Microservices often promise much greater scalability than standard monolithic apps. But there's always a catch, and in the case of microservices it's that managing security is more complicated. Scott Matteson over at TechRepublic sat down with Owen Garrett, head of products at NGINX, to learn more about microservices and their security best practices.
Owen starts by explaining that microservices came to be out of a need for a decoupled app architecture that’s distributed, scalable and fault tolerant. They fulfill this need because they’re simply a bunch of small apps communicating over a network. He emphasizes that microservices can be deployed anywhere, be it in the cloud, on-premise or some hybrid of the two.
Security is harder for microservices because there are more points of attack than in a standard app, and it's more difficult to apply best practices consistently across so many components. The danger is always that a single compromised service could be used as a beachhead to attack the others.
audit trail if there’s a breach.
The greatest source of security risk is the internal traffic between services. Owen points to recent examples, such as the NSA intercepting traffic between Google data centers and the HTTPoxy vulnerability that allowed attackers to route internal requests to any server they liked. These problems aren't specific to microservices; microservices are just more vulnerable to them.
Owen lists a number of strategy points for reducing your security risks. First off, use an API gateway, such as an intelligent reverse proxy, so you can log and rate limit requests. Next, encrypt all traffic with TLS and authenticate clients with OAuth and SSL. Finally, use an internal PKI (public key infrastructure) so you can easily revoke a service's access if it becomes compromised.
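As an added illustration of those strategy points (not a configuration from the interview or from NGINX's own documentation), here is an NGINX reverse proxy acting as the API gateway: it logs and rate limits requests, serves TLS only, authenticates callers with certificates from an internal PKI, rejects revoked certificates via a CRL, and strips the header that HTTPoxy abused. All hostnames, addresses and certificate paths are placeholders.

```nginx
# Added example: NGINX as an API gateway in front of internal services.
# Hostnames, upstream addresses and PKI file paths are assumed placeholders.

# Rate limiting: at most 10 requests/second per client IP address.
limit_req_zone $binary_remote_addr zone=api_clients:10m rate=10r/s;

# Record which client certificate made each request, giving an audit trail.
log_format audit '$remote_addr $ssl_client_s_dn "$request" $status $request_time';

upstream orders_service {
    server 10.0.1.10:8443;   # placeholder internal service address
}

server {
    listen 443 ssl;
    server_name gateway.internal.example;   # placeholder

    # Encrypt all traffic: TLS 1.2+ only, using the gateway's own certificate.
    ssl_certificate     /etc/nginx/pki/gateway.crt;
    ssl_certificate_key /etc/nginx/pki/gateway.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticate clients with certificates issued by the internal PKI ...
    ssl_client_certificate /etc/nginx/pki/internal-ca.crt;
    ssl_verify_client      on;
    # ... and reject certificates the PKI has revoked (a compromised service).
    ssl_crl                /etc/nginx/pki/internal-ca.crl;

    access_log /var/log/nginx/gateway-audit.log audit;

    location /orders/ {
        # Absorb short bursts of up to 20 requests; beyond that answer 503.
        limit_req zone=api_clients burst=20 nodelay;

        proxy_pass https://orders_service;
        # Re-encrypt the hop to the backend and verify its certificate too.
        proxy_ssl_trusted_certificate /etc/nginx/pki/internal-ca.crt;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;

        # Hand the verified caller identity to the service; the service must
        # trust this header only because the gateway sets it, never the client.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        # Strip the incoming Proxy header so it can never reach CGI-style
        # backends as HTTP_PROXY (the HTTPoxy issue mentioned above).
        proxy_set_header Proxy "";
    }
}
```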
He finishes by recommending regular use of intrusion tools and request fuzzers, which work by sending a bunch of random data at the system to see if it can be made to fail.