Integrating reactive cloud applications in SERECA

Abstract

A consolidated trend in designing cloud-based applications is to make use of a reactive microservice architecture, which allows to divide an application in several well-partitioned software units with specific responsibilities. Such an architecture perfectly' fits in cloud environments, ensuring a number of advantages (i.e. high availability and scalability, ease of deployment and development). However, the new way of designing cloud applications introduces challenging security threats. Besides the difficulty in monitoring security of the overall distributed application, an important aspect of concern relates to the risk of break the chain of trust established among the different microservices belonging to the application. That is, a compromised single microservice may bring down the other related ones. In this paper, we present the approach pursued in the context of SERECA1 project to secure microservice based applications. We leveraged the new extension of Intel's CPU, namely Software Guard extension (SGX), to enhance the security of applications using Eclipse Vert.x, the tool-kit for building reactive cloud applications. We developed an infrastructure composed by several SGX-enabled facilities (e.g. Database, Containers, Coordination Services) to support the process of integration between Intel SGX and micro-service applications. Our platfonn has been, then, validated through two use cases that made use of the developed secure facilities, i.e., a Critical Infrastructure (CI) monitoring application - having strong requirements in terms of data integrity - And an application for performance analysis of cloud-based services where the confidentiality of data is of main interest.