SlideShare a Scribd company logo
The Easy Way
To
Secure Microservices
Michael Hofmann
Hofmann IT-Consulting
info@hofmann-itconsulting.de
https://hofmann-itconsulting.de
Microservices and Security
●
High number of services
●
Every service has to be secured
●
The more services the higher the risk of security
breaches
●
New vulnerabilities (CVE) must be fixed timely in
every service
●
Malicious actor has more endpoints to exploit
Consequence: Zero Trust
●
Do not trust anyone or service, even inside a
trust zone
●
Every request has to be authenticated,
authorized and secured (TLS)
●
JWT: E2E Token or TokenExchangeService
●
On (every) multiple network layers
Securing Microservices
●
AuthN and AuthZ on every request
●
TLS for every communication between services
– Certificate management for many services
– High degree of automation necessary
– Missing automation: TLS termination on Ingress, no TLS
inside K8S cluster (typical)
●
Is there a one size fits all solution?
OWASP (Open Web Application Security Project)
●
Defense in Depth (Layered Defense)
●
Fail Safe
●
Least Privilege
●
Separation of Duties
●
Economy of Mechanism (Keep it
Simple, Stupid KISS)
●
Complete Mediation
https://github.com/OWASP/DevGuide/blob/master/02-Design/01-Principles%20of%20Security%20Engineering.md
●
Open Design
●
Least Common Mechanism
●
Psychological acceptability
●
Weakest Link
●
Leveraging Existing Components
1st try
Source: istio.io
Source: istio.io
Istio’s Security Statements
●
Security by default: no changes needed to application code and
infrastructure
●
Defense in depth: integrate with existing security systems to
provide multiple layers of defense
●
Zero-trust network: build security solutions on distrusted
networks
●
Authorization and Audit Tools (AAA Tools)
TLS Termination
apiVersion: v1
kind: Secret
metadata:
name: mytls-credential
type: kubernetes.io/tls
data:
tls.crt: |
XYZ...
tls.key: |
ABc...
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: mygateway
spec:
selector:
istio: ingressgateway
servers:
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: mytls-credential
hosts:
- myapp.mycompany.de
Nearly full functionality of API
Gateway with Istio
Entire Mesh mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system #entire mesh
spec:
mtls:
mode: STRICT #PERMISSIVE
Rotating certificate every 24h
Source: istio.io
NetworkPolicy
●
Additional Network providers: Antrea, Canico,
Cilium, ...
●
NetworkPolicy for K8S on Layer 3 and 4
●
Istio (mainly) operates on Layer 7
●
According to OWASP: Defense in Depth
NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: access-myapp
namespace: my-namespace
spec:
podSelector:
matchLabels:
app: myapp
ingress:
- from:
- podSelector:
matchLabels:
istio: ingressgateway
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: my-namespace
spec:
podSelector: {}
policyTypes:
- Ingress
2nd try
AuthZ
Source: istio.io
AuthN
●
Can be applied to every other workload
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: ingress-idp
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:
- issuer: "my-issuer"
jwksUri: https://idp.mycompany.de/.well-known/jwks.json
●
JWT issued by
specified IDP
●
Multiple issuers
possible
●
Applied to Istio
ingress gateway
AuthZ
●
Request without JWT has no authentication identity but is
allowed
●
Allow-nothing rule for complete mesh
●
Applied in root namespace (istio-system)
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-nothing
namespace: istio-system
spec:
#action defaults to ALLOW if not specified
{}
AuthZ apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: my-app
namespace: my-namespace
spec:
selector:
matchLabels:
app: my-app
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/ns-xyz/sa/my-partner-app"]
- source:
namespaces: ["ns-abc", “ns-def”]
to:
- operation:
methods: ["GET"]
paths: ["/info*"]
- operation:
methods: ["POST"]
paths: ["/data"]
when:
- key: request.auth.claims[iss]
values: ["https://idp.my-company.de"]
AuthZ
●
AuthorizationPolicy
precedence
●
Rules can be very fine
grained
●
Multiple combinations
can be possible
●
be aware of complexity!
(kiss)
AuthZ Customized apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: external-authz
namespace: my-namespace
spec:
selector:
matchLabels:
app: my-app
action: CUSTOM
provider:
name: my-provider
rules:
- to:
- operation:
paths: ["/data",”/api”]
●
Provider must be defined in
mesh config
●
Can be applied on every workload
●
HTTP Status: 200, 403
●
Header transformations
extensionProviders:
- name: "my-provider"
envoyExtAuthzHttp:
service: "my-provider.foo.svc.cluster.local"
port: "8000"
includeHeadersInCheck: ["authorization", "cookie"]
headersToUpstreamOnAllow: ["authorization", "new-header"]
headersToDownstreamOnDeny: ["content-type", "deny-header"]
Audit
●
Current only Stackdriver
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
namespace: my-namespace
name: audit-my-app
spec:
selector:
matchLabels:
app: my-app
action: AUDIT
rules:
- to:
- operation:
methods: [”POST”,”PUT”,”DELETE”]
paths: ["/data/*"]
Final
Rules Summary
Functionality Rules
TLS termination (gateway) Gateway and Secret
mTLS PeerAuthentication
Network Segmentation NetworkPolicy default-deny-ingress
one per workload
Authentication RequestAuthentication
Authorization AuthorizationPolicy allow-nothing
one per workload
AuthZ in MicroProfile
@LoginConfig(authMethod = "MP-JWT", realmName = "MY-REALM")
@DeclareRoles("edit-role, select-role")
@ApplicationPath("/")
public class MyApplication extends Application {
}
@Path("/myendpoint")
@DenyAll
public class MyEndpoint {
@Inject
private JsonWebToken jwt;
@Resource
Principal principal;
@RolesAllowed("edit-role")
@POST
...
}
●
MicroProfile MP-JWT
Spec
●
Roles mapping on JWT
claim: groups
●
Validate against IDP
Summary
●
Establish security step-by-step: Starting point: only 6 rules necessary
●
Only 1 rule for mTLS in whole cluster including certificate rotation
●
JWT validation (everywhere)
●
Fine grained authZ control by infrastructure (entry-point, every service):
KISS
●
Customizable authZ control
●
Audit (only stackdriver)
●
Defense in depth (3): NetworkPolicy, AuthorizationPolicy, authZ in service
●
Zero Trust

More Related Content

What's hot

NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
Tamas K Lengyel
 
OpenSSL
OpenSSLOpenSSL
OpenSSL
Timbal Mayank
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Tamas K Lengyel
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
Ahmed Elnaggar
 
Web Security
Web SecurityWeb Security
Web Security
Ram Dutt Shukla
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
Diogo Mónica
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
pavansmiles
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
wolfSSL
 
SSL overview
SSL overviewSSL overview
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...
Teleport
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP
 
Bletchley
BletchleyBletchley
Bletchley
Diogo Mónica
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
JosephTesta9
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLS
Sam Bowne
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)
Sam Bowne
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
DevOps.com
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018
wolfSSL
 
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
Worteks
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 

What's hot (20)

NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
 
OpenSSL
OpenSSLOpenSSL
OpenSSL
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Web Security
Web SecurityWeb Security
Web Security
 
MTLS in a Microservices World
MTLS in a Microservices WorldMTLS in a Microservices World
MTLS in a Microservices World
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
 
SSL overview
SSL overviewSSL overview
SSL overview
 
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...
Webinar - 2020-09-23 - Escape the ticketing turmoil with Teleport PagerDuty &...
 
[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
 
Bletchley
BletchleyBletchley
Bletchley
 
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
BSides Rochester 2018: Esteban Rodriguez: Ducky In The Middle: Injecting keys...
 
CNIT 141: 13. TLS
CNIT 141: 13. TLSCNIT 141: 13. TLS
CNIT 141: 13. TLS
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)CNIT 128 3. Attacking iOS Applications (Part 1)
CNIT 128 3. Attacking iOS Applications (Part 1)
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
 
wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018wolfSSL TLS 1.3 Support in 2018
wolfSSL TLS 1.3 Support in 2018
 
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 

Similar to The Easy Way to Secure Microservices

Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvan
itrraincity
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
Gokul Alex
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Tim Mackey
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
Black Duck by Synopsys
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
WSO2
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
Wail Hassan
 
ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
SSIMeetup
 
Windows network security
Windows network securityWindows network security
Windows network security
Information Technology
 
OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16
MikeLeszcz
 
Net Sec
Net SecNet Sec
Net Sec
backdoor
 
Practical Network Security
Practical Network SecurityPractical Network Security
Practical Network Security
Sudarsun Santhiappan
 
Construyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperablesConstruyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperables
OpenDireito
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authentication
shytikov
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
Sylvain Maret
 
Hop by-hop authentication and source privacy in wireless sensor networks
Hop by-hop authentication and source privacy in wireless sensor networksHop by-hop authentication and source privacy in wireless sensor networks
Hop by-hop authentication and source privacy in wireless sensor networks
LeMeniz Infotech
 
Building a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsBuilding a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communications
PaloSanto Solutions
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Windows network
Windows networkWindows network
Windows network
Jithesh Nair
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02
MikeLeszcz
 

Similar to The Easy Way to Secure Microservices (20)

Secrity project keyvan
Secrity project   keyvanSecrity project   keyvan
Secrity project keyvan
 
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDFDEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
DEFCON28_2020_EthereumSecurity_PreventingDDoS_VDF
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
ZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSIZKorum: Building the Next Generation eAgora powered by SSI
ZKorum: Building the Next Generation eAgora powered by SSI
 
Windows network security
Windows network securityWindows network security
Windows network security
 
OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16OpenID Foundation RISC WG Update - 2017-10-16
OpenID Foundation RISC WG Update - 2017-10-16
 
Net Sec
Net SecNet Sec
Net Sec
 
Practical Network Security
Practical Network SecurityPractical Network Security
Practical Network Security
 
Construyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperablesConstruyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperables
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authentication
 
Strong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS IIIStrong Authentication in Web Application #SCS III
Strong Authentication in Web Application #SCS III
 
Hop by-hop authentication and source privacy in wireless sensor networks
Hop by-hop authentication and source privacy in wireless sensor networksHop by-hop authentication and source privacy in wireless sensor networks
Hop by-hop authentication and source privacy in wireless sensor networks
 
Building a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsBuilding a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communications
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Windows network
Windows networkWindows network
Windows network
 
OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02OpenID Foundation RISC WG Update - 2018-04-02
OpenID Foundation RISC WG Update - 2018-04-02
 

More from Michael Hofmann

Service Specific AuthZ In The Cloud Infrastructure
Service Specific AuthZ In The Cloud InfrastructureService Specific AuthZ In The Cloud Infrastructure
Service Specific AuthZ In The Cloud Infrastructure
Michael Hofmann
 
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud ApplicationsNew Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
Michael Hofmann
 
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve ParityDeveloper Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Michael Hofmann
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
Michael Hofmann
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
Michael Hofmann
 
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Michael Hofmann
 
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Michael Hofmann
 
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Michael Hofmann
 
Service Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathonService Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathon
Michael Hofmann
 
Service Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-MarathonService Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-Marathon
Michael Hofmann
 
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderenAPI-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
Michael Hofmann
 
Microprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EEMicroprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EE
Michael Hofmann
 
Microservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM LibertyMicroservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM Liberty
Michael Hofmann
 

More from Michael Hofmann (13)

Service Specific AuthZ In The Cloud Infrastructure
Service Specific AuthZ In The Cloud InfrastructureService Specific AuthZ In The Cloud Infrastructure
Service Specific AuthZ In The Cloud Infrastructure
 
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud ApplicationsNew Ways To Production - Stress-Free Evolution Of Your Cloud Applications
New Ways To Production - Stress-Free Evolution Of Your Cloud Applications
 
Developer Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve ParityDeveloper Experience Cloud Native - Become Efficient and Achieve Parity
Developer Experience Cloud Native - Become Efficient and Achieve Parity
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
 
Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?Service Mesh vs. Frameworks: Where to put the resilience?
Service Mesh vs. Frameworks: Where to put the resilience?
 
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
Developer Experience Cloud Native - From Code Gen to Git Commit without a CI/...
 
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
Servicierung von Monolithen - Der Weg zu neuen Technologien bis hin zum Servi...
 
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
Service Mesh mit Istio und MicroProfile - eine harmonische Kombination?
 
Service Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathonService Mesh - kilometer 30 in a microservice marathon
Service Mesh - kilometer 30 in a microservice marathon
 
Service Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-MarathonService Mesh - Kilometer 30 im Microservices-Marathon
Service Mesh - Kilometer 30 im Microservices-Marathon
 
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderenAPI-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
API-Economy bei Financial Services – Kein Stein bleibt auf dem anderen
 
Microprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EEMicroprofile.io - Cloud Native mit Java EE
Microprofile.io - Cloud Native mit Java EE
 
Microservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM LibertyMicroservices mit Java EE - am Beispiel von IBM Liberty
Microservices mit Java EE - am Beispiel von IBM Liberty
 

Recently uploaded

Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Envertis Software Solutions
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
Hironori Washizaki
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
Ayan Halder
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
pavan998932
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 

Recently uploaded (20)

Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise EditionWhy Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
Why Choose Odoo 17 Community & How it differs from Odoo 17 Enterprise Edition
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
Using Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional SafetyUsing Xen Hypervisor for Functional Safety
Using Xen Hypervisor for Functional Safety
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
What is Augmented Reality Image Tracking
What is Augmented Reality Image TrackingWhat is Augmented Reality Image Tracking
What is Augmented Reality Image Tracking
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 

The Easy Way to Secure Microservices

  • 1. The Easy Way To Secure Microservices Michael Hofmann Hofmann IT-Consulting info@hofmann-itconsulting.de https://hofmann-itconsulting.de
  • 2. Microservices and Security ● High number of services ● Every service has to be secured ● The more services the higher the risk of security breaches ● New vulnerabilities (CVE) must be fixed timely in every service ● Malicious actor has more endpoints to exploit
  • 3. Consequence: Zero Trust ● Do not trust anyone or service, even inside a trust zone ● Every request has to be authenticated, authorized and secured (TLS) ● JWT: E2E Token or TokenExchangeService ● On (every) multiple network layers
  • 4. Securing Microservices ● AuthN and AuthZ on every request ● TLS for every communication between services – Certificate management for many services – High degree of automation necessary – Missing automation: TLS termination on Ingress, no TLS inside K8S cluster (typical) ● Is there a one size fits all solution?
  • 5. OWASP (Open Web Application Security Project) ● Defense in Depth (Layered Defense) ● Fail Safe ● Least Privilege ● Separation of Duties ● Economy of Mechanism (Keep it Simple, Stupid KISS) ● Complete Mediation https://github.com/OWASP/DevGuide/blob/master/02-Design/01-Principles%20of%20Security%20Engineering.md ● Open Design ● Least Common Mechanism ● Psychological acceptability ● Weakest Link ● Leveraging Existing Components
  • 9. Istio’s Security Statements ● Security by default: no changes needed to application code and infrastructure ● Defense in depth: integrate with existing security systems to provide multiple layers of defense ● Zero-trust network: build security solutions on distrusted networks ● Authorization and Audit Tools (AAA Tools)
  • 10. TLS Termination apiVersion: v1 kind: Secret metadata: name: mytls-credential type: kubernetes.io/tls data: tls.crt: | XYZ... tls.key: | ABc... apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: mygateway spec: selector: istio: ingressgateway servers: - port: number: 443 name: https protocol: HTTPS tls: mode: SIMPLE credentialName: mytls-credential hosts: - myapp.mycompany.de Nearly full functionality of API Gateway with Istio
  • 11. Entire Mesh mTLS apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default namespace: istio-system #entire mesh spec: mtls: mode: STRICT #PERMISSIVE Rotating certificate every 24h Source: istio.io
  • 12. NetworkPolicy ● Additional Network providers: Antrea, Canico, Cilium, ... ● NetworkPolicy for K8S on Layer 3 and 4 ● Istio (mainly) operates on Layer 7 ● According to OWASP: Defense in Depth
  • 13. NetworkPolicy apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: access-myapp namespace: my-namespace spec: podSelector: matchLabels: app: myapp ingress: - from: - podSelector: matchLabels: istio: ingressgateway apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-ingress namespace: my-namespace spec: podSelector: {} policyTypes: - Ingress
  • 16. AuthN ● Can be applied to every other workload apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: name: ingress-idp namespace: istio-system spec: selector: matchLabels: istio: ingressgateway jwtRules: - issuer: "my-issuer" jwksUri: https://idp.mycompany.de/.well-known/jwks.json ● JWT issued by specified IDP ● Multiple issuers possible ● Applied to Istio ingress gateway
  • 17. AuthZ ● Request without JWT has no authentication identity but is allowed ● Allow-nothing rule for complete mesh ● Applied in root namespace (istio-system) apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-nothing namespace: istio-system spec: #action defaults to ALLOW if not specified {}
  • 18. AuthZ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: my-app namespace: my-namespace spec: selector: matchLabels: app: my-app action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/ns-xyz/sa/my-partner-app"] - source: namespaces: ["ns-abc", “ns-def”] to: - operation: methods: ["GET"] paths: ["/info*"] - operation: methods: ["POST"] paths: ["/data"] when: - key: request.auth.claims[iss] values: ["https://idp.my-company.de"]
  • 19. AuthZ ● AuthorizationPolicy precedence ● Rules can be very fine grained ● Multiple combinations can be possible ● be aware of complexity! (kiss)
  • 20. AuthZ Customized apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: external-authz namespace: my-namespace spec: selector: matchLabels: app: my-app action: CUSTOM provider: name: my-provider rules: - to: - operation: paths: ["/data",”/api”] ● Provider must be defined in mesh config ● Can be applied on every workload ● HTTP Status: 200, 403 ● Header transformations extensionProviders: - name: "my-provider" envoyExtAuthzHttp: service: "my-provider.foo.svc.cluster.local" port: "8000" includeHeadersInCheck: ["authorization", "cookie"] headersToUpstreamOnAllow: ["authorization", "new-header"] headersToDownstreamOnDeny: ["content-type", "deny-header"]
  • 21. Audit ● Current only Stackdriver apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: namespace: my-namespace name: audit-my-app spec: selector: matchLabels: app: my-app action: AUDIT rules: - to: - operation: methods: [”POST”,”PUT”,”DELETE”] paths: ["/data/*"]
  • 22. Final
  • 23. Rules Summary Functionality Rules TLS termination (gateway) Gateway and Secret mTLS PeerAuthentication Network Segmentation NetworkPolicy default-deny-ingress one per workload Authentication RequestAuthentication Authorization AuthorizationPolicy allow-nothing one per workload
  • 24. AuthZ in MicroProfile @LoginConfig(authMethod = "MP-JWT", realmName = "MY-REALM") @DeclareRoles("edit-role, select-role") @ApplicationPath("/") public class MyApplication extends Application { } @Path("/myendpoint") @DenyAll public class MyEndpoint { @Inject private JsonWebToken jwt; @Resource Principal principal; @RolesAllowed("edit-role") @POST ... } ● MicroProfile MP-JWT Spec ● Roles mapping on JWT claim: groups ● Validate against IDP
  • 25. Summary ● Establish security step-by-step: Starting point: only 6 rules necessary ● Only 1 rule for mTLS in whole cluster including certificate rotation ● JWT validation (everywhere) ● Fine grained authZ control by infrastructure (entry-point, every service): KISS ● Customizable authZ control ● Audit (only stackdriver) ● Defense in depth (3): NetworkPolicy, AuthorizationPolicy, authZ in service ● Zero Trust