Challenges of Authentication and Authorization in Service-to-Service Communication in Microservice Architectures

  • Lis Araújo CESAR School
  • Edwin Marinho CESAR School

Abstract


In recent years the use of microservices has emerged as an alternative to the monolithic architecture, owing to the several benefits this new approach offers. However, this transition has brought security challenges with it. This research aims to understand the main challenges faced and the solutions adopted in the context of authentication and authorization in microservices. To that end, 21 studies were evaluated; they revealed the main problems and a range of solutions for mitigating them, such as the use of JSON Web Tokens (JWT), OAuth 2.0, the mTLS protocol (Mutual Transport Layer Security), the Role-Based Access Control model (RBAC), OpenID Connect, Single Sign-On (SSO) and API Gateways.
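Two of the mechanisms the abstract names, JWT for service-to-service authentication and RBAC for authorization, are illustrated below by an added example that is not part of the paper or of any of the studies it reviews. It hand-rolls an HS256 JWT with a shared secret (so it runs with the standard library alone) and uses constructed service names, roles and policy; the issuer, verifier and `handle_request` flow are hypothetical, not any library's API. The receiving service pins the algorithm, verifies the HMAC in constant time, checks audience and expiry, and only then consults the role policy.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example only; a real deployment would
# load it from a secrets manager and rotate it, never hard-code it.
SHARED_SECRET = b"constructed-example-secret-not-for-production"

# Constructed RBAC policy: operation -> roles allowed to invoke it.
RBAC_POLICY = {
    "orders:read": {"order-reader", "order-writer"},
    "orders:write": {"order-writer"},
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: list, audience: str,
                ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT naming the calling service, its roles, the target
    service (aud) and a short expiry. Hypothetical issuer, not a library API."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "roles": roles,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, expected_audience: str, now: Optional[int] = None) -> dict:
    """Authenticate the caller: pin the algorithm, check the HMAC in constant
    time, then check audience and expiry. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_audience:  # token was minted for another service
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, operation: str) -> bool:
    """RBAC decision: grant if any role carried by the token is allowed the operation."""
    allowed = RBAC_POLICY.get(operation, set())
    return any(role in allowed for role in claims.get("roles", []))


def handle_request(token: str, operation: str, now: Optional[int] = None) -> str:
    """Receiving service (constructed name 'inventory-service'): authenticate,
    then authorize, and report the outcome as an HTTP-style status line."""
    try:
        claims = verify_token(token, expected_audience="inventory-service", now=now)
    except ValueError as exc:
        return f"401 {exc}"
    if not authorize(claims, operation):
        return "403 forbidden"
    return f"200 {claims['sub']} may {operation}"


if __name__ == "__main__":
    tok = issue_token("order-service", ["order-writer"], "inventory-service", now=1000)
    print(handle_request(tok, "orders:write", now=1100))
    print(handle_request(tok, "orders:write", now=1400))
```

The `now` parameter exists only so expiry can be exercised deterministically; in service code it would be the clock. Separating `verify_token` (who is calling) from `authorize` (what they may do) keeps the two concerns the abstract distinguishes, authentication and authorization, independently testable, and the audience check stops a token issued for one service from being replayed against another.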

Published
18/09/2023
ARAÚJO, Lis; MARINHO, Edwin. Desafios da Autenticação e Autorização na Comunicação entre Serviços em Arquiteturas de Microsserviços. In: WORKSHOP DE TRABALHOS DE INICIAÇÃO CIENTÍFICA E DE GRADUAÇÃO - SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 23., 2023, Juiz de Fora/MG. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023. p. 153-164. DOI: https://doi.org/10.5753/sbseg_estendido.2023.234292.