Towards Secure Management of Edge-Cloud IoT Microservices using Policy as Code
Samodha Pallewatta, Muhammad Ali Babar

TL;DR
This paper presents a Policy-as-Code framework for secure management of IoT microservices across edge and cloud environments, leveraging cloud-native tools to enforce security policies during microservice lifecycle operations.
Contribution
It introduces an architectural framework that integrates Policy-as-Code with cloud-native technologies for scalable, secure microservice management in multi-domain edge-cloud IoT applications.
Findings
Framework effectively enforces security policies across distributed microservices.
Prototype demonstrates compatibility with Docker, Kubernetes, Istio, and Open Policy Agent.
Evaluation confirms improved security management in IoT edge-cloud environments.
Abstract
IoT application providers increasingly use MicroService Architecture (MSA) to develop applications that convert IoT data into valuable information. The independently deployable and scalable nature of microservices enables dynamic utilization of edge and cloud resources provided by various service providers, thus improving performance. However, IoT data security should be ensured during multi-domain data processing and transmission among distributed and dynamically composed microservices. The ability to implement granular security controls at the microservices level has the potential to solve this. To this end, edge-cloud environments require intricate and scalable security frameworks that operate across multi-domain environments to enforce various security policies during the management of microservices (i.e., initial placement, scaling, migration, and dynamic composition), considering…
Taxonomy
Topics: IoT and Edge/Fog Computing · Software System Performance and Reliability · Software-Defined Networks and 5G
