Securing the Perimeter around Your Microservices Wojciech Lesniak - - PowerPoint PPT Presentation

@voit3k

AUTHOR

Wojciech Lesniak

Securing the Perimeter around Your Microservices

Basic authentication

Module Overview

Certificates Tokens, JWT Oauth2, OpenID Connect

Microservices Identity provider API Gateway

Challenges with Edge Security

External API consumers

Human (User) Non-human (Service or system)

Type of API Consumer

Authe uthenti nticati tion The process of identifying who the consumer is. Autho uthoriza zati tion The process of identifying what the consumer can do.

Authentication / Authorization

Every user or service consumer has the bare minimum privileges which are essential to perform their tasks.

Principal of Least Privilege

Principal of Least Privilege

Limits the blast radius of any compromise to your system.

Human (User) Non-human (Service or system)

Type of API Consumer

Human Users

Client Victoria /victoria Microservice

Can you trust that the client is in-fact acting

• n behalf of the user and has their consent

to do so?

Delegation Problem

Proprietary data User data User Clients

Authenticate user (resource owner) Get their consent to authorize client access to their resources

Delegated Access

Delegated Authorization

Victoria Joe Withdraw Delegate

API Gateway: Exposing Your API Securely

Data Access Support REST Data Access Portfolio REST

Transition to Microservices

Data Access Pricing REST Data Access Pricing Support HTML Portfolio REST

PORT: 80

Account

in-process

Session

PORT: 8080 PORT: 8081 PORT: 8082

Data Access Support REST Data Access Portfolio REST Data Access Pricing REST

PORT: 8080 PORT: 8081 PORT: 8082

Clients Microservices

Data Access Support REST Data Access Portfolio REST Data Access Pricing REST

PORT: 8080 PORT: 8081 PORT: 8082

Clients Microservices API Gateway

Audit logs QOS checks Throttling DOS prevention

Development team can focus more on business requirements rather then non- functional security requirements.

Each microservice should perform one function and do it well.

Single Responsibility Principal

Benefits of an API Gateway

Avoids the need for shared libraries making

• ur architecture polyglot.

Defensive Structures

Basic- username / password Static API key Client id and client secret OpenID connect SAML Fingerprinting Certificates

Clients

API Gateway Firewall MITM API Gateway API Gateway API Gateway

Considering Basic Authentication

Basic Authentication

username:password

dXNlcm5hbWU6cGFzc3dvcmQK

Base64 encoded

He Heade der na name me Va Value Authorization Basic dXNlcm5hbWU6cGFzc3dvcmQK

Authentication is more complex then just a username and password, requiring 2 Factor or Multifactor.

Why Basic Is Not Suitable for Microservices

For persistent login the credentials would have to be stored on the client. In a distributed system, credentials are exposed to multiple services. Delegation can only be done by requesting the users credentials.

Authenticating Clients with Certificates

Data Access Support REST Data Access Portfolio REST Data Access Pricing REST

PORT: 8080 PORT: 8081 PORT: 8082

Clients Microservices

API Gateway Firewall MITM

At minimum TLS 1.2 or higher

Public / private key, signed by CA

Certificate Authority Client

Public / private key, signed by CA

API Gateway mTLS

Transport Layer Security (TLS)

Certificate issuers by CA CA public key, verify server

Challenges with mTLS

Does not solve the delegated access or the confused deputy problem. You have to maintain a Public Key Infrastructure and your Certificate Authority. Key provisioning, bootstrapping, and rotation, and invalidating keys can be challenging as the number of clients and services increases.

Introducing Tokens

Clients Microservices

API Gateway Firewall Authenticate Portfolio Support Pricing STS Introspection Get resource

Name: Victoria Email: vic@email.com

Opaque Tokens – by Reference

1234567 Id:1234567 Identity Provider

A security token with the property that any party in possession of the token (a "bearer") can use the token in the same way that any other party with possession can.

Bearer T

• ken

Benefits of Tokens

Microservices are never exposed to the users or clients password. “Single responsibility Principal” your microservices development teams don’t need to focus on non-functional security requirements. Tokens can be used to provide delegated authorization.

Identity Provider

Human user like Victoria

Subject – Entity Requesting Access

Machine Software

Username: victoriaN name: Victoria Smith dob: 15/05/1988 Email: vic@send.com Address: 1 Bond st London gender: Female Username: victoriaN Email: vic@send.com Address: 1 Bond st London gender: Female dob: 15/05/1988 name: Victoria Smith name: Victoria Smith Address: 1 Bond st London gender: Female dob: 15/05/1988

Subject Principals

Coupling Application and Identity data

Data Access Support REST Data Access Portfolio REST principal principal principal Get principal Get principal Get principal

sync sync

API Gateway application application

Micros

• serv

rvices (Ex (Except pt for the

• r the D

Data ta)

Data Access Support REST Data Access Portfolio REST principal API Gateway Monolithic data store App data App data Get principal Get principal Get principal

A service that manages the creation, maintenance of identity information for principals.

Identity Provider

Manage and provider single sign in for all users in your applications, systems, and networks centrally.

Authentication as a service (AaaS)

Clients Microservices

API Gateway Firewall Authenticate Portfolio Support Pricing Identity provider STS Authz Server Verify Get resource

Identity Provider

Victoria Client API Gateway Microservices Portfolio Support Pricing /portfolio 401 Unauthorized

Relaying Party

Victoria Client API Gateway Microservices Portfolio Support Pricing Identity provider LDAP principal /portfolio

Identity Provider Can Become a Bottleneck

Identity provider verify

By-value Tokens

By-value Token

username: victoria name: Victoria Lesniak Derpartment: reserch

Claims define what the subject is and is not.

Claims-based identity

By-value Token

username: victoria name: Victoria Lesniak derpartment: reserch

Identity provider LDAP principal

Signed with providers private key

A signed token without the expiration date is worse than a password.

What format should your by-value token be?

A standard token format.

Answer

Different Token Formats Introduce Complexity

1990s

Kerberos Protocol specific

2002

SAML Protocol specific

2015

JWT Protocol agnostic

Evolution of Security Tokens

1990s

Kerberos Protocol specific

2002

SAML Protocol specific

2015

JWT Protocol agnostic

Evolution of Security Tokens

1990s

Kerberos Protocol specific

2002

SAML Protocol specific

2015

JWT Protocol agnostic

Evolution of Security Tokens

JSON Web Token (JWT)

JWT Optional Standard Claims

Cla laim im Desc scripti ption jti Unique token identifier iss Issuer – who issued the token sub Subject – Who the claims represent. aud Audience – The recipient the token was meant for. exp Expiration – Until when the token is valid iat Issued at – The time the token was issued.

JWTs can also be encrypted to prevent the content being read by unwanted parties, using the JSON Web Encryption (JWE) specification.

Javascript Object Signing and Encryption (JOSE)

JSON Web Token (JWT)

(JWA) JSON Web Algorithm (JWS) JSON Web Signature (JWE) JSON Web Encryption

Delegated Authorization with OAuth2

OAuth2 is an open standard used to allow entities to grant limited access to their resources, without sharing their credentials.

Open Authorization (OAuth2)

Actors in OAuth

Protected resource Resource Owner

• wns

Resource server protects Client Issues access token to client Authorization server

OAuth2 Authorization Code Grant

Crypto Portfolio User Browser

client id secret client id secret

• 1. Sign-in
• 2. Redirect to auth-server <client id>
• 7. Forward auth code
• 11. /portfolio

Victoria Client

Authorization server Resource Server

https/ /auth-server-uri/ ?client_id=crypto-portfolio&scope=profile,portfolio&response_type=code &redirect_uri=crypto-portfolio-uri&state=987654 Crypto Portfolio would like to access your profile and portfolio data. Approve https/ / crypto-portfolio-redirect-uri /?code=123456&state=987654 http POST: code:123456 client_id: crypto-portfolio client_secret: secret

Other Grant Types

Client credentials

Sign-in with OAuth2

The Reasons for OpenID Connect

OAuth2 is for delegated authorization and not designed for authentication.

Proprietary data User data User Clients

Authenticate user (resource owner) Get their consent to authorize client access to their resources

Delegated Access

User data

Authentication with OAuth2

id: victoria name: Victoria Lesniak email: vic@email.com

Victoria Client Oauth2 Session victoria

OAuth2 is proof of possession not proof of identity.

OIDC – Authentication layer OAuth2 – Delegated authorization

Options for API Gateway and Authorization Server

API Gateway Options

Spring Cloud Gateway

Identity Provider / Authorization Server

Cloud Foundry UAA Gluu Keycloak

Opensource. 3M+ downloads. Built on top of NGINX. Offers 60+ plugins. Sub millisecond latency. Platform agnostic, scalable. Adopted by many global enterprises.

Recap

Wrap up

Data Access Support REST Data Access Portfolio REST Data Access Pricing REST

PORT: 8080 PORT: 8081 PORT: 8082

Clients Microservices

API Gateway Firewall Authz provider authenticate verify

Defence in depth Zero trust

Service-to-Service Security