developer documentation v0.0.27
mimik Developer Documentation

Understanding the Runtime Security Framework

Purpose

The purpose of this document is to describe the security architecture of mim OE, particularly with regard to access permissions and data security.

Intended Readers

The intended readers of this document are software developers, system engineers, application architects, deployment and security personnel as well as other technical professionals who want to understand the details of mim OE Security Framework.

What You Will Learn from this Document

After reading this document, you will:

  • Understand the general security framework of the mimik ecosystem.
  • Understand how security tokens protect access to microservices on devices running the mim OE Runtime.
  • Understand how data is secured and protected during information exchanges between microservices in a mim OE cluster.

What You Need to Know Before You Start

In order to get the full benefit from reading this document, you need to have:

The Essentials of mim OE Security

The mim OE Runtime secures access to, and communication between, microservices by requiring a unique Access Token for every interaction with the edge Service Mesh, including discovery of mim OE enabled nodes and devices within a hybrid edge cloud. Once a node is discovered, the same Access Token is used to work with the microservices within that node.

Finally, all communication between microservices in a mimik enabled Hybrid edgeCloud takes place over encrypted data exchange channels. Encoding and decoding data between microservices is performed using the Access Token that is unique to the particular mim OE device.

Using Security Tokens to Access an Edge Microservice

The particulars of the Access Token are discussed in the Key Concepts section, Understanding mimik Tokens.

Understanding mim OE Data Encryption

As mentioned previously, all data exchanged between microservices is encrypted. Developers use the mim OE Context Object to decrypt data received from a microservice running under the mim OE Runtime. (The particulars of the mim OE Context Object are discussed in the Key Concepts section, Understanding the mim OE Context Object.)

The following code snippet shows how the mim OE Context Object is used to decrypt data:

  context.edge.decryptEncryptedNodesJson({
    type: 'local',   // cluster type
    data,            // encrypted payload received from an API running under the mim OE Runtime
    token,           // Access Token for this particular device
    success: function (result) {
      // result.data holds the decrypted JSON text; pretty-print it back to the caller
      response.end(JSON.stringify(JSON.parse(result.data), null, 2));
    },
    error: function (err) {
      // decryption failed (for example, a wrong token or corrupted data)
      response.end(err.message);
    }
  });

WHERE

  • type indicates the cluster type
  • data is the encrypted data received from an API running under the mim OE Runtime
  • token is the Access Token for the particular device
  • success is the JavaScript function that will process the decrypted data in result.data
  • error is the JavaScript function that will process an error that's raised when executing decryptEncryptedNodesJson

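The snippet above uses success/error callbacks. As an added example that is not part of the mimik documentation, the following wraps the same decryptEncryptedNodesJson call in a Promise, rejects a missing token before calling the runtime, and returns a generic error to the caller instead of echoing err.message. Because the mim OE runtime is not available here, fakeContext is a constructed stand-in for the Context Object, and EXPECTED_TOKEN and SAMPLE_DATA are constructed placeholder values.

```javascript
function decryptNodesJson(context, { type, data, token }) {
  return new Promise((resolve, reject) => {
    if (typeof token !== 'string' || token.length === 0) {
      return reject(new Error('access token is required')); // caller bug, never hit the runtime
    }
    context.edge.decryptEncryptedNodesJson({
      type,
      data,
      token,
      success: (result) => {
        try {
          resolve(JSON.parse(result.data)); // result.data is the decrypted JSON text
        } catch (e) {
          reject(new Error('decrypted payload is not valid JSON'));
        }
      },
      error: (err) => reject(err),
    });
  });
}

// Constructed stand-in for the mim OE Context Object (the real runtime is not
// available here). It accepts one placeholder token and "decrypts" by base64.
const EXPECTED_TOKEN = 'placeholder-access-token';
const fakeContext = {
  edge: {
    decryptEncryptedNodesJson({ data, token, success, error }) {
      if (token !== EXPECTED_TOKEN) return error(new Error('invalid access token'));
      success({ data: Buffer.from(data, 'base64').toString('utf8') });
    },
  },
};

// Constructed sample payload: base64 of '{"nodes":[{"id":"n1"}]}'.
const SAMPLE_DATA = Buffer.from('{"nodes":[{"id":"n1"}]}').toString('base64');

// Returns {status, body} rather than writing to a response object so the outcome
// can be inspected; a real handler would pass body to response.end().
async function handleNodesRequest(context, token) {
  try {
    const nodes = await decryptNodesJson(context, { type: 'local', data: SAMPLE_DATA, token });
    return { status: 200, body: JSON.stringify(nodes) };
  } catch (err) {
    // Log the detail locally; return a generic message instead of err.message.
    console.error('decrypt failed:', err.message);
    return { status: 400, body: 'unable to decrypt node data' };
  }
}
```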

© mimik technology, Inc. all rights reserved