1 Microservices security landscape


This chapter covers

  • Why microservices security is challenging
  • Principles and key elements of a microservices security design
  • Edge security and the role of an API gateway
  • Patterns and practices in securing service-to-service communications

Fail fast, fail often is a mantra in Silicon Valley. Not everyone agrees, but we love it! It’s an invitation to experiment with new things, accept failures, fix problems, and try again. Not everything in ink looks pretty in practice. Fail fast, fail often is only hype unless the organizational leadership, the culture, and the technology are present and thriving.

We find microservices to be a key enabler for fail fast, fail often. Microservices architecture has gone beyond technology and architectural principles to become a culture. Netflix, Amazon, Lyft, Uber, and eBay are the front-runners in building that culture. Neither the architecture nor the technology behind microservices--but the discipline practiced in an organizational culture--lets your team build stable products, deploy them in a production environment with less hassle, and introduce frequent changes with no negative impact on the overall system.

Speed to production and evolvability are the two key outcomes of microservices architecture. International Data Corporation (IDC) has predicted that by 2022, 90% of all apps will feature microservices architectures that improve the ability to design, debug, update, and leverage third-party code.1

1.1 How security works in a monolithic application

1.2 Challenges of securing microservices

1.2.1 The broader the attack surface, the higher the risk of attack

1.2.2 Distributed security screening may result in poor performance

1.2.3 Deployment complexities make bootstrapping trust among microservices a nightmare

1.2.4 Requests spanning multiple microservices are harder to trace

1.2.5 Immutability of containers challenges how you maintain service credentials and access-control policies

1.2.6 The distributed nature of microservices makes sharing user context harder

1.2.7 Polyglot architecture demands more security expertise on each development team

1.3 Key security fundamentals

1.3.1 Authentication protects your system against spoofing

1.3.2 Integrity protects your system from data tampering

1.3.3 Nonrepudiation: Do it once, and you own it forever

1.3.4 Confidentiality protects your systems from unintended information disclosure

1.3.5 Availability: Keep the system running, no matter what