SlideShare a Scribd company logo

API Security in a Microservice Architecture

Download as PPTX, PDF
M
Matt McLarty

This presentation was given at the O'Reilly Software Architecture Conference in New York on Feb. 28, 2018. It gives an overview of the new book, Securing Microservice APIs. Download available here: https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html

Technology
1 of 43
API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018
Agenda  Purpose and Goals  Background  Current Approaches - Network-level Controls - Application-level Controls - Emerging Approaches  Proposed Approach - Domain Hierarchy Access Regulation for Microservice Architecture (DHARMA) - Platform-Independent DHARMA Implementation  What Next?
About Matt McLarty  Vice President of the API Academy (CA Technologies)  Co-author of Microservice Architecture from O’Reilly  Instructor for Microservices for the Enterprise O’Reilly training  20+ years in development, enterprise IT, software architecture  Architect, writer, speaker  Live in Vancouver, BC, Canada
O’Reilly Report https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html
Goals Primary  Create a comprehensive “literature review” for Microservice API Security  Define a general model for API access control applicable to microservices  Refine the general model for practical use in a microservice architecture  Anticipate the next level of problems and solutions required for microservice API security Secondary  Help to develop a common language for microservices and distributed systems in general  With Fielding as inspiration, try to define a methodology for general solutions like this
Some background…
Microservice Architecture Characteristics Service orientation Independent deployability and manageability Ephemerality and elasticity Web API communication Container-based deployment
Microservice API Terminology  Service - Service Instance  API - API Endpoint  API Request  API Response  API Consumer  API Provider  API Intermediary - API Gateway - Service Proxy
The Microservice API Landscape
IAAA Framework for Microservice APIs •Must support multiple identities and attributes (end users, system components, domains)Identification •Must support multiple authentication methods as well as delegated authenticationAuthentication •Authorization for a single request may be decided at multiple points in the request pathAuthorization •Capture of relevant security data or metadata from API messagesAccountability
Current approaches…
About Trust  Trust is fundamental in distributed systems  Implicit trust is everywhere! - e.g. network isolation  Trust is about understanding and compromise Trusted communication should be more efficient than untrusted
Network-Level Controls Localhost isolation Network segmentation SSL/TLS
SPIFFE  “Secure Production Identity Framework for Everyone”  PKI functions for ephemeral environments  SVID’s - “SPIFFE Verifiable Identity Documents” - Identity for services and other components  SPIRE - “SPIFFE Runtime Environment” - Agent/Server architecture
Application-Level Controls – Traditional Web Tokens Cookie-based Sessions  Can have a role as long as storage is performant and scalable  Session ID open to hijack  Sessions do not cross security domains SAML  Some concepts useful  Too centralized and heavy for microservice architectures  Does not support delegation
Application-Level Controls – API-oriented Tokens API Keys  An application identifier, not a security mechanism! OAuth 2.0  Framework for API authorization, supports delegation  Agnostic of token types OpenID Connect  Extends Oauth 2.0 with ID Token JWT  Packaging format for exchanging claims  Convenient and popular in practice
Application-Level Controls –Token Types Opaque (“by-reference”) tokens  Indecipherable to third parties, but require centralized management Transparent (“by-value”) tokens  Management can be decentralized, but accessible to third parties
Infrastructure – API Intermediaries  API Gateway - “North-south” (proxies consumer-to-provider) - Centralized at the perimeter - Fully-featured  Service Proxy - “East-west” (proxies service-to-service) - Local to service (sidecar) - Streamlined https://abhishek-tiwari.com/a-sidecar-for-your-service-mesh/
Infrastructure – Network Overlays  Platform-specific capabilities  Open source projects - OpenContrail, Romana: network overlays - Project Calico: native support for Docker, Kubernetes, Mesos - Cilium: uses Linux kernel modifications
Infrastructure – Platform Capabilities Kubernetes  Network rules restrict communication between various abstractions: clusters, nodes, pods, services  Authentication ultimately left to application logic Cloud Foundry  UAA for user authentication (OAuth 2.0 with JWT’s)  Multiple options for network ACL’s AWS  Built-in proprietary IAM and certificate management  API access control generally left to application logic
Emerging Approaches – Service Mesh  Both an emerging and a time-worn concept   In practice, network of service proxies  In theory, general policy enforcement for “the system” - Routing, service level management, security  Sample implementation: Istio - “Control plane” for the service mesh - Istio-Auth for authentication, using SPIFFE
Emerging Approaches – Serverless  Constrained but convenient - Less access to infrastructure configuration - Distinction between functions and communication  Access control tied to platform - e.g. AWS Lambda tied to AWS IAM + AWS API Gateway
A Proposed Approach…
Common Patterns in Microservice API Security  “Zero trust” not a common practice due to inefficiency  Many multi-faceted approaches with heterogeneous parts  Many platform-specific capabilities  Binary pattern: - “Fast lane” for traffic based on trust - “Slow lane” for untrusted traffic requiring authentication
Domain Hierarchy Access Regulation for Microservice Architecture (DHARMA) A multi-cloud approach to API security in a microservice architecture Applicable at any level of the architecture Agnostic of domain methodology
What’s in a name? Dharma n. – The principle of cosmic order - We want order in a complex system Significant concept in multiple religions - We want a multi-cloud solution Wheel of Dharma: - Helm of Kubernetes: (And NO… this has nothing to do with the show “Lost”!)
DHARMA Foundational Concepts Concept Definition Trust Domain A set of services that communicate with each other in a privileged way Domain Relation The reason for a domain’s services to be grouped together Trust Mechanism The method used by services within the domain to verify that an API request is coming from a trusted source Access Mechanism The method that allows API requests from outside the domain to be authenticated and authorized Interior Endpoint An API endpoint that is accessible to other services within the domain, authorized through the domain’s trust mechanism Boundary Endpoint An API endpoint that is accessible to services outside the domain, authorized through the domain’s access mechanism Hierarchical Endpoint An API endpoint that is an interior endpoint for one domain and a boundary endpoint for another
DHARMA Request Flow – Single domain
DHARMA Request Flow – Two domains in a hierarchy
A DHARMA Design Methodology Identify trust domains Define trust and access mechanisms Determine interior and boundary endpoints Select domain implementation platforms
Platform-Independent DHARMA Implementation Domain Hierarchy Unbounded Area Outer Domain Inner Domain •External consumers •Beyond org’s control •Public services •Experience-oriented •Private services •Logic-, data-oriented
Platform-Independent DHARMA Implementation Domain Access Mechanism Trust Mechanism Outer Domain OAuth 2.0, opaque access token Signed JWT using org- issued certificate Inner Domain Signed JWT using org- issued certificate Network isolation, optionally propagated JWT
Platform-Independent DHARMA Implementation Implementation considerations Certificate management Token management Component provisioning Service and endpoint deployment Accountability
Platform-Independent DHARMA Implementation Interaction Identification Authentication Authorization External Client Request External client obtains access token from authorization server, sends on API request to outer domain boundary endpoint Receiving API Gateway sends access token to authorization server for validation Authorization server validates access token, exchanges for JWT which is sent back to API Gateway, which forwards request to service’s interior endpoint Outer Domain Service-to-Service Request OR Outer Domain-to-Inner Domain Request Service consumer either sends previously obtained JWT, or obtains new JWT from Authorization Server and sends on API request to outer domain interior endpoint/inner domain boundary endpoint Receiving service proxy validates token signature and certificate chain Service checks JWT claims and processes accordingly Inner Domain Service-to-Service Request Service consumer either sends previously obtained JWT, or obtains new JWT from local secure token service and sends on API request Trusted based on network isolation Service checks JWT claims and processes accordingly
Platform-Independent DHARMA Implementation 1. API request with valid Oauth 2.0 access token 2. API request with signed JWT (domain CA-issued certificate) 3. API request with JWT for accounting, not authorization 4. Token dereferencing/validation/exchange
DHARMA Developer Experience •Service developers should only need to consider deployment domain, claim-related authorization logic, and API message auditing within the service Enabling Access Control for a Service/API •Policies should be articulated clearly, platform agnostic (e.g. OpenAPI) •Provide tooling for API consumers Publishing and Discovering API Access Control Policies •Organization-wide policies enforced by API intermediaries for ease of change Access Control Policy Change Management
What next?
Standardizing the Language of Microservices
Refining DHARMA Vetting the implementation example Platform-specific implementations Re-casting existing security approaches
Extending DHARMA Metadata for interoperability Other synchronous protocols (e.g. gRPC, GraphQL) Event-based/reactive systems (e.g. Kafka)
Conclusion API security is essential in a microservice architecture A wide variety of current approaches are in use, based on networks, tokens, platforms and solutions DHARMA offers an adaptable methodology for API access control in a microservice architecture Lots of room to evolve and refine DHARMA to cover other gaps in the microservice API security landscape
Questions?
Vice President, API Academy, CA Technologies matthew.mclarty@ca.com Matt McLarty @mattmclartybc www.slideshare.net/MattMcLarty linkedin.com/in/mattmclartybc apiacademy.co Thank You!

Recommended

Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways Kong Inc.
 
02 api gateway
02 api gateway02 api gateway
02 api gatewayJanani Velmurugan
 
SpringBoot 3 Observability
SpringBoot 3 ObservabilitySpringBoot 3 Observability
SpringBoot 3 ObservabilityKnoldus Inc.
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternVMware Tanzu
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0WSO2
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaAIMDek Technologies
 

Recommended

Microservices & API Gateways
Microservices & API Gateways Microservices & API Gateways
Microservices & API Gateways Kong Inc.
 
02 api gateway
02 api gateway02 api gateway
02 api gatewayJanani Velmurugan
 
SpringBoot 3 Observability
SpringBoot 3 ObservabilitySpringBoot 3 Observability
SpringBoot 3 ObservabilityKnoldus Inc.
 
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityRest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin
 
API Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternAPI Gateway How-To: The Many Ways to Apply the Gateway Pattern
API Gateway How-To: The Many Ways to Apply the Gateway PatternVMware Tanzu
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0Highlights of WSO2 API Manager 4.0.0
Highlights of WSO2 API Manager 4.0.0WSO2
 
Introduction to Apache Kafka
Introduction to Apache KafkaIntroduction to Apache Kafka
Introduction to Apache KafkaAIMDek Technologies
 
API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the EnterpriseApigee | Google Cloud
 
Integrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your EnvironmentIntegrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your Environmentconfluent
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Microservices Architecture & Testing Strategies
Microservices Architecture & Testing StrategiesMicroservices Architecture & Testing Strategies
Microservices Architecture & Testing StrategiesAraf Karsh Hamid
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?LunchBadger
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service MeshNatanael Fonseca
 
Microservice Architecture
Microservice ArchitectureMicroservice Architecture
Microservice ArchitectureNguyen Tung
 
Monolithic architecture
Monolithic architectureMonolithic architecture
Monolithic architectureSRM University Delhi-NCR sonepat
 
Introduction to Microservices
Introduction to MicroservicesIntroduction to Microservices
Introduction to MicroservicesAmazon Web Services
 
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
Microservices Architectures: Become a Unicorn like Netflix, Twitter and HailoMicroservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailogjuljo
 
Microservice vs. Monolithic Architecture
Microservice vs. Monolithic ArchitectureMicroservice vs. Monolithic Architecture
Microservice vs. Monolithic ArchitecturePaul Mooney
 
Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with KongNebulaworks
 
Spring Boot Observability
Spring Boot ObservabilitySpring Boot Observability
Spring Boot ObservabilityVMware Tanzu
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaArvind Kumar G.S
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For ArchitectsKevin Brockhoff
 
Hexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootHexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootMikalai Alimenkou
 
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkDBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkTimothy Spann
 
Introduction To Microservices
Introduction To MicroservicesIntroduction To Microservices
Introduction To MicroservicesLalit Kale
 
Building APIs with the OpenApi Spec
Building APIs with the OpenApi SpecBuilding APIs with the OpenApi Spec
Building APIs with the OpenApi SpecPedro J. Molina
 
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Private Cloud
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 

More Related Content

What's hot

Integrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your EnvironmentIntegrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your Environmentconfluent
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Microservices Architecture & Testing Strategies
Microservices Architecture & Testing StrategiesMicroservices Architecture & Testing Strategies
Microservices Architecture & Testing StrategiesAraf Karsh Hamid
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?LunchBadger
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service MeshNatanael Fonseca
 
Microservice Architecture
Microservice ArchitectureMicroservice Architecture
Microservice ArchitectureNguyen Tung
 
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
Microservices Architectures: Become a Unicorn like Netflix, Twitter and HailoMicroservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailogjuljo
 
Microservice vs. Monolithic Architecture
Microservice vs. Monolithic ArchitectureMicroservice vs. Monolithic Architecture
Microservice vs. Monolithic ArchitecturePaul Mooney
 
Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with KongNebulaworks
 
Spring Boot Observability
Spring Boot ObservabilitySpring Boot Observability
Spring Boot ObservabilityVMware Tanzu
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaArvind Kumar G.S
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For ArchitectsKevin Brockhoff
 
Hexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootHexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootMikalai Alimenkou
 
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkDBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkTimothy Spann
 
Introduction To Microservices
Introduction To MicroservicesIntroduction To Microservices
Introduction To MicroservicesLalit Kale
 
Building APIs with the OpenApi Spec
Building APIs with the OpenApi SpecBuilding APIs with the OpenApi Spec
Building APIs with the OpenApi SpecPedro J. Molina
 

What's hot (20)

API Governance in the Enterprise
API Governance in the EnterpriseAPI Governance in the Enterprise
API Governance in the Enterprise
 
Integrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your EnvironmentIntegrating Apache Kafka Into Your Environment
Integrating Apache Kafka Into Your Environment
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Microservices Architecture & Testing Strategies
Microservices Architecture & Testing StrategiesMicroservices Architecture & Testing Strategies
Microservices Architecture & Testing Strategies
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service Mesh
 
Microservice Architecture
Microservice ArchitectureMicroservice Architecture
Microservice Architecture
 
Monolithic architecture
Monolithic architectureMonolithic architecture
Monolithic architecture
 
Introduction to Microservices
Introduction to MicroservicesIntroduction to Microservices
Introduction to Microservices
 
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
Microservices Architectures: Become a Unicorn like Netflix, Twitter and HailoMicroservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
Microservices Architectures: Become a Unicorn like Netflix, Twitter and Hailo
 
Microservice vs. Monolithic Architecture
Microservice vs. Monolithic ArchitectureMicroservice vs. Monolithic Architecture
Microservice vs. Monolithic Architecture
 
Kuberntes Ingress with Kong
Kuberntes Ingress with KongKuberntes Ingress with Kong
Kuberntes Ingress with Kong
 
Spring Boot Observability
Spring Boot ObservabilitySpring Boot Observability
Spring Boot Observability
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Monitoring using Prometheus and Grafana
Monitoring using Prometheus and GrafanaMonitoring using Prometheus and Grafana
Monitoring using Prometheus and Grafana
 
OpenTelemetry For Architects
OpenTelemetry For ArchitectsOpenTelemetry For Architects
OpenTelemetry For Architects
 
Hexagonal architecture with Spring Boot
Hexagonal architecture with Spring BootHexagonal architecture with Spring Boot
Hexagonal architecture with Spring Boot
 
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and FlinkDBA Fundamentals Group: Continuous SQL with Kafka and Flink
DBA Fundamentals Group: Continuous SQL with Kafka and Flink
 
Introduction To Microservices
Introduction To MicroservicesIntroduction To Microservices
Introduction To Microservices
 
Building APIs with the OpenApi Spec
Building APIs with the OpenApi SpecBuilding APIs with the OpenApi Spec
Building APIs with the OpenApi Spec
 

Similar to API Security in a Microservice Architecture

Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Private Cloud
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...Information Security Awareness Group
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPAKnoldus Inc.
 
Amazon VPC Lattice: The Service Mesh you actually want!!
Amazon VPC Lattice: The Service Mesh you actually want!!Amazon VPC Lattice: The Service Mesh you actually want!!
Amazon VPC Lattice: The Service Mesh you actually want!!Aaron Walker
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlAaronLieberman5
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...apidays
 
Cisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud PlatformCisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud PlatformShashi Kiran
 

Similar to API Security in a Microservice Architecture (20)

Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision MakersMicrosoft Windows Azure Platform Appfabric for Technical Decision Makers
Microsoft Windows Azure Platform Appfabric for Technical Decision Makers
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Unlocking the Cloud Operating Model
Unlocking the Cloud Operating ModelUnlocking the Cloud Operating Model
Unlocking the Cloud Operating Model
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3
 
API Security with OAuth2.0.
API Security with OAuth2.0.API Security with OAuth2.0.
API Security with OAuth2.0.
 
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...
 
HTTP Authorization using OPA
HTTP Authorization using OPAHTTP Authorization using OPA
HTTP Authorization using OPA
 
Amazon VPC Lattice: The Service Mesh you actually want!!
Amazon VPC Lattice: The Service Mesh you actually want!!Amazon VPC Lattice: The Service Mesh you actually want!!
Amazon VPC Lattice: The Service Mesh you actually want!!
 
Securing ap is oauth and fine grained access control
Securing ap is oauth and fine grained access controlSecuring ap is oauth and fine grained access control
Securing ap is oauth and fine grained access control
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
 
Cisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud PlatformCisco ACI for the Microsoft Cloud Platform
Cisco ACI for the Microsoft Cloud Platform
 

More from Matt McLarty

A Visual Language for Systems Integration
A Visual Language for Systems IntegrationA Visual Language for Systems Integration
A Visual Language for Systems IntegrationMatt McLarty
 
Composable data for the composable enterprise
Composable data for the composable enterpriseComposable data for the composable enterprise
Composable data for the composable enterpriseMatt McLarty
 
Value Networks in Open Banking
Value Networks in Open BankingValue Networks in Open Banking
Value Networks in Open BankingMatt McLarty
 
Mapping API business models through value exchange
Mapping API business models through value exchangeMapping API business models through value exchange
Mapping API business models through value exchangeMatt McLarty
 
Overcoming RESTlessness
Overcoming RESTlessnessOvercoming RESTlessness
Overcoming RESTlessnessMatt McLarty
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API StrategyMatt McLarty
 
Microservices: 5 Years In
Microservices: 5 Years InMicroservices: 5 Years In
Microservices: 5 Years InMatt McLarty
 
Applying Systems Thinking to Software Architecture
Applying Systems Thinking to Software ArchitectureApplying Systems Thinking to Software Architecture
Applying Systems Thinking to Software ArchitectureMatt McLarty
 
META for Microservices: Getting your enterprise migration in motion
META for Microservices: Getting your enterprise migration in motionMETA for Microservices: Getting your enterprise migration in motion
META for Microservices: Getting your enterprise migration in motionMatt McLarty
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API StrategyMatt McLarty
 
Design-Based Microservices AKA Planes, Trains & Automobiles
Design-Based Microservices AKA Planes, Trains & AutomobilesDesign-Based Microservices AKA Planes, Trains & Automobiles
Design-Based Microservices AKA Planes, Trains & AutomobilesMatt McLarty
 
Vancouver Microservices Meetup - Kickoff Session
Vancouver Microservices Meetup - Kickoff SessionVancouver Microservices Meetup - Kickoff Session
Vancouver Microservices Meetup - Kickoff SessionMatt McLarty
 
Microservice Lifecycle Demo Presentation
Microservice Lifecycle Demo PresentationMicroservice Lifecycle Demo Presentation
Microservice Lifecycle Demo PresentationMatt McLarty
 
A Capability Blueprint for Microservices
A Capability Blueprint for MicroservicesA Capability Blueprint for Microservices
A Capability Blueprint for MicroservicesMatt McLarty
 
API360 Microservices Summit Welcome
API360 Microservices Summit WelcomeAPI360 Microservices Summit Welcome
API360 Microservices Summit WelcomeMatt McLarty
 
Defining Microservices
Defining MicroservicesDefining Microservices
Defining MicroservicesMatt McLarty
 
The Agile Roots of Microservices
The Agile Roots of MicroservicesThe Agile Roots of Microservices
The Agile Roots of MicroservicesMatt McLarty
 

More from Matt McLarty (17)

A Visual Language for Systems Integration
A Visual Language for Systems IntegrationA Visual Language for Systems Integration
A Visual Language for Systems Integration
 
Composable data for the composable enterprise
Composable data for the composable enterpriseComposable data for the composable enterprise
Composable data for the composable enterprise
 
Value Networks in Open Banking
Value Networks in Open BankingValue Networks in Open Banking
Value Networks in Open Banking
 
Mapping API business models through value exchange
Mapping API business models through value exchangeMapping API business models through value exchange
Mapping API business models through value exchange
 
Overcoming RESTlessness
Overcoming RESTlessnessOvercoming RESTlessness
Overcoming RESTlessness
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API Strategy
 
Microservices: 5 Years In
Microservices: 5 Years InMicroservices: 5 Years In
Microservices: 5 Years In
 
Applying Systems Thinking to Software Architecture
Applying Systems Thinking to Software ArchitectureApplying Systems Thinking to Software Architecture
Applying Systems Thinking to Software Architecture
 
META for Microservices: Getting your enterprise migration in motion
META for Microservices: Getting your enterprise migration in motionMETA for Microservices: Getting your enterprise migration in motion
META for Microservices: Getting your enterprise migration in motion
 
How to Execute a Successful API Strategy
How to Execute a Successful API StrategyHow to Execute a Successful API Strategy
How to Execute a Successful API Strategy
 
Design-Based Microservices AKA Planes, Trains & Automobiles
Design-Based Microservices AKA Planes, Trains & AutomobilesDesign-Based Microservices AKA Planes, Trains & Automobiles
Design-Based Microservices AKA Planes, Trains & Automobiles
 
Vancouver Microservices Meetup - Kickoff Session
Vancouver Microservices Meetup - Kickoff SessionVancouver Microservices Meetup - Kickoff Session
Vancouver Microservices Meetup - Kickoff Session
 
Microservice Lifecycle Demo Presentation
Microservice Lifecycle Demo PresentationMicroservice Lifecycle Demo Presentation
Microservice Lifecycle Demo Presentation
 
A Capability Blueprint for Microservices
A Capability Blueprint for MicroservicesA Capability Blueprint for Microservices
A Capability Blueprint for Microservices
 
API360 Microservices Summit Welcome
API360 Microservices Summit WelcomeAPI360 Microservices Summit Welcome
API360 Microservices Summit Welcome
 
Defining Microservices
Defining MicroservicesDefining Microservices
Defining Microservices
 
The Agile Roots of Microservices
The Agile Roots of MicroservicesThe Agile Roots of Microservices
The Agile Roots of Microservices
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

API Security in a Microservice Architecture

  • 1. API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018
  • 2. Agenda  Purpose and Goals  Background  Current Approaches - Network-level Controls - Application-level Controls - Emerging Approaches  Proposed Approach - Domain Hierarchy Access Regulation for Microservice Architecture (DHARMA) - Platform-Independent DHARMA Implementation  What Next?
  • 3. About Matt McLarty  Vice President of the API Academy (CA Technologies)  Co-author of Microservice Architecture from O’Reilly  Instructor for Microservices for the Enterprise O’Reilly training  20+ years in development, enterprise IT, software architecture  Architect, writer, speaker  Live in Vancouver, BC, Canada
  • 5. Goals Primary  Create a comprehensive “literature review” for Microservice API Security  Define a general model for API access control applicable to microservices  Refine the general model for practical use in a microservice architecture  Anticipate the next level of problems and solutions required for microservice API security Secondary  Help to develop a common language for microservices and distributed systems in general  With Fielding as inspiration, try to define a methodology for general solutions like this
  • 7. Microservice Architecture Characteristics Service orientation Independent deployability and manageability Ephemerality and elasticity Web API communication Container-based deployment
  • 8. Microservice API Terminology  Service - Service Instance  API - API Endpoint  API Request  API Response  API Consumer  API Provider  API Intermediary - API Gateway - Service Proxy
  • 10. IAAA Framework for Microservice APIs •Must support multiple identities and attributes (end users, system components, domains)Identification •Must support multiple authentication methods as well as delegated authenticationAuthentication •Authorization for a single request may be decided at multiple points in the request pathAuthorization •Capture of relevant security data or metadata from API messagesAccountability
  • 12. About Trust  Trust is fundamental in distributed systems  Implicit trust is everywhere! - e.g. network isolation  Trust is about understanding and compromise Trusted communication should be more efficient than untrusted
  • 14. SPIFFE  “Secure Production Identity Framework for Everyone”  PKI functions for ephemeral environments  SVID’s - “SPIFFE Verifiable Identity Documents” - Identity for services and other components  SPIRE - “SPIFFE Runtime Environment” - Agent/Server architecture
  • 15. Application-Level Controls – Traditional Web Tokens Cookie-based Sessions  Can have a role as long as storage is performant and scalable  Session ID open to hijack  Sessions do not cross security domains SAML  Some concepts useful  Too centralized and heavy for microservice architectures  Does not support delegation
  • 16. Application-Level Controls – API-oriented Tokens API Keys  An application identifier, not a security mechanism! OAuth 2.0  Framework for API authorization, supports delegation  Agnostic of token types OpenID Connect  Extends Oauth 2.0 with ID Token JWT  Packaging format for exchanging claims  Convenient and popular in practice
  • 17. Application-Level Controls –Token Types Opaque (“by-reference”) tokens  Indecipherable to third parties, but require centralized management Transparent (“by-value”) tokens  Management can be decentralized, but accessible to third parties
  • 18. Infrastructure – API Intermediaries  API Gateway - “North-south” (proxies consumer-to-provider) - Centralized at the perimeter - Fully-featured  Service Proxy - “East-west” (proxies service-to-service) - Local to service (sidecar) - Streamlined https://abhishek-tiwari.com/a-sidecar-for-your-service-mesh/
  • 19. Infrastructure – Network Overlays  Platform-specific capabilities  Open source projects - OpenContrail, Romana: network overlays - Project Calico: native support for Docker, Kubernetes, Mesos - Cilium: uses Linux kernel modifications
  • 20. Infrastructure – Platform Capabilities Kubernetes  Network rules restrict communication between various abstractions: clusters, nodes, pods, services  Authentication ultimately left to application logic Cloud Foundry  UAA for user authentication (OAuth 2.0 with JWT’s)  Multiple options for network ACL’s AWS  Built-in proprietary IAM and certificate management  API access control generally left to application logic
  • 21. Emerging Approaches – Service Mesh  Both an emerging and a time-worn concept   In practice, network of service proxies  In theory, general policy enforcement for “the system” - Routing, service level management, security  Sample implementation: Istio - “Control plane” for the service mesh - Istio-Auth for authentication, using SPIFFE
  • 22. Emerging Approaches – Serverless  Constrained but convenient - Less access to infrastructure configuration - Distinction between functions and communication  Access control tied to platform - e.g. AWS Lambda tied to AWS IAM + AWS API Gateway
  • 24. Common Patterns in Microservice API Security  “Zero trust” not a common practice due to inefficiency  Many multi-faceted approaches with heterogeneous parts  Many platform-specific capabilities  Binary pattern: - “Fast lane” for traffic based on trust - “Slow lane” for untrusted traffic requiring authentication
  • 25. Domain Hierarchy Access Regulation for Microservice Architecture (DHARMA) A multi-cloud approach to API security in a microservice architecture Applicable at any level of the architecture Agnostic of domain methodology
  • 26. What’s in a name? Dharma n. – The principle of cosmic order - We want order in a complex system Significant concept in multiple religions - We want a multi-cloud solution Wheel of Dharma: - Helm of Kubernetes: (And NO… this has nothing to do with the show “Lost”!)
  • 27. DHARMA Foundational Concepts Concept Definition Trust Domain A set of services that communicate with each other in a privileged way Domain Relation The reason for a domain’s services to be grouped together Trust Mechanism The method used by services within the domain to verify that an API request is coming from a trusted source Access Mechanism The method that allows API requests from outside the domain to be authenticated and authorized Interior Endpoint An API endpoint that is accessible to other services within the domain, authorized through the domain’s trust mechanism Boundary Endpoint An API endpoint that is accessible to services outside the domain, authorized through the domain’s access mechanism Hierarchical Endpoint An API endpoint that is an interior endpoint for one domain and a boundary endpoint for another
  • 28. DHARMA Request Flow – Single domain
  • 29. DHARMA Request Flow – Two domains in a hierarchy
  • 30. A DHARMA Design Methodology Identify trust domains Define trust and access mechanisms Determine interior and boundary endpoints Select domain implementation platforms
  • 31. Platform-Independent DHARMA Implementation Domain Hierarchy Unbounded Area Outer Domain Inner Domain •External consumers •Beyond org’s control •Public services •Experience-oriented •Private services •Logic-, data-oriented
  • 32. Platform-Independent DHARMA Implementation Domain Access Mechanism Trust Mechanism Outer Domain OAuth 2.0, opaque access token Signed JWT using org- issued certificate Inner Domain Signed JWT using org- issued certificate Network isolation, optionally propagated JWT
  • 33. Platform-Independent DHARMA Implementation Implementation considerations Certificate management Token management Component provisioning Service and endpoint deployment Accountability
  • 34. Platform-Independent DHARMA Implementation Interaction Identification Authentication Authorization External Client Request External client obtains access token from authorization server, sends on API request to outer domain boundary endpoint Receiving API Gateway sends access token to authorization server for validation Authorization server validates access token, exchanges for JWT which is sent back to API Gateway, which forwards request to service’s interior endpoint Outer Domain Service-to-Service Request OR Outer Domain-to-Inner Domain Request Service consumer either sends previously obtained JWT, or obtains new JWT from Authorization Server and sends on API request to outer domain interior endpoint/inner domain boundary endpoint Receiving service proxy validates token signature and certificate chain Service checks JWT claims and processes accordingly Inner Domain Service-to-Service Request Service consumer either sends previously obtained JWT, or obtains new JWT from local secure token service and sends on API request Trusted based on network isolation Service checks JWT claims and processes accordingly
  • 35. Platform-Independent DHARMA Implementation 1. API request with valid Oauth 2.0 access token 2. API request with signed JWT (domain CA-issued certificate) 3. API request with JWT for accounting, not authorization 4. Token dereferencing/validation/exchange
  • 36. DHARMA Developer Experience •Service developers should only need to consider deployment domain, claim-related authorization logic, and API message auditing within the service Enabling Access Control for a Service/API •Policies should be articulated clearly, platform agnostic (e.g. OpenAPI) •Provide tooling for API consumers Publishing and Discovering API Access Control Policies •Organization-wide policies enforced by API intermediaries for ease of change Access Control Policy Change Management
  • 38. Standardizing the Language of Microservices
  • 39. Refining DHARMA Vetting the implementation example Platform-specific implementations Re-casting existing security approaches
  • 40. Extending DHARMA Metadata for interoperability Other synchronous protocols (e.g. gRPC, GraphQL) Event-based/reactive systems (e.g. Kafka)
  • 41. Conclusion API security is essential in a microservice architecture A wide variety of current approaches are in use, based on networks, tokens, platforms and solutions DHARMA offers an adaptable methodology for API access control in a microservice architecture Lots of room to evolve and refine DHARMA to cover other gaps in the microservice API security landscape
  • 43. Vice President, API Academy, CA Technologies matthew.mclarty@ca.com Matt McLarty @mattmclartybc www.slideshare.net/MattMcLarty linkedin.com/in/mattmclartybc apiacademy.co Thank You!