This document discusses security approaches for microservices architectures. It begins by defining microservices as an application that calls API endpoints which then call other API endpoints. It then discusses four options for securing communication between microservices: 1) passing cleartext headers, 2) transmitting tokens, 3) using OAuth scopes, and 4) token exchange. Each option has advantages and disadvantages for security and complexity. The document also provides examples of microservices security architectures for three different companies. It concludes that the main challenge is implementing microservices security without mistakes by balancing requirements, capabilities, and choosing appropriate solutions.

1. Microservices security. How (not) to?
Bertrand CARLIER
bertrand.carlier@wavestone.com
@bertrandcarlier

2. © WAVESTONE 2
2800+ consultants
On 4 continents & 20+ fields of expertise
Who am I?
Cybersecurity practice
400+ consultants
Paris, New York, London, Hong Kong
Adressing all topics within cybersecurity
Digital Identity 120+ experts in identity and access management
Maturity assessments, roadmap definition, projects design & build
Myself
Fell into identity circa 2004, handcrafted SAML tokens circa 2007
Standards enthusiast and zelot ever since
Remote attendee of Cloud ID Summit for years, first on-site CIS/Identiverse last year
@bertrandcarlier

3. © WAVESTONE 3
Backend APIs
What I mean when I say « microservices »
An application calling an API endpoint…
…calling another API endpoint
…calling another API endpoint
…calling other API endpoints
…
This generally also involves CI/CD tools
and various degrees of automation
Client
APIAPI API
API API API
API API API
Front
APIs

4. © WAVESTONE 4
What I mean when I say « microservices »
An application calling an API endpoint…
…calling another API endpoint
…calling another API endpoint
…calling other API endpoints
…
This generally also involves CI/CD tools
and various degrees of automation
Client
APIAPI API
API API API
API API API
Backend APIsFront
APIs

5. © WAVESTONE 5
How to secure microservices 101
Client
APIAPI API
API API API
API API APIAPI Gateway
OAuth2 Network isolation
Authorization
server

6. © WAVESTONE 6
If only it was that simple…

7. © WAVESTONE 7
What happens inside? Free all-you-can-reach buffet!
Client
APIAPI API
API API API
API API APIAPI Gateway
Authorization
server
Should the front Access
Token be propagated?
What could the API Gateway
swap the front token with?
Which APIs can reach
which APIs?
?
? ?
??
? ?
?
? ?
?

8. © WAVESTONE 8
Option #1. Cleartext headers
Client
APIAPI API
API API API
API API APIAPI Gateway
Authorization
server
Not really secure of course
/ Unless there is a strict network isolation in place, this allows for
a lot of attack scenarios
› Impersonation
› Augmented authorizations
› etc.
A naïve approach
/ “Token offloading” at the gate
/ Developers don’t need to “do” security or crypto stuff
{}
{}
{}
{}
{} {}
{}
{}
{}
{}
{}
{userid, client_id,
access rights, etc.}

9. © WAVESTONE 9
Option #2. Token transmission
Client
APIAPI API
API API API
API API APIAPI Gateway
Authorization
server
But still not the safest
/ Confused deputy attack: One compromised API allows
compromising any network-reachable API (only with initial
user identity)
A slightly better solution
/ Allows for user identity & rights integrity
/ Developers might need to do crypto stuff
› One could provide them with helper libraries
› API Gateway round trip could be required

10. © WAVESTONE 10
Option #3. OAuth scopes
Client API Gateway
Authorization
server
APIAPI API
API API API
? ?
?
Still not perfect
/ Requires to know beforehand all required scopes in the chain
/ Often requires to define separated (business) API domains
/ In many cases this solution can be secure enough
Introduce notion of service to service controls
/ API gateway and/or client can generate/manage several tokens
with different scopes
/ Compromission spreading is limited
API API API

11. © WAVESTONE 11
Option #4. Token Exchange
Client API Gateway
Authorization
server
APIAPI API
API API API
Of course it is not perfect
/ Introduces network latency to get each token
/ Can be a burden to developers (unless productized in a library)
Fined-grained service-to-service control
/ Access tokens contain the user identity and the list of APIs
went across
/ Authorization server and/or API can enforce any fine-grained
policy they wish
API API API

12. © WAVESTONE 12
And many other options!
Service-to-service
authentication /
authorization
/ Mutual TLS
/ Client credential token
/ Self signed JWT
/ Nested self-signed JWT
(see Will Tran’s work at https://github.com/william-tran/microxchg2017)
Token validation
/ API gateway (ie. Reverse Proxy)
/ Embedded software library (ie. Agent)
/ Micro-gateways
Main difficulties remain
/ Key management to authenticate services / sign tokens
/ Define/maintain/centralize fine-grained access policies
/ By-value JWT
/ By-reference token

13. © WAVESTONE 13
Case studies

14. © WAVESTONE 14
Cheese retail company

15. © WAVESTONE 15
Cheese retail company
• Get or update inventory across branches
• Get special deals in real time
APIs for in-store sales
people on mobile device
• Real-time availability
• Click to collect
• Previous commands and receipts
APIs for consumers
• Mobile HR APIs
• ERP APIs
APIs for Human
Resources and Finance
Cheese supermarkets all over France and now a few other countries.
We now have that goat cheese
you loved back in stock!
This Brie is available in a branch
less than 10km from here!
Our margin on Époisses is
outstanding!
This branche’s sales on Comté
are really low
That smelly Camembert is now
30% off for a limited time!
That smelly Camembert is now
30% off for a limited time!
This individual will get a 20%
raise this year

16. © WAVESTONE 16
Inventory
HR
ERP
Cheese retail company
APIs
Fence
Network isolation
Sub domain
isolation
/ An API Gateway
› Check the token validity
› Serialize it
/ A “fence” per functional domain
› Check user access rights
› PaaS based network isolation
› Domain-to-domain requests must go
back through fences
/ Micro-services
› Check client access rights
An architecture based on three levels

17. © WAVESTONE 17
Big Bakery Company
Pas la meilleur image !

18. © WAVESTONE 18
Big Bakery Company
• New varieties of bread and croissant must
hit the market before competitors
• Agility to develop new products and means
to trade them
A classic story of digital
transformation
• Corporate clients do not want to access
apps, they also want APIs
• Internal dev teams also want to leverage
data and operations through APIs
APIs first
• Spoiled pains au chocolat or sandwiches
can cause severe health troubles
• Recipes are very valuable assets that
mustn’t leak
Strong regulation
A well established trading company in the bread and viennoiserie business
I’ll just add a
pinch of ginger…
Let’s patch this
croissant with almonds!
/GET this sandwich before
it expires or /DELETE it!
Baguettes as a ServiceI can compose 1815
varieties of donuts now!

19. © WAVESTONE 19
Big Bakery Company
Front APIs, using both user and
application right
Network isolation
A very secure & robust architecture in theory
/ Token exchange from front to back
/ Client rights as scopes
/ User rights as custom claim
But actually not fully leveraged
/ Only the front APIs check the user rights
/ Backend APIs only check the application rights and (implicitly)
trust front APIs to check user rights
Check app right
Check user right
Back-end APIs using only application right
Reachable with token 1
Reachable with token 2
Reachable with token 3

20. © WAVESTONE 20
Wine Company

21. © WAVESTONE 21
Wine Company
• Pay-as-you-drink, next bill estimation
based on current consumption
Wine as a Service
• Suggestion based on previous tastings
• AI powered advisor
Wine advisor
• Data sharing with wine amateurs social
networks
Third party services
integration
A utility company for wine. Millions of customers,
With your Tournedos
Rossini, I suggest you
have a Margaux ‘62
I’d say you may very well
like a Pommard
To meet your target
budget, you must have
2 more glasses
€
Congrats! You just
earned the Burgundy
Expert badge!

22. © WAVESTONE 22
Utilities – Wine as a Service
Network isolation
An approach based on point to point controls…
/ Using scope (and a strong scope governance)
/ Using both users and applications right, allows to ensure
traceability
Soon-to-be-in-production: a micro API Gateway
/ Deployed in front of each APIs in containers
/ Based on FOSS module (Apache & mod_auth_openidc)
/ A one-fits-all solution : Java, Ruby, Node.js, etc.
Classical services
Micro API Gateway
Container

23. © WAVESTONE 23
3 different environments, 3 different solutions
Development agility, feature teams
independence
Coarse-grained scopes, fine-grained
user rights
Business domain
segregation
Very risk averse environment, required
traceability
Fine-grained user and application rights
Token exchange
Heterogeneous technologies for API
development, unsegmented network
Moving to micro-gateways, leveraging
CI/CD tools
Micro gateways

24. © WAVESTONE 24
A few rules to balance API security design
Different contexts will result in different architectures
/ Security requirements
/ Build & deployment automation capabilities
/ Gateway vs. agents vs. micro-gateways
1
Token transmission & scope management will fit most security requirements
/ Secure enough in most cases
/ Relatively easy to implement
2
Consider other options to cover additional security constraints
/ Service-to-service authentication
/ Token exchange or nested self-issued JWTs3

25. © WAVESTONE 25
There are many available blocks to achieve micro-services security.
The main difficulty is to build it without mistakes

26. © WAVESTONE 26
Dou Ohote Raillte!

27. wavestone.com
@wavestone_
Bertrand CARLIER
Senior Manager
M +33 (0)6 18 64 42 52
bertrand.carlier@wavestone.com
riskinsight-wavestone.com
@Risk_Insight
securityinsider-solucom.fr
@SecuInsider

28. PARIS
LONDON
NEW YORK
HONG KONG
SINGAPORE *
DUBAI *
SAO PAULO *
LUXEMBOURG
MADRID *
MILANO *
BRUSSELS
GENEVA
CASABLANCA
ISTANBUL *
LYON
MARSEILLE
NANTES
* Partnerships