
EP-4740121-A1 - METHOD FOR CHECKING AN ACCESSING OF ACCESS INFORMATION WITHIN A RUNTIME ENVIRONMENT, AND RUNTIME ENVIRONMENT SYSTEM, COMPUTER PROGRAM AND DATA CARRIER


Abstract

The invention relates to a method for checking an accessing of access information within a runtime environment (2), wherein a container entity (3, 7) can authenticate itself by means of at least one access information (5) in the runtime environment (2), the method comprising:
  - providing, by an orchestration unit (4), at least one access information (5),
  - assigning, by the orchestration unit (4), an access data guideline (6) to the access information (5),
  - assigning, by the orchestration unit (4), the access information (5) to at least one container entity (7),
  - detecting, by an anomaly detection unit (8), an accessing of the access information (5),
  - checking, by the anomaly detection unit (8), the detected accessing with respect to whether the detected accessing is performed by a container entity (7) assigned to the access information (5), and
  - if not: changing, by the orchestration unit (4), the one access information (5) on the basis of the corresponding access data guideline (6).
The invention also relates to a runtime environment system (1), to a computer program (14) and to an electronically readable data carrier (15).

Inventors

  • Knierim, Christian

Assignees

  • Siemens Aktiengesellschaft

Dates

Publication Date
20260513
Application Date
20240717

Claims (15)

  1. Method for checking access to access information within a runtime environment (2), wherein a container instance (3, 7) can authenticate itself in the runtime environment (2) by means of at least one access information (5), comprising:
     - providing at least one access information (5) by an orchestration unit (4) of the runtime environment (2),
     - assigning an access data policy (6) to the at least one access information (5) by the orchestration unit (4),
     - assigning the at least one access information (5) to at least one container instance (7) of the runtime environment (2) by the orchestration unit (4),
     - detecting at least one access to the at least one access information (5) by an anomaly detection unit (8),
     - checking the detected access by the anomaly detection unit (8) to determine whether the detected access is carried out by a container instance (7) associated with the at least one access information (5), and
     - if not: changing the at least one access information (5) on the basis of the corresponding access data policy (6) by the orchestration unit (4).
  2. The method according to claim 1, wherein the changed at least one access information (5) is provided to the container instance (7) affected by the changing of the at least one access information (5).
  3. Method according to claim 2, wherein the changed at least one access information (5) is transmitted to the container instance (7) and the container instance (7) is subsequently updated, wherein a monitoring function of the container instance (7) checks whether the changed at least one access information (5) could be updated in the container instance (7).
  4. The method according to claim 3, wherein if the update could not be carried out successfully, corresponding information is transmitted to the orchestration unit (4) and the orchestration unit (4) then changes the already changed access information (5) again, in particular the again changed access information (5) is transmitted to the container instance (7).
  5. Method according to one of the preceding claims, wherein the orchestration unit (4) checks whether further container instances (3) use the at least one access information (5) which is changed, and if so, the changed access information (5) is provided to these container instances (3).
  6. Method according to one of the preceding claims, wherein the access data policy (6) specifies which measures are to be carried out in the event of unauthorized access to the at least one access information (5).
  7. The method according to claim 6, wherein the measures include executing certain commands on a container instance (7) affected by the unauthorized access, sending certain instruction signals to a container instance (7) affected by the unauthorized access and/or reconfiguring a container instance (7) affected by the unauthorized access.
  8. Method according to one of the preceding claims, wherein the access data policy (6) determines which user or process is permitted to access the at least one access information (5), in particular wherein the access data policy (6) is taken into account when checking the detected access.
  9. Method according to one of the preceding claims, wherein, when checking the detected access, individual information concerning the container instance (7) associated with this access information (5) is provided to the anomaly detection unit (8).
  10. Method according to one of the preceding claims, wherein on the basis of the at least one access information item (5) and the container instances (3, 7) of the runtime environment (2), an anomaly rule set (9) is generated by the orchestration unit (4) and provided to the anomaly detection unit (8), wherein the anomaly rule set (9) is taken into account when checking the detected access.
  11. Method according to one of the preceding claims, wherein if it is determined during the checking of the detected access that the detected access is carried out by an unauthorized object, a corresponding warning signal is generated by the anomaly detection unit (8) and transmitted to the orchestration unit (4).
  12. The method according to claim 11, wherein a situation-adapted modification of the at least one access information item (5) is carried out by the orchestration unit (4) on the basis of the warning signal.
  13. Runtime environment system (1) with:
     - a runtime environment (2),
     - several container instances (3) which can authenticate themselves by accessing at least one access information (5) within the runtime environment (2),
     - an orchestration unit (4) for providing the at least one access information (5),
     - the orchestration unit (4) being designed to assign an access data policy (6) to the at least one access information (5),
     - the orchestration unit (4) being designed to assign the at least one access information (5) to at least one container instance (7),
     - an anomaly detection unit (8) for detecting at least one access to the at least one access information (5),
     - the anomaly detection unit (8) being designed to check the detected at least one access to determine whether the detected access is carried out by a container instance (7) associated with the at least one access information (5), and
     - the orchestration unit (4) being designed to change the at least one access information item (5) on the basis of the corresponding access data policy (6) if the detected access is not carried out by the container instance (7) assigned to the at least one access information item (5).
  14. Computer program (14) which can be loaded directly into a memory (13) of a control device (12) of a runtime environment system (1) according to claim 13, with program means for carrying out the steps of the method according to one of claims 1 to 12 when the program (14) is executed in the control device (12) of the runtime environment system (1).
  15. Electronically readable data carrier (15) with electronically readable control information stored thereon, which is designed such that when the data carrier (15) is used in a control device (12) of a runtime environment system (1) according to claim 13, it carries out a method according to one of claims 1 to 12.
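The following is an added example, not code from the patent or from the assignee: a small Python simulation of the procedure in claims 1 to 12. An orchestration unit provides a credential, attaches an access data policy, assigns the credential to container instances and derives an anomaly rule set from these assignments (claim 10); an anomaly detection unit checks each recorded access against that rule set and the policy's permitted user (claims 1 and 8), sends a warning for every anomalous access (claim 11), and the orchestrator then rotates the credential (claim 12), redistributes it to every instance that uses it (claim 5) and rotates once more if an instance reports that it could not apply the update (claims 3 and 4). The class names, credential names, policies and access log lines are all constructed for this example.

```python
"""Added example (not from the patent): simulation of the credential-access
check and policy-driven rotation of claims 1-12. Names and data are constructed."""
from dataclasses import dataclass, field
import secrets as _secrets


@dataclass(frozen=True)
class AccessPolicy:                        # access data policy (6)
    allowed_users: frozenset               # users/processes permitted to read it (claim 8)
    measures: tuple = ("rotate",)          # measures on unauthorized access (claims 6, 7)


@dataclass
class Container:                           # container instance (3, 7)
    name: str
    creds: dict = field(default_factory=dict)
    accepts_updates: bool = True           # outcome reported by its monitoring function (claim 3)

    def update(self, cred_id, value):
        if not self.accepts_updates:
            return False
        self.creds[cred_id] = value
        return True


class Orchestrator:                        # orchestration unit (4)
    def __init__(self):
        self.values = {}       # cred_id -> current credential value (5)
        self.policies = {}     # cred_id -> AccessPolicy (6)
        self.assignments = {}  # cred_id -> names of the instances assigned to it
        self.containers = {}
        self.rotations = []    # (cred_id, reason) for every change made

    def provide(self, cred_id, policy):    # claim 1: provide credential, assign policy
        self.values[cred_id] = _secrets.token_hex(8)
        self.policies[cred_id] = policy
        self.assignments[cred_id] = set()

    def assign(self, cred_id, container):  # claim 1: assign credential to an instance
        self.containers[container.name] = container
        self.assignments[cred_id].add(container.name)
        container.update(cred_id, self.values[cred_id])

    def rule_set(self):                    # anomaly rule set (9) handed to the detector (claim 10)
        return {c: (frozenset(self.assignments[c]), self.policies[c].allowed_users)
                for c in self.values}

    def handle_warning(self, cred_id, reason):   # claims 11, 12: react to a warning signal
        measures = self.policies[cred_id].measures
        if "rotate" in measures:
            self.rotate(cred_id, reason)
        return measures

    def rotate(self, cred_id, reason, retry=True):
        self.values[cred_id] = _secrets.token_hex(8)
        self.rotations.append((cred_id, reason))
        # claim 5: every instance using the credential receives the new value
        failed = sorted(n for n in self.assignments[cred_id]
                        if not self.containers[n].update(cred_id, self.values[cred_id]))
        if failed and retry:
            # claim 4: a failed update is reported and the credential is changed again
            return self.rotate(cred_id, "update-failed:" + ",".join(failed), retry=False)
        return failed                      # instances still holding a stale credential


class AnomalyDetector:                     # anomaly detection unit (8)
    def __init__(self, orchestrator):
        self.orch = orchestrator
        self.warnings = []                 # warning signals sent to the orchestrator (claim 11)

    def check(self, event):
        """Return None for a legitimate access, otherwise the reason it is anomalous."""
        assigned, allowed = self.orch.rule_set().get(event["cred"], (frozenset(), frozenset()))
        if event["container"] not in assigned:   # claim 1: accessor is not an assigned instance
            reason = "unassigned-container"
        elif event["user"] not in allowed:       # claim 8: policy restricts the reading user
            reason = "disallowed-user"
        else:
            return None
        self.warnings.append((event["cred"], reason))
        self.orch.handle_warning(event["cred"], reason)
        return reason


def parse_event(line):
    """Parse one constructed 'key=value' access record into a dict."""
    return dict(part.split("=", 1) for part in line.split())


# Constructed access records: legitimate read, read by root inside the assigned
# instance, read from an unassigned debug container, legitimate read of a second credential.
ACCESS_LOG = """\
cred=backend-pw container=edge-app user=app
cred=backend-pw container=edge-app user=root
cred=backend-pw container=debug-shell user=app
cred=mqtt-key container=broker-client user=app
"""


def run_demo():
    orch = Orchestrator()
    orch.provide("backend-pw", AccessPolicy(frozenset({"app"}), ("rotate", "reconfigure")))
    orch.provide("mqtt-key", AccessPolicy(frozenset({"app"})))
    edge, legacy, broker = Container("edge-app"), Container("legacy-app"), Container("broker-client")
    orch.assign("backend-pw", edge)
    orch.assign("backend-pw", legacy)      # second user of the same credential (claim 5)
    orch.assign("mqtt-key", broker)
    legacy.accepts_updates = False         # an instance that cannot apply later updates (claim 4)
    detector = AnomalyDetector(orch)
    verdicts = [detector.check(parse_event(line)) for line in ACCESS_LOG.splitlines()]
    return {"orch": orch, "detector": detector, "verdicts": verdicts,
            "containers": {"edge-app": edge, "legacy-app": legacy, "broker-client": broker}}
```

Running `run_demo()` yields verdicts `[None, 'disallowed-user', 'unassigned-container', None]` and four rotations of `backend-pw` (two triggered by warnings, two by the failed update of `legacy-app`), while `mqtt-key` is never changed. The instance that could not apply the update keeps its original value, which is exactly the stale-credential state claim 4 exists to surface.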

Description

Method for checking access to access information within a runtime environment, as well as runtime environment system, computer program and data carrier

The invention relates to a method for checking access to access information within a runtime environment, wherein a container instance can authenticate itself in the runtime environment by means of at least one piece of access information. Furthermore, the invention relates to a runtime environment system, a computer program and an electronically readable data carrier.

In container-based runtime environments, container instances are now created using an "image" or a container image and a "deployment" configuration, and resources of the underlying host or runtime environment are assigned to them. Resources can be specifically provided by an underlying runtime environment or by the host. In addition to hardware resources and software resources, it is common for individual instances or objects to authenticate themselves using access data such as SSH keys, private certificate keys or passwords within or outside the runtime environment. This access data can be managed, restricted or access-restricted by an orchestrator, a "secret management system" or a central secret management system. Access control is usually carried out using "role-based access control". The instance can authenticate itself to the secret management system using a token. The secret management system authorizes the request and grants access to the access data item or access data. Using the token, the instance can receive or "collect" the access data item. It is also conceivable that the orchestrator takes over access control and assigns the access data item to the instance using a dynamically generated "volume" or an environment variable. To prevent such access data from being compromised, it is primarily transmitted in encrypted form and/or its validity is limited.

One problem that cannot be solved in this way, however, is the case where an attacker is located directly on the runtime environment or the underlying device and is thus able to access the container instance, directly spy on the unprotected access data present within the instance and use it in another context. An application example here is a container-based industrial edge application, i.e. an application in a production or manufacturing line, which, for example, logs on to a backend system located outside the runtime environment using a unique password and for which no modern access mechanisms, such as restricted access tokens, can be used. The problem with this application example is that the password cannot be limited in time and, on the other hand, without access monitoring it cannot be ensured that other applications on the device, system users or attackers cannot access the data, so that the password may be read by an unauthorized entity.

In the current state of the art, for example, it is possible for an IAM system (Identity and Access Management system) to issue time-limited access tokens or certificates and to renew these if the requesting system requests this from the IAM system. The problem here is that both the requesting client and the target application must support the integration of the IAM system. For example, support for the "OAuth" procedure, which is usually used in web-based applications, can be used. There are also procedures in which certificates or access tokens are issued for a limited period of time and the "sidecar container", which carries out the authentication, requests the access tokens or certificates independently. The "sidecar container" is specifically a container instance that carries out "delivery work" for the actual container instance. For example, it carries out the authentication to other services transparently for the actual container instance.

There are also solutions that automatically rotate certificates and the associated keys. The rotation is controlled exclusively by the expiration date of the certificate, but not by suspicious access to the managed private key.

An object of the present invention is to make access to access information, such as access data, of a runtime environment more secure by detecting unauthorized access to such access information more efficiently. This object is achieved by a method, a runtime environment system, a computer program and an electronically readable data carrier according to the independent patent claims. Useful further developments arise from the dependent patent claims.

One aspect of the invention relates to a method for checking access to access information within a runtime environment, wherein a container instance can authenticate itself in the runtime environment by means of at least one access information, comprising:
  - in particular, providing at least one access information by an orchestration unit of the runtime environment,
  - in particular, assigning an access data policy to the at least one access information by the orchestration unit,