A Fully Decentralized Architecture for Access Control Verification in Serverless Environments

Serverless computing is a novel paradigm that has been widely adopted, in recent years, across many sectors due to its fine-grained scalability and fast time-to-market. This paradigm aims at offloading users from heavy burden tasks including those related to authentication and authorization. However, existing security mechanisms provided by cloud providers do not seem to be adequate to completely secure serverless platforms. In particular, typical access control solutions rely either on centralized authorization services or implement access control verification within the business logic. These approaches respectively degrade system performance and lead to security issues derived from the tight coupling among code and authorization verification. In this paper, we present a solution to address these problems with a fully decentralized architecture integrating access control verification in serverless environments. We implemented a prototype of the proposed architecture and evaluated its performance under different load conditions. Experiments show that our proposal outperforms other approaches.