
API Security in a Microservices World


A microservice architecture brings new challenges to API Security and careful design needs to be applied at operations and development level to ensure corporate data is properly protected from unwanted access.

In this session we explain what API security encompasses, why API security needs to be considered as early as possible in the lifecycle of the microservices, how known standards such as OAuth and OpenID Connect can be leveraged to authenticate and authorize access to microservices and give practical examples and recommendations for the design and deployment of microservice architectures.

Published in: Software


  1. API Security in a micro-services world (6/20/19)
  2. I. Micro-services concepts
  3. I.1. Micro-services concepts: what is it?
     A microservices-based application system:
     - Multiple components (microservices) that communicate with each other using RPC (synchronous) or a messaging system (asynchronous).
     - Each microservice implements one distinct business process or functionality.
     - Each microservice is a mini-application: it implements its own business logic and carries various adapters for functions such as database access and messaging.
     - Most microservices expose a RESTful API.
     - Often cloud native (Kubernetes-like infrastructures) and deployed in the cloud.
     - DevOps processes -> SecDevOps.
  4. I.2. Micro-services concepts: design goals
     Each micro-service:
     - Is developed, secured and deployed by a single SecDevOps team.
     - Is operated (managed, replicated, scaled, upgraded, ...) independently of other microservices.
     - Exposes a single function.
     - Is as stateless as possible.
     Which provides:
     - Autonomy
     - No coupling
     - Composability
     - Alignment with business processes
  5. I.3. Micro-services concepts: architecture
     Two main architectural frameworks:
     - API Gateway based
     - Service mesh based (Istio-like infrastructures): a data plane with side-car proxies and a control plane (monitoring, key service, routing, service registration, etc.)
     We advise using both:
     - An API Gateway acting as the Ingress controller, using opaque access tokens for external consumption and exchanging opaque tokens against JWTs for internal service consumption.
     - Micro API Firewalls as last-mile security PEPs -> defense in depth is key!
  6. I.4. Advised architecture
     [Figure: an API Gateway in front of the services, with a µAPIFW (micro API firewall) in front of each internal service.]
  7. II. Security Challenges
  8. II.1. Micro-services: security challenges
     "I have SSL/TLS and OAuth in place, isn't that enough??!" Too many customers...
  9. II.2. Micro-services security: security challenges
     - Authentication (validation and OIDC flows)
     - Authorization (access control and OAuth flows)
     - Integrity: data has not been tampered with
     - Confidentiality: data can't be seen in flight
     - Availability (rate limiting)
     - Non-repudiation (legal compliance)
     - Audit (forensics)
     - Traffic validation (attack protection)
  10. II.3. Real-life example: FAPI (Financial APIs Security Profile)
     - Auth grant types
     - OpenID Connect flows
     - TLS settings
     - Message confidentiality
     - Message integrity
     - Non-repudiation
  11. III. Organisational Challenges
  12. III.1. From DevOps to SecDevOps (lifecycle)
     - Develop: develop and document the API with OpenAPI/Swagger
     - Audit: assess the API description and evaluate the risk level
     - Protect: configure and apply security policies from the assessed risk
     - Deploy: deploy to a containerised PEP
     - Scan: continuous API hardening, including API fuzzing
     - Monitor: monitor security vulnerabilities and runtime behaviour
  13. IV. Food for thought
  14. IV.1. Good papers on micro-services security
     - NIST Draft on Security Strategies to Secure Microservices-based Application Systems ( draft.pdf).
     - CA Securing Microservices APIs document ( apis-sustainable-and-scalable-access-control.pdf)