1 Microservices security landscape
- Why microservices security is challenging
- The principles and key elements of a microservices security design
- Edge security and the role of an API gateway in securing a microservices deployment
- Patterns and practices in securing service-to-service communication in a microservices deployment
1.1 How security works in a monolithic application
1.2 Challenges of securing microservices
1.2.1 The broader the attack surface, the higher the risk of attack
1.2.2 Distributed security screening may result in poor performance
1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare
1.2.4 Requests which span across multiple microservices are harder to trace
1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies
1.2.6 The distributed nature of microservices makes sharing user context harder
1.2.7 Polyglot architecture demands more security expertise on each development
1.3 Key security fundamentals
1.3.1 Authentication protects your system against spoofing
1.3.2 Integrity protects your system from data tampering
1.3.3 Nonrepudiation: Do it once, and you own it forever
1.3.4 Confidentiality protects your systems from unintended information disclosure
Data in transit
1.3.5 Availability: Keep the system running, no matter what
1.3.6 Authorization: Nothing more than you’re supposed to do
1.4 Edge security
1.4.1 The role of an API gateway in a microservices deployment
1.4.2 Authentication at the edge
Certificate-based authentication
Oauth 2.0–based access delegation
1.4.3 Authorization at the edge
1.4.4 Passing client/end-user context to upstream microservices
1.5 Securing service-to-service communication
1.5.1 Service-to-service authentication
1.5.2 Service-level authorization
1.5.3 Propagating user context between microservices
1.5.4 Crossing trust boundaries