA introduces challenges in securing communication between microservices where orchestration solutions cannot ensure secure communications. A rogue microservice could act as a backdoor, compromising other microservices within the MSA application after initial authentication and authorization at deployment. Thus, service mesh technology was introduced as an infrastructure layer within an orchestration solution in 2017 to handle robust security, such as secure microservices-to-microservices communication with features like mutual TLS. Nevertheless, the current service mesh solutions are not mature yet and still rely on static AC policies set at deployment. In addition, these static policies operate with implicit trust between microservices, which do not adapt to changes in response to the trustworthiness of microservice. As a result, the service mesh limits its ability to detect compromised microservices at runtime, requires manual AC policy updates, and creates security gaps. A dynamic AC model for the service mesh is crucial to continuously assess the trustworthiness of microservices based on their behavior and vulnerability posture to align with the Zero Trust (ZT) principle of “never trust, always verify.” Additionally, any proposed dynamic AC model for the service mesh must not only offer dynamic and adaptive AC policies but also address the research gap in service mesh in the lack of capabilities such as sharing threat intelligence and enforcing automated microservice owner compliance requirements at runtime. These capabilities are essential for continuous monitoring and adaptive security responses for MSA applications at runtime. To dynamically adjust AC policies at runtime based on the trustworthiness of microservices, this research introduces the Service Mesh risk-Adaptive Access Control (SMAAC). SMAAC consists of three components: (1) Runtime Trust Evaluator (RTE) that assigns a trust metric (TM) to all microservices based on their behaviors and vulnerabilities; (2) Threat Intelligence Sharing (TIS) that shares TM values and vulnerability reports of all microservices; and (3) Access Policy Generation (APG) that creates dynamic AC policies when the TM of a microservice falls below a compliant threshold. Evaluated on three research MSA applications μBench, Lakeside Mutual, and Train Ticket, SMAAC effectively shows an adaptive mechanism for creating compliant AC policies to secure the operations of microservices and reduce security risks.