Prabath Siriwardena, profile picture
Uploaded byPrabath Siriwardena
PPTX, PDF748 views

Microservices Security Landscape

This document discusses security considerations for microservices architectures. It covers edge security using API gateways, service-to-service authentication using TLS and JWT, access control using centralized and embedded policy decision points, deployment models like Docker and Kubernetes, and the use of sidecars and service meshes like Istio for security. Key challenges with microservices include a broader attack surface, performance issues, and complexity in deployment and observability across services.

Embed presentation

Downloaded 37 times
MICROSERVICES SECURITY LANDSCAPE Prabath Siriwardena Senior Director - Security Architecture prabath@wso2.com | prabath@apache.org
ABOUT ME 2
MICROSERVICES
SOA TO MICROSERVICES ▪ Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some set of capabilities. ▪ A service is an isolated process — and the inter-service communication happens over the network. ▪ Microservices is the SOA done right! ▪ Provides focused, scoped and modular approach for application design. 4
MONOLITHIC 5
MICROSERVICES 6
CHALLENGES ▪ Broader attack surface ▪ Performance ▪ Deployment complexities ▪ Observability ▪ Immutable servers ▪ Sharing user context ▪ Polyglot architecture 7
EDGE SECURITY
9 API GATEWAY PATTERN
10 API GATEWAY PATTERN
OAUTH 2.0 11
12 SELF-CONTAINED ACCESS TOKENS
13
SERVICE TO SERVICE SECURITY
TLS MUTUAL AUTHENTICATION ▪ Each microservice will have its own certificate to prove its identity ▪ How do we provision certificates to each microservice? ▪ How do we deal with certificate revocations? ▪ How do we deal with trust bootstrap? ▪ How do we deal with key rotation? 15
SPIFFE / SPIRE ▪ Secure Production Identity Framework for Everyone. ▪ SPIFFE tries to solve the trust bootstrap problem in a platform agnostic manner. ▪ SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID. E.g.: spiffe://acme.com/billing/payments 16
SPIFFE / SPIRE 17
JWT (JSON WEB TOKEN) ▪ Defines a container to transport data between interested parties. ▪ There are multiple applications of JWT - in OpenID Connect the id_token is represented as a JWT. ▪ Propagate one’s identity between interested parties. ▪ Propagate user entitlements between interested parties. ▪ Transfer data securely between interested parties over a unsecured channel. ▪ Assert one’s identity, given that the recipient of the JWT trusts the asserting party. 18
JWT (JSON WEB TOKEN) eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc4YjRjZjIzNjU2ZGMzOTUzNjRmMWI2YzAyOTA3NjkxZjJjZGZmZTEifQ.ey Jpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTAyMjUxMTU4OTIwMTQ3NzMyIiwiYXpwIjoiODI1 MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbn RlbnQuY29tIiwiZW1haWwiOiJwcmFiYXRoQHdzbzIuY29tIiwiYXRfaGFzaCI6InpmODZ2TnVsc0xCOGdGYXFSd 2R6WWciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXVkIjoiODI1MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21 ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaGQiOiJ3c28yLmNvbSIsImlhdCI6 MTQwMTkwODI3MSwiZXhwIjoxNDAxOTEyMTcxfQ.TVKv-pdyvk2gW8sGsCbsnkqsrS0T- H00xnY6ETkIfgIxfotvFn5IwKm3xyBMpy0FFe0Rb5Ht8AEJV6PdWyxz8rMgX2HROWqSo_RfEfUpBb4iOsq4 W28KftW5H0IA44VmNZ6zU4YTqPSt4TPhyFC9fP2D_Hg7JQozpQRUfbWTJI 19
JWT (JSON WEB TOKEN) 20
21 SELF ISSUED ACCESS TOKENS
22 OAUTH 2.0 TOKEN EXCHANGE
ACCESS CONTROL
POLICY EVALUATION (CENTRAL PDP) 24
POLICY EVALUATION (EMBEDDED PDP) 25
OPEN POLICY AGENT (OPA) ▪ A lightweight general-purpose policy engine that can be co-located with your service. ▪ Can integrate OPA as a sidecar, host-level daemon, or library. ▪ Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka ▪ Netflix is an early adopter of OPA 26
DEPLOYMENT MODELS
DOCKER ▪ Docker (container technology) allows to run multiple services on the same host machine, while not only exposing a different environment to each of them, but also isolating them from each other, similarly to VMs, but with much less overhead. ▪ A process running in a container runs inside the host’s operating system, like all the other processes (unlike VMs, where processes run in separate operating systems). But the process in the container is still isolated from other processes. 28
KUBERNETES ▪ Kubernetes abstracts away the hardware infrastructure and exposes your whole datacenter as a single enormous computational resource. ▪ Allows to easily deploy and manage containerized applications on top of it. ▪ Uses Linux container technologies to provide isolation of running applications. 29
KUBERNETES (PODs) 30
SIDECAR 31
ISTIO 32
SECURITY SIDECAR 33
SERVICE MESH 34 ▪ A decentralized application networking infrastructure between the services that provides, resiliency, security, observability, and routing control. ▪ Comprised of a control plane and a data plane.
THANK YOU wso2.com

More Related Content

PDF
Microservices Security Landscape
byPrabath Siriwardena
 
PPTX
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
byScott Brady
 
PPTX
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!
byMatthew
 
PDF
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
byBrod Tech
 
PPTX
Euklid (1)
byAntonio Simeone
 
PPTX
Token based-oauth2
byandreyradzkov
 
PPTX
Sidechains introduction
byLin Lin (Wendy)
 
ODP
Developers Guide To Blockchain, Bitcoin and Cryptocurrencies
bySam Dias
 
Microservices Security Landscape
byPrabath Siriwardena
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
byScott Brady
 
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!
byMatthew
 
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
byBrod Tech
 
Euklid (1)
byAntonio Simeone
 
Token based-oauth2
byandreyradzkov
 
Sidechains introduction
byLin Lin (Wendy)
 
Developers Guide To Blockchain, Bitcoin and Cryptocurrencies
bySam Dias
 

Similar to Microservices Security Landscape

PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PDF
Talk Microservices to Me: The Role of IAM in Microservice Architecture
byWSO2
 
PDF
muCon 2016: Authentication in Microservice Systems By David Borsos
byOpenCredo
 
PPTX
Cloud Identity Management
byDamian T. Gordon
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
PPTX
Microservices Security landscape
bySagara Gunathunga
 
PDF
The Role of IAM in Microservices
byWSO2
 
PDF
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
byVarun Mithran
 
PDF
Protecting Java Microservices: Best Practices and Strategies
byRodrigo Cândido da Silva
 
PDF
Authentication in microservice systems
byDavid Borsos
 
PPTX
Microservices Manchester: Authentication in Microservice Systems by David Borsos
byOpenCredo
 
PPTX
Microservices security - jpmc tech fest 2018
byMOnCloud
 
PPTX
Micro Web Service - Slim and JWT
byTuyen Vuong
 
PDF
Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it,...
byapidays
 
PDF
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
byWSO2
 
PDF
API Security In Cloud Native Era
byWSO2
 
PPTX
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game - ...
byNordic APIs
 
PDF
Anil saldhana cloudidentitybestpractices
byAnil Saldanha
 
PPTX
Enhancing API Security and Privacy Through Hardening the Access Token | apida...
byCurity
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
byWSO2
 
muCon 2016: Authentication in Microservice Systems By David Borsos
byOpenCredo
 
Cloud Identity Management
byDamian T. Gordon
 
Securing Web Applications with Token Authentication
byStormpath
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
Microservices Security landscape
bySagara Gunathunga
 
The Role of IAM in Microservices
byWSO2
 
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
byVarun Mithran
 
Protecting Java Microservices: Best Practices and Strategies
byRodrigo Cândido da Silva
 
Authentication in microservice systems
byDavid Borsos
 
Microservices Manchester: Authentication in Microservice Systems by David Borsos
byOpenCredo
 
Microservices security - jpmc tech fest 2018
byMOnCloud
 
Micro Web Service - Slim and JWT
byTuyen Vuong
 
Apidays Paris 2023 - I Have an OAuth2 Access Token, Now what do I do with it,...
byapidays
 
[WSO2Con Asia 2018] Talk Microservices to Me: The Role of IAM in Microservice...
byWSO2
 
API Security In Cloud Native Era
byWSO2
 
OAuth Well Played – Mods and Combos for the Cloud Native API Security Game - ...
byNordic APIs
 
Anil saldhana cloudidentitybestpractices
byAnil Saldanha
 
Enhancing API Security and Privacy Through Hardening the Access Token | apida...
byCurity
 

More from Prabath Siriwardena

PDF
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
PPTX
API Security : Patterns and Practices
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
PDF
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
PDF
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
PDF
Open Standards in Identity Management
byPrabath Siriwardena
 
PDF
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
PPTX
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
PPTX
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
PDF
Identity Management for Web Application Developers
byPrabath Siriwardena
 
PPTX
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
PPTX
Securing Insecure
byPrabath Siriwardena
 
PPTX
The Evolution of Internet Identity
byPrabath Siriwardena
 
PPTX
Evolution of Internet Identity
byPrabath Siriwardena
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
PDF
GDPR for Identity Architects
byPrabath Siriwardena
 
PDF
Identity is Eating the World!
byPrabath Siriwardena
 
PPTX
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
byPrabath Siriwardena
 
API Security : Patterns and Practices
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Cloud Native Identity with SPIFFE
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscapes
byPrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
byPrabath Siriwardena
 
Open Standards in Identity Management
byPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
byPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
byPrabath Siriwardena
 
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
Identity Management for Web Application Developers
byPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
byPrabath Siriwardena
 
Securing Insecure
byPrabath Siriwardena
 
The Evolution of Internet Identity
byPrabath Siriwardena
 
Evolution of Internet Identity
byPrabath Siriwardena
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
byPrabath Siriwardena
 
GDPR for Identity Architects
byPrabath Siriwardena
 
Identity is Eating the World!
byPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
byPrabath Siriwardena
 

Recently uploaded

PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PDF
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
PPTX
META-ANALYSIS INTERPRETATION, PUBLICATION BIAS AND GRADE ASSESSMENT.pptx
bySystematic Reviews Network (SRN)
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PDF
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PDF
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
PPTX
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PPTX
Steve Hale - Developing Elite Young Goalkeepers 2024.pptx
bypjmfd
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
Micro Economics for class 12 and class 11
bysurajbajaj4116
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
How to Track a Link Using Odoo 18 SMS Marketing
byCeline George
 
META-ANALYSIS INTERPRETATION, PUBLICATION BIAS AND GRADE ASSESSMENT.pptx
bySystematic Reviews Network (SRN)
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
IMANI Africa files RTI request seeking full disclosure on 2026 SIM registrati...
bynservice241
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Multiple Myeloma , definition, etiology, PP, CM , DE and management
byNisha Borsa
 
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
Steve Hale - Developing Elite Young Goalkeepers 2024.pptx
bypjmfd
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 

Microservices Security Landscape

  • 1.
    MICROSERVICES SECURITY LANDSCAPE PrabathSiriwardena Senior Director - Security Architecture prabath@wso2.com | prabath@apache.org
  • 2.
  • 3.
  • 4.
    SOA TO MICROSERVICES ▪Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some set of capabilities. ▪ A service is an isolated process — and the inter-service communication happens over the network. ▪ Microservices is the SOA done right! ▪ Provides focused, scoped and modular approach for application design. 4
  • 5.
  • 6.
  • 7.
    CHALLENGES ▪ Broader attacksurface ▪ Performance ▪ Deployment complexities ▪ Observability ▪ Immutable servers ▪ Sharing user context ▪ Polyglot architecture 7
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
    TLS MUTUAL AUTHENTICATION ▪Each microservice will have its own certificate to prove its identity ▪ How do we provision certificates to each microservice? ▪ How do we deal with certificate revocations? ▪ How do we deal with trust bootstrap? ▪ How do we deal with key rotation? 15
  • 16.
    SPIFFE / SPIRE ▪Secure Production Identity Framework for Everyone. ▪ SPIFFE tries to solve the trust bootstrap problem in a platform agnostic manner. ▪ SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID. E.g.: spiffe://acme.com/billing/payments 16
  • 17.
  • 18.
    JWT (JSON WEBTOKEN) ▪ Defines a container to transport data between interested parties. ▪ There are multiple applications of JWT - in OpenID Connect the id_token is represented as a JWT. ▪ Propagate one’s identity between interested parties. ▪ Propagate user entitlements between interested parties. ▪ Transfer data securely between interested parties over a unsecured channel. ▪ Assert one’s identity, given that the recipient of the JWT trusts the asserting party. 18
  • 19.
    JWT (JSON WEBTOKEN) eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc4YjRjZjIzNjU2ZGMzOTUzNjRmMWI2YzAyOTA3NjkxZjJjZGZmZTEifQ.ey Jpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTAyMjUxMTU4OTIwMTQ3NzMyIiwiYXpwIjoiODI1 MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbn RlbnQuY29tIiwiZW1haWwiOiJwcmFiYXRoQHdzbzIuY29tIiwiYXRfaGFzaCI6InpmODZ2TnVsc0xCOGdGYXFSd 2R6WWciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXVkIjoiODI1MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21 ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaGQiOiJ3c28yLmNvbSIsImlhdCI6 MTQwMTkwODI3MSwiZXhwIjoxNDAxOTEyMTcxfQ.TVKv-pdyvk2gW8sGsCbsnkqsrS0T- H00xnY6ETkIfgIxfotvFn5IwKm3xyBMpy0FFe0Rb5Ht8AEJV6PdWyxz8rMgX2HROWqSo_RfEfUpBb4iOsq4 W28KftW5H0IA44VmNZ6zU4YTqPSt4TPhyFC9fP2D_Hg7JQozpQRUfbWTJI 19
  • 20.
    JWT (JSON WEBTOKEN) 20
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
    OPEN POLICY AGENT(OPA) ▪ A lightweight general-purpose policy engine that can be co-located with your service. ▪ Can integrate OPA as a sidecar, host-level daemon, or library. ▪ Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka ▪ Netflix is an early adopter of OPA 26
  • 27.
  • 28.
    DOCKER ▪ Docker (containertechnology) allows to run multiple services on the same host machine, while not only exposing a different environment to each of them, but also isolating them from each other, similarly to VMs, but with much less overhead. ▪ A process running in a container runs inside the host’s operating system, like all the other processes (unlike VMs, where processes run in separate operating systems). But the process in the container is still isolated from other processes. 28
  • 29.
    KUBERNETES ▪ Kubernetes abstractsaway the hardware infrastructure and exposes your whole datacenter as a single enormous computational resource. ▪ Allows to easily deploy and manage containerized applications on top of it. ▪ Uses Linux container technologies to provide isolation of running applications. 29
  • 30.
  • 31.
  • 32.
  • 33.
  • 34.
    SERVICE MESH 34 ▪ Adecentralized application networking infrastructure between the services that provides, resiliency, security, observability, and routing control. ▪ Comprised of a control plane and a data plane.
  • 35.