You are here

How to Establish a Reliable Microservice Security Strategy

Microservices promise in many cases much greater scalability than standard monolithic apps. But there’s always a catch and in the case of microservices it’s that managing security is more complicated. Scott Matteson over at TechRepublic sat down with Owen Garrett, head of products at NGINX, to learn more about microservices and its security best practices.

Owen starts by explaining that microservices came to be out of a need for a decoupled app architecture that’s distributed, scalable and fault tolerant. They fulfill this need because they’re simply a bunch of small apps communicating over a network. He emphasizes that microservices can be deployed anywhere, be it in the cloud, on-premise or some hybrid of the two.

Security is harder for microservices because there are more points of attack than for a standard app and it’s more difficult to apply best practices across so many components. The danger is always that one service might be compromised that could be used as a beachhead to attack others. 

Owen says that you have to secure client and inter-service traffic, since services can make big changes to other services and these days with Javascript frameworks doing much of the heavy lifting on the frontend client APIs can be exposed to sensitive data. He recommends starting any security strategy by doing an audit of what data services and clients can access or change. Then apply authentication for all these requests (even anonymous ones) and rate limit requests. After that, add logging so you’ll have an

audit trail if there’s a breach. 

The great source of security risk is the internal traffic between services. Owen points to recent examples, such as the NSA’s intercepting traffic between Google data centers and the HTTPoxy vulnerability that allowed hackers to route internal requests to any server they liked. These problems are specific to microservices. They’re just more vulnerable to them.

Owen lists a number of strategy points for reducing your security risks. First off, use an API gateway such as intelligent reverse proxy so you can log and rate limit requests. Next, encrypt all traffic with TLS and authenticate clients with OAuth and SSL. Finally, use an internal PKI (public key infrastructure) so you can easily revoke a service’s access if it becomes compromised. 

He finishes by recommending regular use of intrusion tools and request fuzzers, which involve sending a bunch of random data, to see if the system can be caused to fail. 

Be sure to read the next Microservices article: Getting Started with Google Cloud Functions

Original Article

How to establish strong microservice security using SSL, TLS and API gateways