Microservice architectures decompose web applications into loosely-coupled, distributed components that interact with each other to provide an overall service. While this popular software architecture paradigm has many advantages in development and deployment, it also introduces a wider attack surface that is vulnerable to both internal and external attackers. Potentially malicious third-party services or software packages, as well as increased communication endpoints, introduce a wide array of security concerns. To improve the resiliency of microservice-based applications, many of which store sensitive data, we propose a novel, path-based anomaly detection and access control infrastructure that requires no modifications to existing software. We propose leveraging trusted proxies deployed alongside each service for request inspection, anomaly detection and signed token propagation for end-user path validation. Our approach moves the trusted computing base away from the microservices to a smaller set of components, which requires less trust and presents a smaller attack surface.
Meadows, C., Hounsinou, S., Wood, T., & Bloom, G. (2023). Sidecar-based Path-aware Security for Microservices. In Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT (pp. 157–162). Association for Computing Machinery. https://doi.org/10.1145/3589608.3594742