Day 39 of #100DaysOfLearning

Microservices are controversial in many places due to the difficulty of their design and operation, and the difficulty of procuring and training development elements.

However, from an architectural perspective, it is clear that they have very good features.

1. Scalability: Microservices can be scaled independently, allowing for better resource utilization and cost savings.
2. Flexibility: Microservices can be developed, deployed, and maintained independently, allowing for faster development cycles and easier updates.
3. Resilience: Microservices can be designed to be fault-tolerant, meaning that if one service fails, the rest of the application can continue to function.
4. Technology diversity: Microservices can be developed using different technologies, allowing for greater flexibility in choosing the best tool for the job.
5. Organizational alignment: Microservices can be developed and maintained by small, cross-functional teams, allowing for better alignment with business goals and more efficient development processes.

In order to safely use microservices, which are an excellent architecture, it is necessary to have a good understanding of security. Therefore, today, I would like to discuss security issues related to microservices.

Microservices Security foundations

Securing Microservices involves addressing the distributed and dynamic nature of the architecture, implementing specialized security controls for different types of traffic, and understanding the unique challenges and advantages that come with a microservices approach. It's an ongoing process that requires careful consideration and adaptation of security strategies.

Security Fundamentals:

• Microservices security aligns with universal security objectives: confidentiality, integrity, and availability. Access control through authentication and authorization is crucial for protecting sensitive resources in a microservices architecture. Trust considerations involve assessing the reliability of information, and trust domains define segments where information is deemed trustworthy.

Microservices Security Challenges:

• Microservices architecture introduces unique challenges compared to monoliths, requiring a different security approach. The distributed nature of microservices increases the attack surface, making it essential to manage and secure various entry points. Challenges in North/South Traffic involve deciding where to perform authentication and authorization for external requests entering the system. East/West Traffic security is necessary to maintain confidentiality and integrity between microservices, especially across multiple trust domains. Identity propagation across microservices while ensuring integrity poses challenges that require specialized strategies. Despite challenges, microservices can offer advantages in terms of availability and containment of security incidents.

Adapting Security Strategies:

• Security strategies used in monolithic architectures need re-engineering for microservices. Each microservice exposes a port, requiring a dynamic approach to access control, authentication, and authorization. Specialized security controls are necessary for both North/South and East/West Traffic to ensure the confidentiality and integrity of data. Understanding the unique aspects of microservices security upfront is crucial for applying appropriate security measures.

Advantages and Considerations:

• Microservices' independence can provide advantages in terms of availability and containment of security incidents. Denial of service attacks may impact individual services, but the overall system can remain available. Lateral movement for attackers becomes challenging, limiting the potential impact of security breaches.

Identity Management and Access Control

Effective identity management and access control in microservices require leveraging IAM platforms, API gateways, and standardized protocols like OAuth. Security should be tailored to diverse access scenarios, and pre-existing platforms offer robust solutions that align with best practices in the field.

Distributed Access Management Patterns:

• Microservices rely on distributed access management patterns to handle identity and access control.
• These patterns involve the use of tokens for authentication and authorization, with roles played by identity services, reverse proxies (API gateways), and various security controls.

Identity and Access Management (IAM) Platforms:

• IAM platforms are critical components in microservices security, offering authentication and token management.
• Security capabilities, such as authentication, identity management, security standards implementation, and token management, are efficiently sourced from IAM platforms.

API Gateways as Reverse Proxies:

• API gateways, functioning as reverse proxies, provide a centralized entry point for all microservices traffic.
• They enforce security controls, including token verification, access control policies, and traffic management policies like spike arrest and quota limits.

Access Scenarios:

• Microservices access occurs through clients, which can be public or confidential, first-party or third-party, internal or external.
• Access scenarios range from basic user interactions to advanced delegated access and machine-to-machine communication, necessitating diverse security controls.

OAuth in Access Control:

• OAuth plays a crucial role in handling access scenarios by determining the flow a client uses to obtain an access token based on the specific scenario.
• Access control decisions are made based on tokens, and IAM platforms often integrate OAuth standards for secure handling.

Security Best Practices:

• Building security controls from expert providers, such as IAM platforms and API gateways, is recommended over developing custom solutions.
• IAM platforms offer features like multi-factor authentication, identity management, and adherence to security standards, contributing to robust microservices security.

Visibility and Monitoring:

• API gateways provide visibility into microservices traffic, aiding in monitoring and tracing for security incident investigation.
• Developer portals in API gateways facilitate secure client registration and API consumption, aligning with IAM platform standards.

Consideration for Third-Party Clients:

• Security controls for microservices may be more stringent for third-party clients, considering the lack of control over their security policies.
• Some organizations implement strategies where first-party clients must meet similar stringent security controls as third parties.

Integration of Platforms:

• There may be some overlap in capabilities between IAM platforms and API gateways, and integrating both is common for comprehensive microservices security.
• Careful assessment and selection of IAM platforms and API gateways based on organizational needs and policies are crucial.

Token-Based Security and Standards

Token-based security is fundamental for microservices architecture, addressing challenges in identity, access control, and secure communication.

Tokens:

• Tokens play a vital role in microservices, addressing challenges in distributed systems, avoiding shared sessions, and eliminating the need to pass user credentials between services. Two token formats: Reference (opaque, metadata stored at the authorization server) and Structured (metadata in the token payload, often in JSON Web Token - JWT - format).

OAuth 2:

• OAuth 2 is a key authorization standard supporting token-based security in microservices. Four roles: Resource Owner, Resource Server, Authorization Server, and Client. Flexibility in grant types (authorization code, client credentials) allows tailoring to specific use cases.

Issuing Tokens:

• Access tokens are issued to clients after authentication and consent from the resource owner. Refresh tokens facilitate obtaining new access tokens without resource owner involvement. Token expiration and short-lived access contribute to better security.

Issuing Identity Tokens with OIDC:

• OpenID Connect (OIDC) adds an identity layer to OAuth 2, addressing authentication and user profile information. OIDC introduces an identity provider, enabling multiple clients to leverage the same authentication service.

Token Validation:

• Tokens must be validated for authenticity before granting access to microservices. Reference tokens introspect at the authorization server, while structured tokens involve complex validation based on JSON object signing and encryption specifications (JOSE).

Token Maintenance and Protection:

• Tokens have a lifecycle with optional maintenance activities before expiration. Best practices include short-lived access tokens, secure handling of refresh tokens, and protection against compromise. Token revocation is challenging but necessary in cases of compromise or when access needs to be terminated.

Security between Microservices

Zero Trust Microservices:

• Enforce a zero-trust architecture where microservices validate the identity of calling parties, adhering to the concept of defense in depth.
• Do not trust network segments; establish trust boundaries at the microservice level.

Mutual TLS (mTLS) for Secure Communication:

• Implement Mutual TLS as a common and effective approach to secure microservices communication.
• Utilize digital certificates to authenticate both parties, ensuring secure and verified interactions.

Certificates Management Challenges:

• Address challenges in managing and provisioning certificates, especially in ephemeral container environments.
• Leverage automation, container orchestrators, and service meshes for efficient certificate handling.

Securing Internal API Gateway Communication:

• Extend Mutual TLS to secure communication between microservices and the API gateway.
• API gateway serves as an additional layer of defense, requiring trusted digital certificates for secure communication.

East to West Traffic Security:

• Prioritize security concerns related to internal traffic within the microservices architecture (east to west).
• Implement depth in defense by ensuring microservices verify identities and maintain information integrity in internal communication.

Comprehensive Monitoring and Logging:

• Establish robust monitoring and logging practices for microservices, enhancing visibility into system activities.
• Use correlation IDs for tracing events across distributed microservices, aiding in security inquiries and incident response.

Centralized Logging and Automated Monitoring:

• Centralize logs for microservices in a common location for easy analysis and monitoring.
• Implement automated monitoring to identify and alert on suspicious behavior, focusing on issues like failed mutual TLS and potential attacks.

Throttling and Rate Limiting:

• Apply throttling and rate limiting strategies to control API usage and prevent system overload.
• Use quotas and rate limits per client or API operation to ensure fair resource distribution and prevent abuse.

Observability and Tracing:

• Enhance observability through standardized logging structures across microservices.
• Utilize tracing with correlation IDs to aggregate system activities into meaningful events for improved security analysis.

In summary, a holistic approach to microservices security, spanning identity, communication, access controls, runtime, and continuous monitoring, is crucial for a resilient and secure microservices architecture.