In this article, we will take a look at the practices for Microservices Security.
1. Introduction
Microservices architecture is based on loosely coupled principles. The loosely coupled principle helps in designing services for application components with lesser dependencies. The Microservices application has multiple units. A single unit can run alone and use APIs for connectivity. API gateways help in the authentication of services. Microservice security architecture needs to be created based on best practices that are related to the basic principles.
2. Microservices Security: Best Practices
In a decentralized microservices development project, multiple teams are creating microservices simultaneously. Application security cannot be designed easily. Security-wise, the microservices application has weak areas such as access points and authentication & authorization security points. The key areas for microservices security are managing user-profiles and payment processing use cases.
2.1 Authentication
Multifactor authentication is used for authentication in web and mobile applications. Identity verification is based on user credentials and other forms of authentication such as OTP and biometrics. API gateway pattern helps in providing a single entry point and directs the traffic to different microservices.
2.2 Authorization
For authorization, OAuth 2.0 is used for user identity and authorizing the access of resources from the resource server. User tokens are issued for resource access. These tokens will have expiry time. New tokens are issued after the expiry time. The following security patterns are used for authorization:
- Resource Server
- Resource Owner
- Authorization Server
- Client
2.3 Data Security
In microservices design, sensitive data is encrypted before storing it into the datastore. The encryption algorithms can be based on RSA and Blowfish. Personal identifying information (PII) needs to be secured before storing it into the database. This information will be masked before persisting into files, logs, and records. The encryption helps in protecting the PII data which exists in the logs and application memory in the server.
2.4 Network Security
Microservices are designed for protection from Denial of Service attack. Denial of Service attack is based on volumetric flooding of the service messages. These attacks cause web application crashes and failure. A limit is set on the number of the API requests in a given period of time. If this limit exceeds, the access to the API will be blocked for a configured time interval. The payload for the attacks need to be analyzed and the API calls need to be rate limited.
2.5 Deployment
The microservices deployment architecture will have a corporate zone, hybrid zone, demilitarized zone, and ethernet layers. The corporate zone layer allows for private traffic. The hybrid zone layer has the deployments which are limited. A demilitarized zone allows traffic coming from the internet. The Ethernet zone layer allows access to the application to the users who are accessing outside the data center. Network Segmentation helps in separating traffic and providing access to the content from different zones.
2.6 Patterns
Microservices security is designed based on the following patterns:
- These microservices need to be Secure by Design
- Dependencies need to be scanned
- HTTPS needs to be used for securing
- GraphQL APIs
- RSocket Endpoints
- Access and Identity Tokens are used which are generated by
- Authorization Servers
- PASETO Token server
- Sensitive information is encrypted and information is protected.
- Delivery pipelines are used for verifying security.
- Security attacks can be slowed down.
- Docker Rootless Mode is used for microservices security
- Time-Based Security is recommended to avoid security attacks
- Scan Docker and Kubernetes Configuration are suggested to detect and protect from Vulnerabilities
- Cloud and Cluster specific Security best practices are followed for microservices design.
2.7 Additional Best Practices for Microservices Security
Microservices best practices are listed below which are related to the other areas:
- You should use defense in depth pattern to prioritize key services. The defence in-depth pattern is related to having different layers of security defense for your application.
- DevSecOps approach helps in involving automated code scanning and constant app monitoring to prevent any unwanted access. It helps in improving DevOps with a security framework.
- Microservices API needs to be designed as integrated, available, reliable, and confidential components.
- Microservices need to be targeted and designed for user needs.
- They need to be protected by standards and protocols
- Services are designed to be locked for access and invocation.
- They need to be elastic to handle high traffic.
- You need to have a centralized software for security and monitoring.
- For encryption, you can use opensource or commercial software instead of writing code from scratch.
- You should have automatic security updates to control the updates.
- Distributed tracing is used for finding the failures and the root causes of failure.
- Sessions need to be managed while securing the microservices.
- application logs need to be aggregated for security event correlation.
3. Summary
New approaches are emerging to handle new security attacks and challenges. RASP is a good example of a bleeding-edge security framework. Microservices need to be protected by using security best practices.
You can find more articles about the microservices security practices from this site.
You can also find more articles about Microservices here.
