SlideShare a Scribd company logo
Microservices security. How (not) to?
Bertrand CARLIER
bertrand.carlier@wavestone.com
@bertrandcarlier
© WAVESTONE 2
2800+ consultants
On 4 continents & 20+ fields of expertise
Who am I?
Cybersecurity practice
400+ consultants
Paris, New York, London, Hong Kong
Adressing all topics within cybersecurity
Digital Identity 120+ experts in identity and access management
Maturity assessments, roadmap definition, projects design & build
Myself
Fell into identity circa 2004, handcrafted SAML tokens circa 2007
Standards enthusiast and zelot ever since
Remote attendee of Cloud ID Summit for years, first on-site CIS/Identiverse last year
@bertrandcarlier
© WAVESTONE 3
Backend APIs
What I mean when I say « microservices »
An application calling an API endpoint…
…calling another API endpoint
…calling another API endpoint
…calling other API endpoints
…
This generally also involves CI/CD tools
and various degrees of automation
Client
APIAPI API
API API API
API API API
Front
APIs
© WAVESTONE 4
What I mean when I say « microservices »
An application calling an API endpoint…
…calling another API endpoint
…calling another API endpoint
…calling other API endpoints
…
This generally also involves CI/CD tools
and various degrees of automation
Client
APIAPI API
API API API
API API API
Backend APIsFront
APIs
© WAVESTONE 5
How to secure microservices 101
Client
APIAPI API
API API API
API API APIAPI Gateway
OAuth2 Network isolation
Authorization
server
© WAVESTONE 6
If only it was that simple…
© WAVESTONE 7
What happens inside? Free all-you-can-reach buffet!
Client
APIAPI API
API API API
API API APIAPI Gateway
Authorization
server
Should the front Access
Token be propagated?
What could the API Gateway
swap the front token with?
Which APIs can reach
which APIs?
?
? ?
??
? ?
?
? ?
?
© WAVESTONE 8
Option #1. Cleartext headers
Client
APIAPI API
API API API
API API APIAPI Gateway
Authorization
server
Not really secure of course
/ Unless there is a strict network isolation in place, this allows for
a lot of attack scenarios
› Impersonation
› Augmented authorizations
› etc.
A naïve approach
/ “Token offloading” at the gate
/ Developers don’t need to “do” security or crypto stuff
{}
{}
{}
{}
{} {}
{}
{}
{}
{}
{}
{userid, client_id,
access rights, etc.}
© WAVESTONE 9
Option #2. Token transmission
Client
APIAPI API
API API API
API API APIAPI Gateway
Authorization
server
But still not the safest
/ Confused deputy attack: One compromised API allows
compromising any network-reachable API (only with initial
user identity)
A slightly better solution
/ Allows for user identity & rights integrity
/ Developers might need to do crypto stuff
› One could provide them with helper libraries
› API Gateway round trip could be required
© WAVESTONE 10
Option #3. OAuth scopes
Client API Gateway
Authorization
server
APIAPI API
API API API
? ?
?
Still not perfect
/ Requires to know beforehand all required scopes in the chain
/ Often requires to define separated (business) API domains
/ In many cases this solution can be secure enough
Introduce notion of service to service controls
/ API gateway and/or client can generate/manage several tokens
with different scopes
/ Compromission spreading is limited
API API API
© WAVESTONE 11
Option #4. Token Exchange
Client API Gateway
Authorization
server
APIAPI API
API API API
Of course it is not perfect
/ Introduces network latency to get each token
/ Can be a burden to developers (unless productized in a library)
Fined-grained service-to-service control
/ Access tokens contain the user identity and the list of APIs
went across
/ Authorization server and/or API can enforce any fine-grained
policy they wish
API API API
© WAVESTONE 12
And many other options!
Service-to-service
authentication /
authorization
/ Mutual TLS
/ Client credential token
/ Self signed JWT
/ Nested self-signed JWT
(see Will Tran’s work at https://github.com/william-tran/microxchg2017)
Token validation
/ API gateway (ie. Reverse Proxy)
/ Embedded software library (ie. Agent)
/ Micro-gateways
Main difficulties remain
/ Key management to authenticate services / sign tokens
/ Define/maintain/centralize fine-grained access policies
/ By-value JWT
/ By-reference token
© WAVESTONE 13
Case studies
© WAVESTONE 14
Cheese retail company
© WAVESTONE 15
Cheese retail company
• Get or update inventory across branches
• Get special deals in real time
APIs for in-store sales
people on mobile device
• Real-time availability
• Click to collect
• Previous commands and receipts
APIs for consumers
• Mobile HR APIs
• ERP APIs
APIs for Human
Resources and Finance
Cheese supermarkets all over France and now a few other countries.
We now have that goat cheese
you loved back in stock!
This Brie is available in a branch
less than 10km from here!
Our margin on Époisses is
outstanding!
This branche’s sales on Comté
are really low
That smelly Camembert is now
30% off for a limited time!
That smelly Camembert is now
30% off for a limited time!
This individual will get a 20%
raise this year
© WAVESTONE 16
Inventory
HR
ERP
Cheese retail company
APIs
Fence
Network isolation
Sub domain
isolation
/ An API Gateway
› Check the token validity
› Serialize it
/ A “fence” per functional domain
› Check user access rights
› PaaS based network isolation
› Domain-to-domain requests must go
back through fences
/ Micro-services
› Check client access rights
An architecture based on three levels
© WAVESTONE 17
Big Bakery Company
Pas la meilleur image !
© WAVESTONE 18
Big Bakery Company
• New varieties of bread and croissant must
hit the market before competitors
• Agility to develop new products and means
to trade them
A classic story of digital
transformation
• Corporate clients do not want to access
apps, they also want APIs
• Internal dev teams also want to leverage
data and operations through APIs
APIs first
• Spoiled pains au chocolat or sandwiches
can cause severe health troubles
• Recipes are very valuable assets that
mustn’t leak
Strong regulation
A well established trading company in the bread and viennoiserie business
I’ll just add a
pinch of ginger…
Let’s patch this
croissant with almonds!
/GET this sandwich before
it expires or /DELETE it!
Baguettes as a ServiceI can compose 1815
varieties of donuts now!
© WAVESTONE 19
Big Bakery Company
Front APIs, using both user and
application right
Network isolation
A very secure & robust architecture in theory
/ Token exchange from front to back
/ Client rights as scopes
/ User rights as custom claim
But actually not fully leveraged
/ Only the front APIs check the user rights
/ Backend APIs only check the application rights and (implicitly)
trust front APIs to check user rights
Check app right
Check user right
Back-end APIs using only application right
Reachable with token 1
Reachable with token 2
Reachable with token 3
© WAVESTONE 20
Wine Company
© WAVESTONE 21
Wine Company
• Pay-as-you-drink, next bill estimation
based on current consumption
Wine as a Service
• Suggestion based on previous tastings
• AI powered advisor
Wine advisor
• Data sharing with wine amateurs social
networks
Third party services
integration
A utility company for wine. Millions of customers,
With your Tournedos
Rossini, I suggest you
have a Margaux ‘62
I’d say you may very well
like a Pommard
To meet your target
budget, you must have
2 more glasses
€
Congrats! You just
earned the Burgundy
Expert badge!
© WAVESTONE 22
Utilities – Wine as a Service
Network isolation
An approach based on point to point controls…
/ Using scope (and a strong scope governance)
/ Using both users and applications right, allows to ensure
traceability
Soon-to-be-in-production: a micro API Gateway
/ Deployed in front of each APIs in containers
/ Based on FOSS module (Apache & mod_auth_openidc)
/ A one-fits-all solution : Java, Ruby, Node.js, etc.
Classical services
Micro API Gateway
Container
© WAVESTONE 23
3 different environments, 3 different solutions
Development agility, feature teams
independence
Coarse-grained scopes, fine-grained
user rights
Business domain
segregation
Very risk averse environment, required
traceability
Fine-grained user and application rights
Token exchange
Heterogeneous technologies for API
development, unsegmented network
Moving to micro-gateways, leveraging
CI/CD tools
Micro gateways
© WAVESTONE 24
A few rules to balance API security design
Different contexts will result in different architectures
/ Security requirements
/ Build & deployment automation capabilities
/ Gateway vs. agents vs. micro-gateways
1
Token transmission & scope management will fit most security requirements
/ Secure enough in most cases
/ Relatively easy to implement
2
Consider other options to cover additional security constraints
/ Service-to-service authentication
/ Token exchange or nested self-issued JWTs3
© WAVESTONE 25
There are many available blocks to achieve micro-services security.
The main difficulty is to build it without mistakes
© WAVESTONE 26
Dou Ohote Raillte!
wavestone.com
@wavestone_
Bertrand CARLIER
Senior Manager
M +33 (0)6 18 64 42 52
bertrand.carlier@wavestone.com
riskinsight-wavestone.com
@Risk_Insight
securityinsider-solucom.fr
@SecuInsider
PARIS
LONDON
NEW YORK
HONG KONG
SINGAPORE *
DUBAI *
SAO PAULO *
LUXEMBOURG
MADRID *
MILANO *
BRUSSELS
GENEVA
CASABLANCA
ISTANBUL *
LYON
MARSEILLE
NANTES
* Partnerships

More Related Content

What's hot

User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415
IsraelGuillen12
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
CA Technologies
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Adar Weidman
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
Sylvain Maret
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
ForgeRock
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Ping Identity
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
ForgeRock
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Ping Identity
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
CA API Management
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Ping Identity
 
Gravitee.io
Gravitee.ioGravitee.io
Gravitee.io
Knoldus Inc.
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
WSO2
 
API Security and OAuth for the Enterprise
API Security and OAuth for the EnterpriseAPI Security and OAuth for the Enterprise
API Security and OAuth for the Enterprise
CA API Management
 
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
NYC Identity Summit Tech Day: ForgeRock Identity Platform OverviewNYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
ForgeRock
 

What's hot (20)

User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
 
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
Leveraging New Features in CA Single-Sign on to Enable Web Services, Social S...
 
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon ShkedyCheckmarx meetup API Security - API Security in depth - Inon Shkedy
Checkmarx meetup API Security - API Security in depth - Inon Shkedy
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through ScriptingWebinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
 
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
Standard Based API Security, Access Control and AI Based Attack - API Days Pa...
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016  ForgeRock Platform Release - Summer 2016
ForgeRock Platform Release - Summer 2016
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
API Security and Management Best Practices
API Security and Management Best PracticesAPI Security and Management Best Practices
API Security and Management Best Practices
 
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
Criteria for Effective Modern IAM Strategies (Gartner IAM 2018)
 
Gravitee.io
Gravitee.ioGravitee.io
Gravitee.io
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas The WSO2 Identity Server - An answer to your common XACML dilemmas
The WSO2 Identity Server - An answer to your common XACML dilemmas
 
API Security and OAuth for the Enterprise
API Security and OAuth for the EnterpriseAPI Security and OAuth for the Enterprise
API Security and OAuth for the Enterprise
 
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
NYC Identity Summit Tech Day: ForgeRock Identity Platform OverviewNYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
 

Similar to Identiverse - Microservices Security

OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
Intuit Developer
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
Ping Identity
 
The Swisscom APi journey
The Swisscom APi journeyThe Swisscom APi journey
The Swisscom APi journey
Kay Lummitsch - Digital Journeyman
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
CA API Management
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
Jack Carnes
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security Strategy
Nordic APIs
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
Donald Malloy
 
How CA Technologies Enables Its Own Employees and Secures Access to Applicati...
How CA Technologies Enables Its Own Employees and Secures Access to Applicati...How CA Technologies Enables Its Own Employees and Secures Access to Applicati...
How CA Technologies Enables Its Own Employees and Secures Access to Applicati...
CA Technologies
 
2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup
Michael Leppitsch
 
Building APIs in a Cloud Native Era
Building APIs in a Cloud Native EraBuilding APIs in a Cloud Native Era
Building APIs in a Cloud Native Era
Nuwan Dias
 
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Diasapidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias
apidays
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and Implementation
Christian Glahn
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
Shiu-Fun Poon
 
The Case For Next Generation IAM
The Case For Next Generation IAM The Case For Next Generation IAM
The Case For Next Generation IAM
Patrick Harding
 
TheWriteId > components
TheWriteId > componentsTheWriteId > components
TheWriteId > components
Tim De Coninck
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
NETUserGroupBern
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
Apigee | Google Cloud
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your Customers
CA Technologies
 

Similar to Identiverse - Microservices Security (20)

OAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST ServicesOAuth for QuickBooks Online REST Services
OAuth for QuickBooks Online REST Services
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
The Swisscom APi journey
The Swisscom APi journeyThe Swisscom APi journey
The Swisscom APi journey
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
 
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri...
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
How to Build an Effective API Security Strategy
How to Build an Effective API Security StrategyHow to Build an Effective API Security Strategy
How to Build an Effective API Security Strategy
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
How CA Technologies Enables Its Own Employees and Secures Access to Applicati...
How CA Technologies Enables Its Own Employees and Secures Access to Applicati...How CA Technologies Enables Its Own Employees and Secures Access to Applicati...
How CA Technologies Enables Its Own Employees and Secures Access to Applicati...
 
2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup2016-Mar-03 Leppitsch in Auckland meetup
2016-Mar-03 Leppitsch in Auckland meetup
 
Building APIs in a Cloud Native Era
Building APIs in a Cloud Native EraBuilding APIs in a Cloud Native Era
Building APIs in a Cloud Native Era
 
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Diasapidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias
apidays LIVE Paris - Building APIs in a Cloud Native era by Nuwan Dias
 
EduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and ImplementationEduID Mobile App - Use-Cases, Concepts and Implementation
EduID Mobile App - Use-Cases, Concepts and Implementation
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
The Case For Next Generation IAM
The Case For Next Generation IAM The Case For Next Generation IAM
The Case For Next Generation IAM
 
TheWriteId > components
TheWriteId > componentsTheWriteId > components
TheWriteId > components
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!London Adapt or Die: Securing your APIs the Right Way!
London Adapt or Die: Securing your APIs the Right Way!
 
Creating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your CustomersCreating an Omnichannel Experience for Your Customers
Creating an Omnichannel Experience for Your Customers
 

More from Bertrand Carlier

2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project
Bertrand Carlier
 
Identiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
Bertrand Carlier
 
OAuth2 stands overview
OAuth2 stands overviewOAuth2 stands overview
OAuth2 stands overview
Bertrand Carlier
 
Ping City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des ObjetsPing City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des Objets
Bertrand Carlier
 
GS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIsGS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIs
Bertrand Carlier
 
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'apiWavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Bertrand Carlier
 
DSP2 standards, sécurité, quels impacts wavestone
DSP2 standards, sécurité, quels impacts   wavestoneDSP2 standards, sécurité, quels impacts   wavestone
DSP2 standards, sécurité, quels impacts wavestone
Bertrand Carlier
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demo
Bertrand Carlier
 
Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2
Bertrand Carlier
 
Paris Identity Tech Talk IoT
Paris Identity Tech Talk IoTParis Identity Tech Talk IoT
Paris Identity Tech Talk IoT
Bertrand Carlier
 

More from Bertrand Carlier (10)

2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project2022 Identiverse : How (not) to fail your IAM project
2022 Identiverse : How (not) to fail your IAM project
 
Identiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
 
OAuth2 stands overview
OAuth2 stands overviewOAuth2 stands overview
OAuth2 stands overview
 
Ping City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des ObjetsPing City Tour Paris - Identité des Objets
Ping City Tour Paris - Identité des Objets
 
GS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIsGS Days 2017 - La sécurité des APIs
GS Days 2017 - La sécurité des APIs
 
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'apiWavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
Wavestone - Séminaire à Paris sur la psd 2 et l'éconmie de l'api
 
DSP2 standards, sécurité, quels impacts wavestone
DSP2 standards, sécurité, quels impacts   wavestoneDSP2 standards, sécurité, quels impacts   wavestone
DSP2 standards, sécurité, quels impacts wavestone
 
Wavestone forgerock banking demo
Wavestone forgerock banking demoWavestone forgerock banking demo
Wavestone forgerock banking demo
 
Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2Présentation budget insight impacts de la dsp2
Présentation budget insight impacts de la dsp2
 
Paris Identity Tech Talk IoT
Paris Identity Tech Talk IoTParis Identity Tech Talk IoT
Paris Identity Tech Talk IoT
 

Recently uploaded

ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
Safe Software
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
AlexanderRichford
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
Ortus Solutions, Corp
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
Fwdays
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
Fwdays
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 

Recently uploaded (20)

ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
Essentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation ParametersEssentials of Automations: Exploring Attributes & Automation Parameters
Essentials of Automations: Exploring Attributes & Automation Parameters
 
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving | Nameplate Manufacturing Process - 2024
Northern Engraving | Nameplate Manufacturing Process - 2024
 
Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!Introducing BoxLang : A new JVM language for productivity and modularity!
Introducing BoxLang : A new JVM language for productivity and modularity!
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk"Frontline Battles with DDoS: Best practices and Lessons Learned",  Igor Ivaniuk
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
"What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w..."What does it really mean for your system to be available, or how to define w...
"What does it really mean for your system to be available, or how to define w...
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 

Identiverse - Microservices Security

  • 1. Microservices security. How (not) to? Bertrand CARLIER bertrand.carlier@wavestone.com @bertrandcarlier
  • 2. © WAVESTONE 2 2800+ consultants On 4 continents & 20+ fields of expertise Who am I? Cybersecurity practice 400+ consultants Paris, New York, London, Hong Kong Adressing all topics within cybersecurity Digital Identity 120+ experts in identity and access management Maturity assessments, roadmap definition, projects design & build Myself Fell into identity circa 2004, handcrafted SAML tokens circa 2007 Standards enthusiast and zelot ever since Remote attendee of Cloud ID Summit for years, first on-site CIS/Identiverse last year @bertrandcarlier
  • 3. © WAVESTONE 3 Backend APIs What I mean when I say « microservices » An application calling an API endpoint… …calling another API endpoint …calling another API endpoint …calling other API endpoints … This generally also involves CI/CD tools and various degrees of automation Client APIAPI API API API API API API API Front APIs
  • 4. © WAVESTONE 4 What I mean when I say « microservices » An application calling an API endpoint… …calling another API endpoint …calling another API endpoint …calling other API endpoints … This generally also involves CI/CD tools and various degrees of automation Client APIAPI API API API API API API API Backend APIsFront APIs
  • 5. © WAVESTONE 5 How to secure microservices 101 Client APIAPI API API API API API API APIAPI Gateway OAuth2 Network isolation Authorization server
  • 6. © WAVESTONE 6 If only it was that simple…
  • 7. © WAVESTONE 7 What happens inside? Free all-you-can-reach buffet! Client APIAPI API API API API API API APIAPI Gateway Authorization server Should the front Access Token be propagated? What could the API Gateway swap the front token with? Which APIs can reach which APIs? ? ? ? ?? ? ? ? ? ? ?
  • 8. © WAVESTONE 8 Option #1. Cleartext headers Client APIAPI API API API API API API APIAPI Gateway Authorization server Not really secure of course / Unless there is a strict network isolation in place, this allows for a lot of attack scenarios › Impersonation › Augmented authorizations › etc. A naïve approach / “Token offloading” at the gate / Developers don’t need to “do” security or crypto stuff {} {} {} {} {} {} {} {} {} {} {} {userid, client_id, access rights, etc.}
  • 9. © WAVESTONE 9 Option #2. Token transmission Client APIAPI API API API API API API APIAPI Gateway Authorization server But still not the safest / Confused deputy attack: One compromised API allows compromising any network-reachable API (only with initial user identity) A slightly better solution / Allows for user identity & rights integrity / Developers might need to do crypto stuff › One could provide them with helper libraries › API Gateway round trip could be required
  • 10. © WAVESTONE 10 Option #3. OAuth scopes Client API Gateway Authorization server APIAPI API API API API ? ? ? Still not perfect / Requires to know beforehand all required scopes in the chain / Often requires to define separated (business) API domains / In many cases this solution can be secure enough Introduce notion of service to service controls / API gateway and/or client can generate/manage several tokens with different scopes / Compromission spreading is limited API API API
  • 11. © WAVESTONE 11 Option #4. Token Exchange Client API Gateway Authorization server APIAPI API API API API Of course it is not perfect / Introduces network latency to get each token / Can be a burden to developers (unless productized in a library) Fined-grained service-to-service control / Access tokens contain the user identity and the list of APIs went across / Authorization server and/or API can enforce any fine-grained policy they wish API API API
  • 12. © WAVESTONE 12 And many other options! Service-to-service authentication / authorization / Mutual TLS / Client credential token / Self signed JWT / Nested self-signed JWT (see Will Tran’s work at https://github.com/william-tran/microxchg2017) Token validation / API gateway (ie. Reverse Proxy) / Embedded software library (ie. Agent) / Micro-gateways Main difficulties remain / Key management to authenticate services / sign tokens / Define/maintain/centralize fine-grained access policies / By-value JWT / By-reference token
  • 14. © WAVESTONE 14 Cheese retail company
  • 15. © WAVESTONE 15 Cheese retail company • Get or update inventory across branches • Get special deals in real time APIs for in-store sales people on mobile device • Real-time availability • Click to collect • Previous commands and receipts APIs for consumers • Mobile HR APIs • ERP APIs APIs for Human Resources and Finance Cheese supermarkets all over France and now a few other countries. We now have that goat cheese you loved back in stock! This Brie is available in a branch less than 10km from here! Our margin on Époisses is outstanding! This branche’s sales on Comté are really low That smelly Camembert is now 30% off for a limited time! That smelly Camembert is now 30% off for a limited time! This individual will get a 20% raise this year
  • 16. © WAVESTONE 16 Inventory HR ERP Cheese retail company APIs Fence Network isolation Sub domain isolation / An API Gateway › Check the token validity › Serialize it / A “fence” per functional domain › Check user access rights › PaaS based network isolation › Domain-to-domain requests must go back through fences / Micro-services › Check client access rights An architecture based on three levels
  • 17. © WAVESTONE 17 Big Bakery Company Pas la meilleur image !
  • 18. © WAVESTONE 18 Big Bakery Company • New varieties of bread and croissant must hit the market before competitors • Agility to develop new products and means to trade them A classic story of digital transformation • Corporate clients do not want to access apps, they also want APIs • Internal dev teams also want to leverage data and operations through APIs APIs first • Spoiled pains au chocolat or sandwiches can cause severe health troubles • Recipes are very valuable assets that mustn’t leak Strong regulation A well established trading company in the bread and viennoiserie business I’ll just add a pinch of ginger… Let’s patch this croissant with almonds! /GET this sandwich before it expires or /DELETE it! Baguettes as a ServiceI can compose 1815 varieties of donuts now!
  • 19. © WAVESTONE 19 Big Bakery Company Front APIs, using both user and application right Network isolation A very secure & robust architecture in theory / Token exchange from front to back / Client rights as scopes / User rights as custom claim But actually not fully leveraged / Only the front APIs check the user rights / Backend APIs only check the application rights and (implicitly) trust front APIs to check user rights Check app right Check user right Back-end APIs using only application right Reachable with token 1 Reachable with token 2 Reachable with token 3
  • 21. © WAVESTONE 21 Wine Company • Pay-as-you-drink, next bill estimation based on current consumption Wine as a Service • Suggestion based on previous tastings • AI powered advisor Wine advisor • Data sharing with wine amateurs social networks Third party services integration A utility company for wine. Millions of customers, With your Tournedos Rossini, I suggest you have a Margaux ‘62 I’d say you may very well like a Pommard To meet your target budget, you must have 2 more glasses € Congrats! You just earned the Burgundy Expert badge!
  • 22. © WAVESTONE 22 Utilities – Wine as a Service Network isolation An approach based on point to point controls… / Using scope (and a strong scope governance) / Using both users and applications right, allows to ensure traceability Soon-to-be-in-production: a micro API Gateway / Deployed in front of each APIs in containers / Based on FOSS module (Apache & mod_auth_openidc) / A one-fits-all solution : Java, Ruby, Node.js, etc. Classical services Micro API Gateway Container
  • 23. © WAVESTONE 23 3 different environments, 3 different solutions Development agility, feature teams independence Coarse-grained scopes, fine-grained user rights Business domain segregation Very risk averse environment, required traceability Fine-grained user and application rights Token exchange Heterogeneous technologies for API development, unsegmented network Moving to micro-gateways, leveraging CI/CD tools Micro gateways
  • 24. © WAVESTONE 24 A few rules to balance API security design Different contexts will result in different architectures / Security requirements / Build & deployment automation capabilities / Gateway vs. agents vs. micro-gateways 1 Token transmission & scope management will fit most security requirements / Secure enough in most cases / Relatively easy to implement 2 Consider other options to cover additional security constraints / Service-to-service authentication / Token exchange or nested self-issued JWTs3
  • 25. © WAVESTONE 25 There are many available blocks to achieve micro-services security. The main difficulty is to build it without mistakes
  • 26. © WAVESTONE 26 Dou Ohote Raillte!
  • 27. wavestone.com @wavestone_ Bertrand CARLIER Senior Manager M +33 (0)6 18 64 42 52 bertrand.carlier@wavestone.com riskinsight-wavestone.com @Risk_Insight securityinsider-solucom.fr @SecuInsider
  • 28. PARIS LONDON NEW YORK HONG KONG SINGAPORE * DUBAI * SAO PAULO * LUXEMBOURG MADRID * MILANO * BRUSSELS GENEVA CASABLANCA ISTANBUL * LYON MARSEILLE NANTES * Partnerships