1 Welcome to microservices security

 

This chapter covers

  • Why microservices security is challenging
  • The principles and key elements of a microservices security design
  • How to secure a microservices deployment at the edge with an API gateway
  • Securing service-to-service communication in a microservices deployment with mutual Transport Layer Security (mTLS) and JSON Web Token (JWT)

“Fail fast, fail often” is a mantra in Silicon Valley. Not everyone agrees, but we love it! It’s an invitation to experiment with new things, accept failures, fix problems, and try again. Not everything in ink looks pretty in practice. Fail fast, fail often is only hype unless the organizational leadership, the culture, and the technology are in place and thriving. We find microservices to be a key enabler for fail fast, fail often. Microservices architecture has gone beyond technology and architectural principles to become a culture. Netflix, Amazon, Lyft, Uber, and eBay are the front-runners in building a culture behind microservices. It is neither the architecture nor the technology behind microservices, but the discipline practiced in an organizational culture, that lets your team build stable products, deploy them in a production environment with less hassle, and introduce frequent changes with no negative impact on the overall system. Speed to production and evolvability are the two key outcomes of microservices architecture.

1.1   How security works in a monolithic application

 
 
 
 

1.2   Challenges of securing microservices

 
 
 
 

1.2.1   The broader the attack surface, the higher the risk of attack

 

1.2.2   Distributed security screening may result in poor performance

 
 
 

1.2.3   Deployment complexities make bootstrapping trust among microservices a nightmare

 
 

1.2.4   Requests which span across multiple microservices are harder to trace

 
 
 
 

1.2.5   Immutability of containers challenges how you maintain service credentials and access-control policies

 
 
 
 

1.2.6   The distributed nature of microservices makes sharing user context harder

 
 
 

1.2.7   Polyglot architecture demands more security expertise on each development team

 
 
 

1.3   Key security fundamentals

 
 

1.3.1   Authentication protects your system against spoofing

 
 
 

1.3.2   Integrity protects your system from data tampering

 
 
 

1.3.3   Nonrepudiation: Do it once, and you own it forever

 
 
 
 

1.3.4   Confidentiality protects your systems from unintended information disclosure

 
 
 

1.3.5   Availability: Keep the system running, no matter what

 
 

1.3.6   Authorization: Nothing more than you’re supposed to do

 
 
 

1.4   Edge security

 

1.4.1   The role of an API gateway in a microservices deployment

 
 

1.4.2   Authentication at the edge

 
 

1.4.3   Authorization at the edge

 

1.4.4   Passing client/end-user context to downstream microservices

 
 
 

1.5   Securing service-to-service communication

 
 
 
 

1.5.1   Service-to-service authentication

 
 

1.5.2   Service-level authorization

 
 
 

1.5.3   Propagating user context between microservices

 
 

1.5.4   Crossing trust boundaries

 

1.6   Summary

 