IoT application providers increasingly use MicroService Architecture (MSA) to develop applications that convert IoT data into valuable information. The independently deployable and scalable nature of microservices enables dynamic utilization of edge and cloud resources provided by various service providers, thus improving performance. However, IoT data security should be ensured during multi-domain data processing and transmission among distributed and dynamically composed microservices. The ability to implement granular security controls at the microservices level has the potential to solve this. To this end, edge-cloud environments require intricate and scalable security frameworks that operate across multi-domain environments to enforce various security policies during the management of microservices (i.e., initial placement, scaling, migration, and dynamic composition), considering the sensitivity of the IoT data. To address the lack of such a framework, we propose an architectural framework that uses Policy-as-Code to ensure secure microservice management within multi-domain edge-cloud environments. The proposed framework contains a "control plane" to intelligently and dynamically utilise and configure cloud-native (i.e., container orchestrators and service mesh) technologies to enforce security policies. We implement a prototype of the proposed framework using open-source cloud-native technologies such as Docker, Kubernetes, Istio, and Open Policy Agent to validate the framework. Evaluations verify our proposed framework's ability to enforce security policies for distributed microservices management, thus harvesting the MSA characteristics to ensure IoT application security needs.

翻译：物联网应用提供商日益采用微服务架构（MSA）开发将物联网数据转化为有价值信息的应用程序。微服务独立可部署和可扩展的特性使其能够动态利用不同服务提供商提供的边缘与云端资源，从而提升性能。然而，在分布式且动态组合的微服务之间进行跨域数据处理与传输时，必须确保物联网数据的安全性。在微服务层面实施细粒度安全控制的能力有望解决这一问题。为此，边缘-云环境需要复杂且可扩展的安全框架，该框架需在考虑物联网数据敏感性的前提下，在微服务管理（即初始部署、扩缩容、迁移及动态组合）过程中跨多域环境执行各类安全策略。针对此类框架的缺失，本文提出一种采用策略即代码的架构框架，以确保多域边缘-云环境中的微服务安全管理。该框架包含一个“控制平面”，用于智能动态地利用和配置云原生技术（如容器编排器与服务网格）以实施安全策略。我们使用Docker、Kubernetes、Istio及Open Policy Agent等开源云原生技术实现了该框架的原型系统以进行验证。评估结果证实了所提框架能够为分布式微服务管理执行安全策略，从而充分发挥MSA特性以满足物联网应用的安全需求。