securing microservices
TRANSCRIPT
![Page 1: Securing Microservices](https://reader036.vdocuments.site/reader036/viewer/2022062503/5876fde11a28abf3398b6b5d/html5/thumbnails/1.jpg)
SECURING MICROSERVICES
Prabath Siriwardena, WSO2. Twitter: @prabath, Blog: http://facilelogin.com
MICROSERVICES
SOA TO MICROSERVICES
• Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some end set of capabilities.
• A service is an isolated process — and the inter-service communication happens over the network.
• Microservices is SOA done right!
• Provides a focused, scoped and modular approach to application design.
RECOMMENDED READING
• Building Microservices by Sam Newman, http://www.amazon.com/dp/1491950358/
• Summary of the book: http://bit.ly/1sHXJMq
KEY PRINCIPLES
• Model around business concepts
• Adopt the culture of automation
• Hide internal implementation details
• Decentralize all the things
• Independently deployable
• Isolate failures
• Highly observable
MONOLITHIC VS. MICROSERVICES
CHALLENGES
• Larger number of service-to-service interactions
• Wider attack surface
• Immutable servers
• Service per host deployment model
• Small team ownership
SERVICE TO SERVICE COMMUNICATION
JSON WEB TOKEN (JWT)
JSON WEB TOKEN (JWT)
• JWT defines a container to transport data between interested parties
• A JWT can be used to:
  • Propagate one’s identity between interested parties
  • Propagate user entitlements between interested parties
  • Transfer data securely between interested parties over an unsecured channel
  • Assert one’s identity, given that the recipient of the JWT trusts the asserting party.
JSON WEB TOKEN (JWT)
• A signed JWT is known as a JWS (JSON Web Signature)
• An encrypted JWT is known as a JWE (JSON Web Encryption)
CLIENT CERTIFICATES
• TLS Mutual Authentication
• Trusted Sub-system Pattern
• Certificate Revocation
  • CRL
  • OCSP
  • OCSP stapling
  • OCSP stapling required
SHORT-LIVED CERTIFICATES
• Identical to a regular certificate, except that the validity period is a short span of time such as a few days.
• Used by Netflix
• Addresses challenges with certificate revocation
SHORT-LIVED CERTIFICATES @ NETFLIX
XACML
• Policy language, component architecture, request/response protocol
• The de facto standard for fine-grained access control
• JSON profile for XACML
XACML COMPONENT ARCHITECTURE
ACCESS CONTROL
ACCESS CONTROL (IN-PROCESS-PDP)
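The XACML slides name the component architecture (a policy enforcement point in the service asking a policy decision point for a decision), the JSON profile's request/response shape, and the in-process PDP variant in which the decision point runs inside the service so no network hop is needed per request. The block below is an added example, not the deck's code or any XACML product: a deliberately minimal in-process PDP that accepts requests in the JSON profile's `Request` / category / `Attribute` layout and returns a JSON-profile style `Response`. The policy format (exact-match attribute sets per rule), the rule ids, the attribute ids `role`, `action-id` and `resource-type`, and the medical-record scenario are all constructed for the example; real XACML policies are far richer, and only deny-overrides combining is implemented here.

```python
# Constructed policy (assumption: a simplified rule format, not XACML's
# policy language). A rule applies when, for every (category, AttributeId)
# listed, the request carries at least one of the allowed values.
POLICY = {
    "combining": "deny-overrides",
    "rules": [
        {"id": "clinicians-read-records", "effect": "Permit",
         "match": {("AccessSubject", "role"): {"doctor", "nurse"},
                   ("Action", "action-id"): {"read"},
                   ("Resource", "resource-type"): {"medical-record"}}},
        {"id": "non-admins-never-delete", "effect": "Deny",
         "match": {("Action", "action-id"): {"delete"},
                   ("AccessSubject", "role"): {"doctor", "nurse", "guest"}}},
        {"id": "admins-unrestricted", "effect": "Permit",
         "match": {("AccessSubject", "role"): {"admin"}}},
    ],
}


def attribute_values(request: dict, category: str, attribute_id: str) -> set:
    """Collect every value of one attribute from a JSON-profile style request."""
    found = set()
    for entry in request.get("Request", {}).get(category, []):
        for attr in entry.get("Attribute", []):
            if attr.get("AttributeId") == attribute_id:
                value = attr.get("Value")
                found.update(value if isinstance(value, list) else [value])
    return found


def rule_applies(rule: dict, request: dict) -> bool:
    """All listed attributes must intersect the rule's allowed values."""
    for (category, attribute_id), allowed in rule["match"].items():
        if not attribute_values(request, category, attribute_id) & allowed:
            return False
    return True


class InProcessPDP:
    """Decision point embedded in the service: no network call per decision."""

    def __init__(self, policy: dict):
        self.policy = policy

    def decide(self, request: dict) -> dict:
        effects = [r["effect"] for r in self.policy["rules"]
                   if rule_applies(r, request)]
        # deny-overrides: a single applicable Deny wins; with no applicable
        # rule the answer is NotApplicable, which the PEP treats as a refusal.
        if "Deny" in effects:
            decision = "Deny"
        elif "Permit" in effects:
            decision = "Permit"
        else:
            decision = "NotApplicable"
        return {"Response": [{"Decision": decision}]}


def build_request(role: str, action: str, resource_type: str) -> dict:
    """Shape a request the way the JSON profile lays out categories."""
    return {"Request": {
        "AccessSubject": [{"Attribute": [{"AttributeId": "role", "Value": role}]}],
        "Action": [{"Attribute": [{"AttributeId": "action-id", "Value": action}]}],
        "Resource": [{"Attribute": [{"AttributeId": "resource-type",
                                     "Value": resource_type}]}],
    }}


def is_permitted(pdp: InProcessPDP, request: dict) -> bool:
    """PEP helper: fail closed on anything other than an explicit Permit."""
    return pdp.decide(request)["Response"][0]["Decision"] == "Permit"


if __name__ == "__main__":
    pdp = InProcessPDP(POLICY)
    for role, action in [("doctor", "read"), ("nurse", "delete"), ("guest", "read")]:
        print(role, action, pdp.decide(build_request(role, action, "medical-record")))
```

The enforcement helper treats `NotApplicable` and anything unexpected exactly like `Deny`; an in-process PDP removes the latency and availability concerns of a remote decision point, but the policy it loads still has to be distributed and refreshed from the policy administration point, which is the trade-off the component-architecture slide is about.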
THE EDGE SECURITY
API GATEWAY PATTERN
OAUTH 2.0
• Framework for access delegation
• Doing something on behalf of someone else, preserving the identity of both
• Self-contained access tokens
OAUTH 2.0
EDGE SECURITY WITH OAUTH 2.0 / OIDC