The document discusses security in microservices architectures, emphasizing that security is a continuous process rather than a one-time setup. It outlines essential pillars of IT security including confidentiality, integrity, and availability, while detailing best practices such as data isolation, ownership checks, and traffic pattern detection. The importance of API gateways in maintaining secure communications and preventing threats like DDoS attacks and brute force logins is highlighted.

1. Security in microservices
architectures
maxime.thomas@stootie.com
https://www.linkedin.com/in/maximethomas

2. Information Is beautiful - http://www.informationisbeautiful.net/2013/worlds-biggest-data-breaches/

3. Information Is beautiful - http://www.informationisbeautiful.net/2013/worlds-biggest-data-breaches/

4. “Security is not a product,
it’s a process”
Bruce Schneier
Applied Cryptography Author

5. Pillars of IT security
● Confidentiality : no one can access what belongs to you
● Integrity : information cannot be changed without your consent
● Availability : you can access data when you need it

6. Securitisation VS Accessibility
Impact of securitisation
Accessibilitylevel
OK
Kills the productivity
Generates bugs
Bother people
Point of overhead

7. Security is a process
7
● It’s not a one shot thing, you have to set it up and maintain it
● As distributed architecture are mostly based on DDD, this rule means that everybody is concerned
by security
● Modality should be discussed with all the stakeholders to find the point of overhead

8. Monolith Architecture
iOs Android Web
Monolith
User
data

9. Monolith
Confidentiality Integrity Accessibility
Monolith ✔ ✔ ✔

10. Other API Other BFF
Microservices Architecture
API Gateway / BFF
User
data
User
data
User
data
MS
1
MS
2
MS
3
iOs Android Web

11. Responsibility Segregation
Confidentiality Integrity Accessibility
Clients ✔ ✔
API Gateway / BFF ✔ ✔
Microservices ✔ ✔

12. Distributed software does not allow
you to create security breaches

13. Pragmatic Secured Microservices Architecture
API Gateway / BFF
MS
1
MS
2
MS
3
Secured Exchanges
iOs Android Web
JUNGLE
TRUSTED ZONE

14. REST Cheat Sheet
Mobile Cheat Sheet
Network Cheat Sheet

15. Infrastructure
● Certificate rotation, so it never expires
● SSL/TLS Termination, ie HTTPS outside,
HTTP inside
● Isolated Subnets Layers, data is the deeper
● Isolated Inbound Rules to access the next
layer
API Gateway / BFF
MS
Client
Public
Private
Data
HTTPS
HTTP
==

16. User Sessions
● Outside : encrypted authentication token,
should be ideally totally random and
regenerable, it can be as simple as a UUID
● Inside : user data that is useful and that
must be in the global context (ie in each
request)
● API Gateway is maintaining the mapping
between inside data and outside token
API Gateway / BFF
UD
MS
Client
userId: a3dc8
userId: 42,
john@yahoo.fr

17. Microservices 1/3 - Data Isolation
● Data belongs to the microservice so don’t
let other microservices read or write inside
your data system directly
● Microservices must access to it via an API
call or asynchronously
● Set up different users / password to your
data storage systems.
MS
1
MS
2
MQ

18. Microservices 2/3 - Ownership check
● Applying confidentiality : when receiving a
user id, verify that the data you send
effectively belongs to the right user
● This mechanism may be extended to roles
if you have any
API Gateway / BFF
MS
HEADER
userId: 42,
john@yahoo.fr
GET
/item/32
table items
id: 32
userId: 39

19. Microservices 3/3 - Diagnose and recover
● Tag all your resources so you can track
every request in your distributed platform
● Log all request through a central log
system (no headers, no post info)
● Use an exceptions platform to handle
exceptions and get technical context on it,
ie with what you did not log
API GW
MS
Client
MS MS
Logs
manager
Exceptions
manager

20. API Gateway 1/3 - Correlation ID
● It’s giving a simple way to trace what
happens inside the platform
● Your API Gateway / BFF must add a
correlation ID to all the requests, set by
the clients
● UUID v4 is enough
API Gateway / BFF
UD
MS
Client
requestId: 27eb4
requestId: 27eb4

21. API Gateway 2/3 - Detect Traffic Patterns
● Remove wanted and unwanted robots /
spiders / crawlers
● Remove real traffic depending on your
platform typology
● Identify clients that generates large
amount of requests on different frames
Requests Window #Req/min
Peak
A lot in a
short time
50 1 minute 50
Intensive
Medium
usage in a
medium
range of
time
2000 4 hours 8,3
Crook
Poor usage
during a
very long
period
5000 3 days 1,15

22. API Gateway 3/3 - Prevent and block suspicious behaviour
● DDoS attacks → Put your platform down
● Attacks through DAST → Find backdoors
● Brute force login → Manual DAST, scammers
● Enumeration of urls → Steal data through scraping

23. Mobile
● Master all the interfaces of your app
○ in its environment : file system, identity system, http layer, …
○ what you expose : share / publication system
● Be careful of what is left on the device after uninstall
● Certificate pinning : a user can usurp client identity through self signed certificate

24. Security is a process
Too much security kills the security
Security when needed

25. Thank you!
maxime.thomas@stootie.com
https://www.linkedin.com/in/maximethomas