Enforcing Least-Privilege for Cloud Orchestrators
Today’s cloud applications increasingly rely on third-party workload orchestration services that assist with provisioning of cloud resources. Unfortunately, such services require users to hand over their cloud credentials. An attacker who compromises a workload orchestrator can therefore access sensitive data and code in the user’s cloud deployment.
Skydentity solves this problem with request permissions, which decouple the permission to manage resources from the permission to access resources. To do so without cooperation from cloud providers, we implement Skydentity as a proxy that interposes on workload orchestrator requests to cloud providers, checks them against user-provided policies, and provides credentials only to authorized requests. Using a design inspired by capability-oriented authorization, Skydentity restricts the operations a workload orchestrator can perform to those pre-authorized by a user policy, and always prevents the workload orchestrator from accessing user credentials.
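The following is an added illustration of the proxy design described above; it is not Skydentity's code and makes several simplifying assumptions: a small glob-based policy language, invented action names such as `compute.instances.create`, an HMAC over the user's credential as a stand-in for a provider-issued scoped token, and a constructed fake cloud API in place of a real one. The orchestrator only ever talks to `CredentialProxy.handle`; the long-lived credential stays inside the proxy, a request is forwarded only if a policy rule matches it, and the token minted for an approved request is bound to that request's action, region and resource so it cannot be reused to read data elsewhere.

```python
"""Policy-checking credential proxy in the style of Skydentity's request
permissions.  Added example, not the project's code; the policy language,
action names, token format and cloud API below are assumptions."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class CloudRequest:
    action: str      # assumed naming, e.g. "compute.instances.create"
    region: str
    resource: str    # e.g. "instances/skypilot-worker-1"
    params: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    actions: tuple          # glob patterns on action names
    regions: tuple
    resource: str           # glob pattern on the resource path
    constraints: dict = field(default_factory=dict)  # param -> allowed values

    def matches(self, req):
        if not any(fnmatchcase(req.action, a) for a in self.actions):
            return False
        if req.region not in self.regions or not fnmatchcase(req.resource, self.resource):
            return False
        # Every constrained parameter must be present and within its allowed set
        # (a missing parameter fails closed).
        return all(req.params.get(k) in v for k, v in self.constraints.items())


class RequestPolicy:
    """Default-deny allow list: a request is authorized iff some rule matches."""
    def __init__(self, rules):
        self.rules = list(rules)

    def authorize(self, req):
        for rule in self.rules:
            if rule.matches(req):
                return True, f"allowed by rule for {rule.resource}"
        return False, f"no rule permits {req.action} on {req.resource}"


def mint_scoped_token(root_credential, req, ttl=300, now=None):
    """Stand-in for a provider scoped token: an HMAC under the user's long-lived
    credential that binds action, region, resource and an expiry time."""
    exp = int(now or time.time()) + ttl
    scope = json.dumps([req.action, req.region, req.resource, exp])
    mac = hmac.new(root_credential, scope.encode(), hashlib.sha256).hexdigest()
    return {"scope": scope, "mac": mac}


class FakeCloud:
    """Constructed stand-in for the provider API: accepts a call only if the
    scoped token is genuine, unexpired and bound to exactly this request."""
    def __init__(self, root_credential):
        self.root = root_credential
        self.calls = []

    def call(self, req, token, now=None):
        expected = hmac.new(self.root, token["scope"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return {"status": 401, "error": "bad token"}
        action, region, resource, exp = json.loads(token["scope"])
        if (action, region, resource) != (req.action, req.region, req.resource) \
                or exp < int(now or time.time()):
            return {"status": 403, "error": "token not valid for this request"}
        self.calls.append(req)
        return {"status": 200, "result": f"{req.action} {req.resource} ok"}


class CredentialProxy:
    """Interposes between orchestrator and cloud.  The orchestrator never sees
    root_credential or the minted token, only the cloud's response."""
    def __init__(self, policy, root_credential, cloud):
        self.policy, self.root, self.cloud = policy, root_credential, cloud

    def handle(self, req):
        ok, reason = self.policy.authorize(req)
        if not ok:
            return {"status": 403, "error": reason}       # cloud is never contacted
        token = mint_scoped_token(self.root, req)
        resp = self.cloud.call(req, token)
        # Defensive: never echo token material back to the orchestrator.
        return {k: v for k, v in resp.items() if k not in ("scope", "mac")}


# Constructed sample policy: the orchestrator may create "skypilot-*" VMs of two
# approved sizes in one region, inspect or delete them, and write log objects,
# but has no rule permitting it to read user data.
USER_POLICY = RequestPolicy([
    Rule(("compute.instances.create",), ("us-west-2",), "instances/skypilot-*",
         {"machine_type": {"n2-standard-4", "n2-standard-8"}}),
    Rule(("compute.instances.get", "compute.instances.delete"), ("us-west-2",),
         "instances/skypilot-*"),
    Rule(("storage.objects.create",), ("us-west-2",), "buckets/user-logs/*"),
])
ROOT_CREDENTIAL = b"constructed-root-credential-that-never-leaves-the-proxy"
CREATE_VM = CloudRequest("compute.instances.create", "us-west-2",
                         "instances/skypilot-worker-1", {"machine_type": "n2-standard-4"})
READ_DATA = CloudRequest("storage.objects.get", "us-west-2", "buckets/user-data/customers.csv")

if __name__ == "__main__":
    proxy = CredentialProxy(USER_POLICY, ROOT_CREDENTIAL, FakeCloud(ROOT_CREDENTIAL))
    print(proxy.handle(CREATE_VM))   # 200: managing the VM is pre-authorized
    print(proxy.handle(READ_DATA))   # 403: reading data is not
```

The two rules for instances are separate so that the `machine_type` constraint applies to creation without forcing `get` and `delete` requests to carry that parameter; keeping constraints fail-closed on missing parameters is what prevents an orchestrator from sidestepping a limit by simply omitting the field.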
Our prototype of Skydentity supports a range of typical workload orchestration use cases, such as job management, data management, and analytics, and imposes modest overheads. Added cost is 1.75 cents or less for a typical workload, and latency overheads are at most 3% for VM-based jobs and 20% for storage jobs on clouds that support scoped tokens.
Contributors
Samyu Yagati, Alec Li, Karthik Dharmarajan, Romil Bhardwaj, Sam Kumar, Raluca Popa, Malte Schwarzkopf, Ion Stoica