Exploring Microservice Security
Abstract
Due to the rapid transition towards a digitalized society and extended reliance on interconnected digital systems, computer security is a field of growing importance. Software that we build should be secure, resilient and reliable both against accidents and targeted attacks. The microservice architecture, or concisely microservices, is a recent trend in software engineering and system design. Microservices are a way to build scalable and flexible distributed applications as a collection of loosely coupled services communicating over a network. In this thesis, we study the microservice architectural style from a security perspective. The contributions are as follows. We show that microservice architecture has inherent security benefits in terms of isolation and diversity. We explore how these inherent security benefits of microservices can be improved even further by maximizing interface security, avoiding unnecessary node relationships, introducing asymmetric node strength, and using N-version programming. We design a taxonomy of microservice security giving an overview of the existing security threats and mitigations. In this thesis, we argue that the defense in depth principle should be adopted for microservices. We discuss several prominent microservice security trends in industry. Furthermore, we present an open source prototype security framework for microservices. We take the defense in depth principle even further by focusing our attention on the self-protection and adaptive security properties. Also, we propose an architecture of an automated intrusion response system for microservices that uses a game-theoretic approach. Finally, we analyze the security properties of the REST style, the most typical microservice integration solution.
Has parts
Paper I: Tetiana Yarygina, Anya Helene Bagge, Overcoming Security Challenges in Microservice Architectures, In: 12th IEEE Symposium on Service-Oriented System Engineering. SOSE 2018. pp.11-20. https://doi.org/10.1109/sose.2018.00011
Paper II: Christian Otterstad, Tetiana Yarygina, Low-Level Exploitation Mitigation by Diverse Microservices, In: De Paoli F., Schulte S., Broch Johnsen E. (eds) 6th European Conference on Service-Oriented and Cloud Computing. ESOCC 2017. Lecture Notes in Computer Science, vol 10465, pp.49-56. Springer, Cham, https://doi.org/10.1007/978-3-319-67262-5_4
Paper III: Tetiana Yarygina, Christian Otterstad, A Game of Microservices: Automated Intrusion Response, In: Bonomi S. and Rivière E. (eds) 18th IFIP International Conference on Distributed Applications and Interoperable Systems. DAIS 2018. Lecture Notes in Computer Science, vol 10853, pp.1–9. Springer. https://doi.org/10.1007/978-3-319-93767-0_12
Paper IV: Tetiana Yarygina, RESTful Is Not Secure, In: Batten L., Kim D., Zhang X., Li G. (eds) 8th International Conference on Applications and Techniques in Information Security. ATIS 2017. Communications in Computer and Information Science, vol 719, pp.141-153. Springer, Singapore. DOI: 10.1007/978-981-10-5421-1_12.