These slides contains my notes on what are the security consideration w.r.t Micro services and Multi Cloud. I am still working on this part. It is just a comprehension of whatever I have studied so far.

1. Designing Security for Multi-Cloud and Microservices
Neelkamal Gaharwar

2. Micro services with Pros and Cons
Security Concern for Micro-Services
Multi-Cloud – What & Why
Multi-Cloud Security Concerns
Multi-Cloud Security Solution
Contents

3. What are Micro servicesDashboard
App Tier
User Account
Order
Product
Payment
DB Tier
Dashboard
User
Account
Order
Product
Payment
Monolithic Services
Micro Services

4. Micro services
Dashboard
User
Account
Order
Product
Payment
Micro Services
• An architectural style
• Collection of Loosely coupled services
accessible via API
• Clearly defined interface
• Each service runs as
➢ unique process
➢ usually manages its own database.
• Can be implemented using different
➢ programming languages
➢ Databases
➢ software environment.
➢ Stateless
“One at a time”

5. Micro Services
✓ Smaller Development Cycle
✓ Improves fault resolution
✓ No long-term technology
commitment
✓ Faster and reliable deployment
✓ Increase Uptime
✓ Service Reuse
✓ Scalable and better performance
✓ Better ownership and knowledge
✓ More Security
Pros
Dashboard
User
Account
Order
Product
Payment
Micro Services
Security Pros
• Compromising one service
will not expose entire system
• Defence-in-depth

6. Micro Services
✓ Manage Multiple distributed Systems
✓ Manage multiple Remote API Calls
✓ Manage multiple Databases
✓ Difficult to Test
✓ Issues with Deployment – Holistic
View
Cons
Dashboard
User
Account
Order
Product
Payment
Micro Services

7. Security Considerations For Micro
Services

8. Security Considerations – Accessibility
• With micro services internal calls are converted into
Remote API calls
• Use of weak or old passwords could be critical threat
now as interfaces accessible User Account
Order
Product
Payment

9. Security Considerations – Accessibility
Most Popular Action after
successful Hack???

10. Security Considerations – Access Control - Solutions
• Solutions
– Long phrase make password strong
• User Should be allowed to use long
passwords like phrases (64 chars by NIST)
• Password should not be truncated if they
exceed maximum password limit
• Eliminate complex rules
– Do not force password reset
• Inform user about login attempts on their
account
– Prevent user from selecting password from list of
Breached passwords
– Embrace use of password managers
User Account
Order
Product
Payment
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
https://www.troyhunt.com/password-strength-indicators-help-people-make-dumb-choices/

11. Security Considerations – Credentials Management
• Lots of secrets !!!
• Secure the keys
– Distributed
• Worsened the Situation
• Difficult to revoked leaked credentials
• Expose credentials to everyone
– Centralized
• Vault - Keep secret A SECRET
• Allow to issue timed credentials
• Keep a record of
– Who used credentials
– For what duration
– No. of times request made
• Easy to Rotate
User Account
Order
Product
Payment
SSH Keys
DB credentialsTLS
Certificates
API Secret
Keys
Environment
Variables

12. Security Considerations – Patch Management
• Different Layers to cover
• Opportunity for implementing defence in depth
Hardware
Operating System
Hyper visor
VM 1 VM 2
OS
Container
OS
App
DB
DB
DB

13. Security Considerations – Patch Management
• Based on you deployment model you can get help
– Cloud Provider will take care
• IaaS
Hardware
Operating System
Hyper visor
VM 1 VM 2
OS
Container
OS
App
DB
DB
DB
IaaS

14. Security Considerations – Patch Management
• Based on you deployment model you can get help
– Cloud Provider will take care
• IaaS
• PaaS
Hardware
Operating System
Hyper visor
VM 1 VM 2
OS
Container
OS
App
DB
DB
DB
PaaS

15. Security Considerations – Patch Management
• Based on you deployment model you can get help
– Cloud Provider will take care
• IaaS
• PaaS
• Serverless Logic
Hardware
Operating System
Hyper visor
VM 1 VM 2
OS
Container
OS
App
DB
DB
DB
ServerLess Logic

16. Security Considerations – Authentication & Authorization
User Account
Order
User Account
3rd Party
User Account
Mutual Authentication 3rd Party Authentication User Authentication
Order

17. Security Considerations – Authentication & Authorization
User Account
User Authentication
• Micro Services are Stateless
• Require separate mechanism for user authentication
• Possible Solutions
Distributed Session
Management
• Different Session based Solution -
•Server can store user specific session
•Each server knows all session details
•Centralized Server for managing server
• Session based solution will eventually
•lead to dependency on any of the server
•Create Bottleneck in the network
Token Based
Authentication
• Authenticate user via token like via JWT
• Self containing – no call to server once issued
• Lack of control on the token
Token With API
Gateway
• Generates Opaque token against access token
• Access token never revealed
• Allows option to revoke token when require
• Allows to control user access to a particular API
Order

18. Security Concerns – Authentication & Authorization
Mutual Authentication
User Account
Order
Product
Payment

19. Security Concerns – Authentication & Authorization
Mutual Authentication
• Services might be running on the
– Same Machine
– Across network
• End point authentication required
• TLS solves this issue
– Protects data confidentiality
– Mutual certification validation helps with
identity validation
• Separate certificate for each service
• Problem
– Too many services Too many certificates
to manage
• Private Certificate Centre can help
User Account
Order
Product
Payment

20. Security Considerations – Authentication & Authorization
User Account
3rd Party
3rd Party Authentication
• Granting access to 3rd party??
– Consider Authentication
– What they can access
• OAuth
• API Token

21. Security Considerations – Input Validation
Scenarios –
• Unsafe Deserialization

22. Multi Cloud

23. Multi Cloud – What & Why
• A multi-cloud strategy is the use of two or more cloud
computing services.
• A mix of public infrastructure as a service (IaaS)
environments, such as Amazon Web Services and Microsoft
Azure
What
• A way to prevent data loss or downtime due to a localized
component failure in the cloud.
• Use of more price-competitive cloud services
• Taking advantage of the speed, capacity or features offered
by a particular cloud provider in a particular geography.
• Compliance - enterprise data to physically reside in certain
location
Why

24. Multi Cloud Security Consideration
• Isolated Clouds Are Less Secure
– multiple secure clouds are not the same thing as a
secure multi-cloud.
• Poor visibility.
– o see into each cloud individually, but not into all clouds
at once, with no comprehensive view
• Lack of Coordination
– Isolated clouds PREVENT integration between security
functions and centralized orchestration. Thus preventing
coordinated response to mitigate the impact
• High TCO(Total Cost of Ownership) and reactive Security
– Spending hours matching and aggregating data from
different cloud management portals and then deciding
on appropriate actions takes time
• Example –
• Financial Services: Digital Transformation in the
Cloud
• Robust security provisions, such as Salesforce Trust and Fiserv’s
Sentry, are meant to allay security concerns.
• But it’s up to the bank’s security team, however, to figure out
whether the standards provided by these security provisions
match those of their internal network, and whether they can
ensure PCI compliance when personally identifiable data
traverses multiple cloud boundaries
• Education: Resourced Constrained
• Healthcare: IoMT Threats

25. Multi Cloud Security Solution
• Avoid ShadowOps
• Prioritize Visibility
– Solution that offers deep visibility, ideally at the
workload layer.
– Signature-based monitoring is not enough in the cloud.
Focus on behavior-based monitoring for detecting
anomalous behavior
• Uphold the Shared Responsibility Model
– make sure you understand the shared responsibility
model.
– If someone logs into production without permissions
and does something to put your organization at risk,
that’s on you.
• Focus on Automation
• We recommend that organizations leverage automation to
become secure by design

26. Thank You