
[WSO2 Integration Summit New York 2019] Microservices Security Landscape

The microservices architecture expands the attack surface, since multiple microservices communicate with each other remotely. It is a common principle in security that a system is only as strong as its weakest link. More than in any other system design, the repercussions will be extremely high if we do not get security right in a microservices design.

The key driving force behind the microservices architecture is speed to production (or time to market). One should be able to introduce a change to a service, test it, and instantly deploy it into production. A proper secure development lifecycle and test automation strategy need to be in place to make sure that we do not introduce security vulnerabilities at the code level. We need a proper plan for static code analysis and dynamic testing, and most importantly those tests should be part of the continuous delivery (CD) process. Any vulnerability should be identified early in the development lifecycle, with short feedback cycles.

There are multiple microservices deployment patterns, but the most commonly used one is the service-per-host model. The host does not necessarily mean a physical machine; most probably it is a container (Docker). DevOps security needs to address container-level security: how do we isolate a container from other containers, and what level of isolation do we have between the container and the host operating system? How do we authenticate users and control their access to microservices, and how do we secure the communication channels between microservices? These questions fall under application-level security.

This talk addresses multiple perspectives in securing microservices: SDLC, DevOps, and application-level security.



  1. INTEGRATION SUMMIT 2019. Microservices Security Landscape. Prabath Siriwardena, Vice President - Security Architecture, WSO2
  2. Monolithic
  3. Microservices
  4. Challenges: broader attack surface, performance, deployment complexities, observability, sharing user context, polyglot architecture
  5. API Gateway Pattern
  6. Service to Service Security Patterns ● Trust the Network ● TLS Mutual Authentication ● JWT (JSON Web Token)
  7. Trust The Network
  8. Shared JWT + mTLS
  9. Nested JWT
  10. JWT with Token Exchange
  11. Policy Evaluation (Central PDP)
  12. Policy Evaluation (Embedded PDP)
  13. THANK YOU wso2.com
  14. SPIFFE / SPIRE
  15. SPIFFE + OAuth 2.0
  16. Service Mesh ● A decentralized application networking infrastructure between the services that provides resiliency, security, observability, and routing control. ● Comprised of a control plane and a data plane.
  17. Istio
  18. JWT (JSON Web Token)
  19. SPIFFE / SPIRE ● Secure Production Identity Framework for Everyone. ● SPIFFE tries to solve the trust bootstrap problem in a platform-agnostic manner. ● SPIFFE provides an identity to each workload in a microservices deployment, known as the SPIFFE ID, e.g. spiffe://acme.com/billing/payments
  20. Open Policy Agent (OPA) ● A lightweight general-purpose policy engine that can be co-located with your service. ● Policies are written in Rego. ● OPA can be integrated as a sidecar, host-level daemon, or library. ● Integrated with Spring, service mesh implementations (Istio, Linkerd), and Kafka. ● https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/ ● Netflix is an early adopter of OPA
  21. Cross Domain
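As an added example, not code from the slides or from the SPIFFE/SPIRE or OPA projects, the following Go program shows the two steps that slide 19 (SPIFFE ID) and slide 12 (embedded PDP) imply for a service-to-service call: validating a caller's SPIFFE ID before trusting it, and an in-process allow-list policy keyed by workload path. The trust domain acme.com and the path /billing/payments come from the slide; the other workload paths, the Policy type and the function names are constructed assumptions, and a real deployment would take the caller ID from the URI SAN of the X.509-SVID presented over mTLS.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is the parsed form of an ID such as spiffe://acme.com/billing/payments.
type SPIFFEID struct{ TrustDomain, Path string }
// ParseSPIFFEID enforces the syntax rules that matter before an ID is trusted: scheme "spiffe",
// a lowercase trust domain with no userinfo, port, query or fragment, and no empty, "." or ".." segments.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.Port() != "" ||
		u.RawQuery != "" || u.Fragment != "" || u.Host != strings.ToLower(u.Host) {
		return SPIFFEID{}, errors.New("malformed SPIFFE ID: " + s)
	}
	for _, seg := range strings.Split(strings.TrimPrefix(u.Path, "/"), "/") {
		if u.Path != "" && (seg == "" || seg == "." || seg == "..") {
			return SPIFFEID{}, errors.New("invalid path segment in " + s)
		}
	}
	return SPIFFEID{TrustDomain: u.Host, Path: u.Path}, nil
}
// Policy is a minimal embedded PDP: target workload path -> caller paths allowed to invoke it.
type Policy struct{ TrustDomain string; Allow map[string][]string }
// Authorize takes the caller's SPIFFE ID (URI SAN of its X.509-SVID, proven by mTLS) and returns the decision with a reason for the audit log.
func (p Policy) Authorize(callerID, targetPath string) (bool, string) {
	id, err := ParseSPIFFEID(callerID)
	if err != nil {
		return false, err.Error()
	}
	if id.TrustDomain != p.TrustDomain { // foreign domains are refused before any rule lookup
		return false, "foreign trust domain " + id.TrustDomain
	}
	for _, allowed := range p.Allow[targetPath] {
		if allowed == id.Path {
			return true, "allowed"
		}
	}
	return false, "no rule permits " + id.Path + " -> " + targetPath
}
func main() { // constructed policy for the acme.com trust domain from the slide's example ID
	p := Policy{"acme.com", map[string][]string{"/billing/payments": {"/shop/orders"}}}
	for _, c := range []string{"spiffe://acme.com/shop/orders", "spiffe://evil.example/shop/orders", "spiffe://acme.com/shop/../billing"} {
		fmt.Println(p.Authorize(c, "/billing/payments"))
	}
}
```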
