Security Analysis of Microservice Choices

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Security research is beneficial for companies that want their system protected against threats to their business. The focus of this project is on security considerations, specifically those that arise when companies want to evaluate the benefits of extracting microservices from their monolithic system. The problem with this task is that extracting microservices has potential effects on security. Changing a system's design could lead to potential security risks which need to be considered. This type of problem is at a high difficulty level because of the amount of abstraction and research required to analyze the system regarding the security aspect. Since the problem requires abstractions and analysis of the system both pre- and post-extraction, it also becomes a big task to complete. The problem is solved with threat modeling, by using the National Institute of Standards and Technology guidelines, and by measuring the Common Misuse Scoring System scores and Return Of Security Investment costs. The results show an increase in security by allowing a function to become a microservice. The increase mainly came from how access changes with the extracted service. The result also showcased that movements towards the cloud meant more security regarding access when compared to the system before a microservice was extracted, the reasoning being that cloud services could provide more access control surface for functions. With the results, the host company and companies with similar software architecture can see how a function will affect security if extracted into a microservice. Further research should be conducted upon a larger pool of microservices. These should then be examined to see if the trend of security increase keeps occurring. The results can be further examined with penetration testing, which puts more practical work upon the theoretical work that was done in this thesis. The research also showcases the adaptability of the National Institute of Standards and Technology guide's steps and how similar research regarding security comparisons can be made.
