A microservice architecture brings new challenges to API security, and careful design is needed at both the operations and development levels to ensure that corporate data is properly protected from unwanted access.
In this session we explain what API security encompasses, why it needs to be considered as early as possible in the lifecycle of the microservices, and how known standards such as OAuth and OpenID Connect can be leveraged to authenticate and authorize access to microservices. We also give practical examples and recommendations for the design and deployment of microservice architectures.
I.1. Micro-services concepts: what is it?
Microservices-based application system:
• Multiple components (microservices) that communicate with each other using RPC (synchronous) or a messaging system (asynchronous).
• Each microservice implements one distinct business process or functionality.
• Each microservice is a mini-application
– implements its own business logic
– various adapters for carrying out functions such as database access and messaging
• Most microservices expose a RESTful API
• Often cloud native (Kubernetes-like infrastructures) and deployed in the cloud
• DevOps processes -> SecDevOps
I.2. Micro-services concepts: design goals
• Is developed, secured, deployed by a single SecDevOps team.
• Is operated (managed, replicated, scaled, upgraded, …) independently of other
• Exposes a single function.
• Is as stateless as possible.
• No coupling
• Alignment with business processes
I.3. Micro-services concepts: architecture
Two main architectural frameworks:
• API Gateway based
• Service mesh based (Istio-like infrastructures)
– Data plane with side-car proxies
– Control plane (monitoring, key service, routing, service registration, etc.)
We advise using both!
• An API Gateway to act as the Ingress controller
– Using opaque access tokens for external consumption
– Exchanging opaque tokens against JWTs for internal services consumption
• Micro API Firewalls as last-mile security PEPs -> Defense in depth is key!!!
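As an added illustration of the two-token pattern above (not code from the original slides), the following models an ingress gateway that introspects an opaque external token and mints a short-lived, audience-bound JWT for one internal service, plus the last-mile PEP that verifies it. The token store, the shared HMAC key and the HS256 signing are constructed assumptions; a production deployment would use a real authorization server, asymmetric keys and a vetted JWT library.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed sample data: the gateway's opaque-token store and the key
# shared between the gateway and the internal PEPs (assumptions, not real).
INTERNAL_KEY = b"demo-shared-key-change-me"
OPAQUE_TOKENS = {
    "opaque-abc123": {"sub": "alice", "scope": "orders:read", "exp": time.time() + 600},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def gateway_exchange(opaque: str, audience: str) -> Optional[str]:
    """Ingress gateway: introspect the opaque token, mint a 60 s JWT for one internal service."""
    rec = OPAQUE_TOKENS.get(opaque)
    if rec is None or rec["exp"] < time.time():
        return None  # unknown or expired external token: reject at the edge
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"sub": rec["sub"], "scope": rec["scope"], "aud": audience,
              "iat": now, "exp": now + 60}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(INTERNAL_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def pep_authorize(jwt: str, expected_aud: str, required_scope: str) -> bool:
    """Last-mile PEP in front of an internal service: check signature, expiry, audience and scope."""
    try:
        h, c, s = jwt.split(".")
        header = json.loads(_unb64(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return False
        expected = hmac.new(INTERNAL_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return False
        claims = json.loads(_unb64(c))
    except (ValueError, AttributeError, TypeError):
        return False  # malformed token
    if claims.get("exp", 0) <= time.time() or claims.get("aud") != expected_aud:
        return False  # expired, or minted for a different internal service
    return required_scope in str(claims.get("scope", "")).split()
```

Each internal service only accepts tokens carrying its own audience, so a JWT minted for one service cannot be replayed against another even though the signing key is shared.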
I.4. Advised architecture
II.1. Micro-services: Security challenges
“I have SSL/TLS and OAuth in place, isn't that enough?!”
Too many customers…
II.2. Micro-services Security: Security challenges
III.1. From DevOps to SecDevOps
Stages of the SecDevOps loop (from diagram):
• Develop and document API
• Assess API description and evaluate risk level
• Configure and apply security policies from
• Deploy to containerised
• Continuous API hardening including API fuzzing
IV.1. Good papers on micro-services security
• NIST Draft on Security Strategies to secure Microservices-based Application
• CA Securing Microservices APIs document