Microservices Security Fundamentals: Microservices Security Challenges. Wojciech Lesniak, Principal Developer / Tech Lead, @voit3k
Microservices International Data Corporation (IDC) predicts that by: 2019 Q1
Microservices: International Data Corporation (IDC) predicts that by 2022, 90% of all applications will feature microservices architectures that improve the ability to design, debug, update, and leverage third-party code. Q2
Flexibility of a Microservices Architecture: - Polyglot: each service can implement its own technology stack. - Agile Teams: smaller independent teams. - Independent: developed, deployed and scaled independently.
Microservices the promised land
Microservices Architecture Patterns: API Gateway, Service discovery, Distributed tracing, Client load balancing
How do you secure your microservices without: - Stifling team productivity. - Reducing the performance or time to market of the application. - Negating any of the benefits of a microservices architecture.
Bugs in Microservices: Fix, test and deploy the offending microservice.
Fail Fast Fail Early Fail Often
Consequences of Security Breaches: Reputational and brand damage, Legal issues, Bankruptcy, Loss of trust, Financial loss, Negative headlines
There are also tried and tested best practices and architectural patterns you can use to solve the security challenges within your Microservices architecture.
DevOps: Security is now everyone's responsibility...
Your Security Implementation Should Not Be Draconian: excessively harsh, severe, and locking everything down.
The Challenges of Microservices Security
Contrast Security Challenges: Monolith and Microservices
Security Fundamentals and Prevention - the various techniques and patterns you can use to secure your microservices architecture.
Hackers Are Lazy
Detection: - Identifying security vulnerabilities throughout the development lifecycle. - Monitoring and identifying security breaches. - Reacting to security breaches.
Engrain a Security Culture within Your Development Teams: - Threat modelling. - Prioritize security vulnerabilities.
Defence in Depth: an information assurance concept in which multiple layers of security controls (defence) are placed throughout an information technology (IT) system. Also known as a castle approach.
Contrast Security Challenges: Monolith and Microservices
Monolith: - Smaller attack surface. - In-process communication between components is more secure. - User context is stored centrally, easily retrievable and trusted. [Diagram: a single process on PORT: 80 serving HTML and REST, holding the Session, with in-process Portfolio, Support, Pricing and Account components over one Data Access layer]
Microservices [Diagram: separate Portfolio, Account, Support and Pricing services, each exposing REST and each with its own Data Access layer]
Confused Deputy [Diagram: Victoria, an HTML/JS client, and the Portfolio and Account services connected over REST, each service with its own Data Access layer; requests shown: GET: /victoria and GET: /joe]
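One way a downstream service can guard against the confused deputy problem pictured above, as an added example that is not from the original slides: the Account service serves a request only when a verified end-user context matches the resource owner, instead of trusting the calling service alone. The HMAC-signed token format, the shared key, the caller-identity string and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: account records keyed by owner (names from the slide).
ACCOUNTS = {"victoria": {"balance": 1200}, "joe": {"balance": 85}}
# Assumption: key shared by the edge that authenticates users and the Account service.
EDGE_KEY = b"constructed-demo-key"


def issue_user_context(user, key=EDGE_KEY):
    """Edge component signs the authenticated user's identity (hypothetical format)."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": user}).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_user_context(token, key=EDGE_KEY):
    """Return the end user named in the token, or None if verification fails."""
    try:
        body, sig = token.rsplit(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        return json.loads(base64.urlsafe_b64decode(body))["sub"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def account_get_trusting(caller_service, owner):
    """Confused-deputy-prone: anything a trusted service asks for is served."""
    if caller_service != "portfolio":  # assumption: caller identity already authenticated
        return 403, None
    return 200, ACCOUNTS.get(owner)


def account_get_checked(caller_service, owner, user_context):
    """Hardened: the caller must be trusted AND the end user must own the resource."""
    if caller_service != "portfolio":
        return 403, None
    user = verify_user_context(user_context)
    if user is None:
        return 401, None  # missing, malformed or tampered user context
    if user != owner:
        return 403, None  # Victoria's session cannot read /joe
    return 200, ACCOUNTS.get(owner)
```
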
Bootstrapping Secrets [Diagram: Portfolio, Account, Support and Pricing services, each exposing REST with its own Data Access layer, each receiving its secrets through Env variables]
Secret Sprawl: Source control, Env variables, Property file, Configuration management, Source code
Immutable Server: Challenges with immutable servers - Secrets and whitelists cannot be maintained on the server's file system. [Diagram: Docker container running the Portfolio microservice with REST and Data Access]
Security is not just authentication and authorization, it’s also quality of service
Denial of Service
Netflix Microservices Architecture
Monitoring and Tracing [Diagram label: Queue]
Challenges due to polyglot microservices architectures: - Requires security expertise for each technology. - Maintaining multiple sets of security best practices and guidelines for each technology. - Keeping up with security patches.
Key Takeaways: Your microservices security implementation should not: - Resemble a monolith. - Prevent your service from being scaled and deployed independently. - Degrade your application's performance. - Stifle team productivity. - Prevent or restrict your teams from experimenting and selecting different technology stacks.