Core Concepts
This paper proposes a novel approach for integrating advanced privacy techniques, such as data minimization and purpose limitation, into the high-performance gRPC framework for microservice communication in a configurable and extensible manner.
Abstract
The paper presents a general approach and a proof-of-concept implementation for integrating privacy techniques into gRPC-based microservice communication. The key highlights are:
Motivation: Microservice architectures and gRPC are widely adopted, but lack advanced privacy techniques beyond basic transport encryption and authentication. This is problematic for fulfilling regulatory requirements around data minimization and purpose limitation.
Approach: The authors propose a server-side middleware solution implemented as a gRPC response interceptor. It separates the Policy Administration Point (PAP) and Policy Decision Point (PDP) from the Policy Enforcement Point (PEP) to minimize performance overhead. JSON Web Tokens (JWTs) are used to securely exchange access policy decisions between services.
Implementation: The authors implement the PAP/PDP and PEP components in Go. The PEP interceptor applies various data minimization techniques (suppression, generalization, noising, reduction) based on the access policy retrieved from the JWT.
Evaluation: A preliminary performance evaluation in a food delivery microservice scenario shows that the approach introduces reasonable overhead in both latency and throughput, and that the choice of data minimization technique strongly influences the size of that overhead.
Limitations and Future Work: The authors identify areas for improvement, such as advanced purpose-based access control, support for streaming communication, and extension of data minimization techniques. Further performance assessments are also proposed.
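The PEP minimization step described under Approach and Implementation, as an added Go example that is not the paper's proof-of-concept code. It assumes the PDP's decision has already been verified and extracted from the JWT into a field-to-technique map, represents the decoded response as a flat map, and picks its own concrete parameters for each technique.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Policy holds the per-field decision a PDP would carry in the JWT claims
// (layout is an assumption): "suppress", "generalize", "noise" or "reduce".
type Policy map[string]string

// Record stands in for a decoded gRPC response message as a flat field map.
type Record map[string]any

// Minimize is the PEP step of a response interceptor: it returns a minimized
// copy of rec according to pol and leaves the original untouched.
func Minimize(rec Record, pol Policy, rng *rand.Rand) Record {
	out := make(Record, len(rec))
	for k, v := range rec {
		if mv, keep := apply(pol[k], v, rng); keep {
			out[k] = mv
		}
	}
	return out
}

// apply implements the four techniques; the concrete parameters (bucket width
// 10, uniform noise in [-1,1], 2 decimals, 3 characters) are assumptions.
func apply(technique string, v any, rng *rand.Rand) (any, bool) {
	f, isNum := v.(float64)
	s, isStr := v.(string)
	switch {
	case technique == "suppress":
		return nil, false // field is dropped from the response entirely
	case technique == "generalize" && isNum:
		lo := int(math.Floor(f/10)) * 10
		return fmt.Sprintf("%d-%d", lo, lo+9), true // e.g. 34 -> "30-39"
	case technique == "noise" && isNum:
		return f + (rng.Float64()*2 - 1), true
	case technique == "reduce" && isNum:
		return math.Round(f*100) / 100, true
	case technique == "reduce" && isStr && len([]rune(s)) > 3:
		return string([]rune(s)[:3]), true
	}
	return v, true // unknown technique or unsupported type: pass through
}
```

Wiring Minimize into a real gRPC unary interceptor means decoding the response message into the Record, calling Minimize after the handler returns, and re-encoding before the reply leaves the server.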
Overall, the paper presents a viable solution for integrating advanced privacy techniques into real-world gRPC-based microservice architectures, enabling regulatory compliance "by design".