Known networked services are susceptible to costly security risks such as data breaches, corruption, or service disruption. To prevent or mitigate such security risks, some known network infrastructures include layers of authentication and authorization (AuthNZ) systems to restrict access to protected resources. Deploying and maintaining layers of AuthNZ systems, however, may impose large management burdens on system administrators. Moreover, deploying and maintaining multiple AuthNZ systems increases opportunities to make configuration mistakes that might accidentally open security holes.
Even without any configuration mistakes, known AuthNZ systems leave their protected resources vulnerable to threat vectors such as network spoofing, leakage of long-lived credentials, or host compromise. Some known AuthNZ systems, for example, are deployed and managed individually, with little or no ability for cross-layer coordination. When network firewall rules and password authentication procedures are processed independently, a network firewall employing an “allow rule,” for example, may allow a client service presenting leaked credentials (e.g., credentials of another client service) to gain unauthorized access to protected resources on a destination service. Other shortcomings of known AuthNZ systems include the burden they impose on application developers to modify their source code, thereby limiting portability and increasing development and testing costs, and their limited or absent support for a wide range of application layer protocols, thereby failing to protect services using unsupported protocols.
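As an added illustration of the cross-layer coordination gap described above (example code, not part of the original text): a toy policy evaluator that contrasts independently evaluated firewall and credential checks with a coordinated check that binds each credential to the network location its owner is registered for. The client identifiers, subnets and tokens are constructed sample data.

```python
import hmac
import ipaddress

# Constructed sample configuration (not real networks or secrets).
# Firewall "allow rules": any source inside these subnets passes the network layer.
ALLOWED_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"),
                   ipaddress.ip_network("10.0.2.0/24")]
# Long-lived credentials held by each client service.
CREDENTIALS = {"svc-a": "token-a", "svc-b": "token-b"}
# Where each client service is expected to connect from; the coordinated
# check uses this to tie the credential layer to the network layer.
CLIENT_SUBNET = {"svc-a": ipaddress.ip_network("10.0.1.0/24"),
                 "svc-b": ipaddress.ip_network("10.0.2.0/24")}


def firewall_allows(src_ip: str) -> bool:
    """Network layer on its own: does any allow rule match the source?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SUBNETS)


def credential_valid(client_id: str, token: str) -> bool:
    """Credential layer on its own: does the presented token match?"""
    expected = CREDENTIALS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, token)  # constant-time comparison


def independent_layers(src_ip: str, client_id: str, token: str) -> bool:
    """Each layer decides separately; neither knows what the other saw,
    so a leaked token passes from any allowed subnet."""
    return firewall_allows(src_ip) and credential_valid(client_id, token)


def coordinated(src_ip: str, client_id: str, token: str) -> bool:
    """Joint decision: both layers must pass AND the credential's owner
    must be arriving from the subnet registered for that owner."""
    if not (firewall_allows(src_ip) and credential_valid(client_id, token)):
        return False
    return ipaddress.ip_address(src_ip) in CLIENT_SUBNET[client_id]


if __name__ == "__main__":
    # svc-b's token presented from svc-a's network: passes independent layers,
    # rejected by the coordinated check.
    print(independent_layers("10.0.1.5", "svc-b", "token-b"))  # True
    print(coordinated("10.0.1.5", "svc-b", "token-b"))         # False
```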