Many distributed applications hosted on the cloud or other infrastructures include multiple tiers. Such applications often employ distributed security policies at each component or tier to carry out security-related actions such as authorizing incoming requests, detecting intrusions, and filtering out data that may lead to command injection attacks or system state corruption. Example policies include distributed firewall policies, distributed access control policies, and distributed database policies.
Accordingly, when a distributed application is architected and deployed, the associated policies are authored and deployed either as part of a larger top-level application-wide policy (that is, top-down decomposition of policies) or as part of an aggregation of independently authored security policies of individual components/tiers. Additionally, distributed policies for a single distributed application should be consistent and coherent in the security semantics to be implemented. However, challenges exist because some policies may remain inconsistent with other policies from the beginning of deployment or may become inconsistent as components evolve and/or are updated. Moreover, conflicts between policies can lead to conflicting admission control decisions regarding requests, which can lead to incomplete processing of requests and the potential to drop requests prematurely.
Consequently, a need exists to prevent admission of requests that are likely to be dropped at a later processing stage due to conflicting security policies deployed for different components of an application.
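The admit-then-drop conflict described above can be made concrete with a small checker. This is an added illustration, not the method this document goes on to describe; the three tiers (`web`, `app`, `db`), the rule format and the request attributes are constructed assumptions.

```python
from itertools import product

# Constructed policies: ordered first-match (role, action, resource, decision); "*" = any.
POLICIES = [
    ("web", [("*", "read", "*", "allow"),
             ("admin", "*", "*", "allow"),
             ("user", "write", "orders", "allow")]),
    ("app", [("admin", "*", "*", "allow"),
             ("user", "read", "*", "allow"),
             ("user", "write", "orders", "allow")]),
    ("db",  [("*", "read", "*", "allow"),
             ("admin", "write", "orders", "allow"),
             ("admin", "delete", "*", "deny"),
             ("admin", "*", "*", "allow")]),
]
ROLES = ("guest", "user", "admin")
ACTIONS = ("read", "write", "delete")
RESOURCES = ("orders", "accounts")

def decide(rules, request):
    """First matching rule wins; no match means deny."""
    for *pattern, decision in rules:
        if all(p in ("*", v) for p, v in zip(pattern, request)):
            return decision == "allow"
    return False

def first_denying_tier(request):
    """Name of the first tier on the path that rejects the request, or None."""
    for name, rules in POLICIES:
        if not decide(rules, request):
            return name
    return None

def find_conflicts():
    """Requests the entry tier admits but a later tier drops."""
    conflicts = {}
    for request in product(ROLES, ACTIONS, RESOURCES):
        tier = first_denying_tier(request)
        if tier is not None and tier != POLICIES[0][0]:
            conflicts[request] = tier
    return conflicts

def admit_at_entry(request):
    """Admit only if every tier on the path would accept the request."""
    return first_denying_tier(request) is None

if __name__ == "__main__":
    for request, tier in sorted(find_conflicts().items()):
        print(f"{request} admitted by web, dropped at {tier}")
```

Exhaustive enumeration works here only because the constructed attribute space is tiny; the point is that each reported request passes the entry tier yet is rejected further along the path, which is the inconsistency an entry-point check would need to catch.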