Application Access Control in a Microservices World

Identity and Access Control

Identity and Access Control (IAM) is the part of security that constrains the actions that subjects can perform on resources in a system. A subject represents a human, a machine or a process that has access to a system. Resources represent objects that are manipulated by a system, eg: listings, invoices etc… Actions represent operations on resources that are manipulated by a system.

IAM as a problem can be decomposed into the following subproblems:

• Authentication: ensuring that a subject effectively represents who it claims to represent. For example: a human user can be authenticated by verifying the combination of a username and a password.
• Authorisation: controlling which actions can be performed on which resources by authenticated subjects. For example: permitting or preventing a user from editing a specific listing.
• Accounting: recording of the access control decisions and the actions that authenticated subjects performed on resources.

Each one of the above subproblems can also be further decomposed considering the concerns of management and execution.

Problem relevance and complexity

Protection of customers, systems, personal identifiable information

Complex relationships, fine granularity, flexibility/dynamism in the context (team arrangements, new services etc)

Design challenges and goals for microservices

Distributed architecture: performance, currency, where should rules be defined?

Reference Architecture

Reference Architecture (separation of concerns: information, decision, enforcement)

The Expressiveness Problem

Solution: ABAC, Policies (defined by Business)