Towards Secure and Leak-Free Workflows Using Microservice Isolation

by   Loïc Miller, et al.

Data leaks and breaches are on the rise. They result in huge losses of money for businesses like the movie industry, as well as a loss of user privacy for businesses dealing with user data like the pharmaceutical industry. Preventing data exposures is challenging, because the causes for such events are various, ranging from hacking to misconfigured databases. Alongside the surge in data exposures, the recent rise of microservices as a paradigm brings the need to not only secure traffic at the border of the network, but also internally, pressing the adoption of new security models such as zero-trust to secure business processes. Business processes can be modeled as workflows, where the owner of the data at risk interacts with contractors to realize a sequence of tasks on this data. In this paper, we show how those workflows can be enforced while preventing data exposure. Following the principles of zero-trust, we develop an infrastructure using the isolation provided by a microservice architecture, to enforce owner policy. We show that our infrastructure is resilient to the set of attacks considered in our security model. We implement a simple, yet realistic, workflow with our infrastructure in a publicly available proof of concept. We then verify that the specified policy is correctly enforced by testing the deployment for policy violations, and estimate the overhead cost of authorization.



There are no comments yet.


page 28

page 29


A Distributed Trust Framework for Privacy-Preserving Machine Learning

When training a machine learning model, it is standard procedure for the...

Decentralised Trust for the Digital Economy

We propose a research initiative to explore and evaluate end-user techno...

5G Network Slice Isolation

This article reveals an adequate comprehension of basic defense, securit...

Need for Critical Cyber Defence, Security Strategy and Privacy Policy in Bangladesh - Hype or Reality?

Cyber security is one of the burning issues in modern world. Increased I...

Design choices for productive, secure, data-intensive research at scale in the cloud

We present a policy and process framework for secure environments for pr...

5G Network Slice Isolation with WireGuard and Open Source MANO: A VPNaaS Proof-of-Concept

The fifth-generation (5G) mobile networks aim to host different types of...

Understanding TEE Containers, Easy to Use? Hard to Trust

As an emerging technique for confidential computing, trusted execution e...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.