search menu icon-carat-right cmu-wordmark

Microservices: Confidentiality Hates Decoupling

May 2019 Presentation
Jawad Damir (Jordan University of Science and Technology)

This presentation considers the confidentiality issues associated with the microservices architecture and proposes countermeasures to prevent or mitigate their impact.

Publisher:

Software Engineering Institute

Watch

Abstract

Despite the benefits of microservices, this architecture has introduced some security challenges. In my talk, I will focus on the confidentiality issues associated with this contemporary architecture. My point is that microservices architecture could introduce major insider threats to data confidentiality.

First, being authorized to call a web service does not necessarily grant the user the right to request the data of any resource. Users shall always use the web services for the best interest of businesses and customers. Imagine a hospital web application that uses the microservices architecture to implement the backend web services. One web service could be responsible for returning patients’ confidential data, such as full name, address, phone number, and picture. Such a web service is needed in several places of the application. As microservices are decoupled, it would be difficult for this web service to distinguish between legitimate and illegitimate requests. As a result, a data breach could happen. Using coarse-grained web services, however, mitigates the impact of this threat. This is because each user will have access to a limited subset of the confidential data. Access to confidential data is controlled by the user’s permissions to each hospital software module.

In my talk, I will discuss this security issue, and I will propose some security countermeasures to prevent or mitigate its impact in the applications that use microservices architecture.