SEQUOIA: A Middleware Supporting Policy-Based Access Control for Search and Aggregation in Data-Driven Applications

“…The result set of this query is then passed back to Bouncer, which uses a postfilter to exclude any unauthorized records. However, postfiltering does not scale well for large result sets [3].…”

“…ThunQ is designed to efficiently enforce a consistent set of authorization policies on distributed application services and data. ThunQ combines partial policy evaluation [26] and query rewriting [2,3] to enforce authorization policies both early and lazily. Early enforcement denies unauthorized requests as soon as possible, while lazy enforcement pushes access decisions further down the distributed control flow.…”

“…Sequoia [3] combines the strengths of FGAC and Bouncer by rewriting database queries based on XACML policies. This approach results in low latency enforcement of expressive policies, even in systems with a large number of users.…”

“…However, these solutions require that sensitive data is brought outside of its microservice context. Other related work focuses on enforcing access control in application databases [3,16,24]. These solutions aim to restrict access by enforcing fine-grained authorization policies on the data records by either rewriting the original database query [3], defining authorization views [24] or by filtering database records after retrieving them from the database [16].…”

“…Other related work focuses on enforcing access control in application databases [3,16,24]. These solutions aim to restrict access by enforcing fine-grained authorization policies on the data records by either rewriting the original database query [3], defining authorization views [24] or by filtering database records after retrieving them from the database [16]. However, securing database access is only a part of the challenges to enforce a consistent set of authorization policies over a large number of microservices.…”

ThunQ: A Distributed and Deep Authorization Middleware for Early and Lazy Policy Enforcement in Microservice Applications

“…The result set of this query is then passed back to Bouncer, which uses a postfilter to exclude any unauthorized records. However, postfiltering does not scale well for large result sets [3].…”

“…ThunQ is designed to efficiently enforce a consistent set of authorization policies on distributed application services and data. ThunQ combines partial policy evaluation [26] and query rewriting [2,3] to enforce authorization policies both early and lazily. Early enforcement denies unauthorized requests as soon as possible, while lazy enforcement pushes access decisions further down the distributed control flow.…”

“…Sequoia [3] combines the strengths of FGAC and Bouncer by rewriting database queries based on XACML policies. This approach results in low latency enforcement of expressive policies, even in systems with a large number of users.…”

“…However, these solutions require that sensitive data is brought outside of its microservice context. Other related work focuses on enforcing access control in application databases [3,16,24]. These solutions aim to restrict access by enforcing fine-grained authorization policies on the data records by either rewriting the original database query [3], defining authorization views [24] or by filtering database records after retrieving them from the database [16].…”

“…Other related work focuses on enforcing access control in application databases [3,16,24]. These solutions aim to restrict access by enforcing fine-grained authorization policies on the data records by either rewriting the original database query [3], defining authorization views [24] or by filtering database records after retrieving them from the database [16]. However, securing database access is only a part of the challenges to enforce a consistent set of authorization policies over a large number of microservices.…”

ThunQ: A Distributed and Deep Authorization Middleware for Early and Lazy Policy Enforcement in Microservice Applications

Enforcement of separation of duty constraints in attribute-based access control

Data Synchronization Between MongoDB and Elasticsearch Using Monstache in Real-Time Data