
Post on 03-Jul-2020


Microservices Security Landscape

Prabath Siriwardena | prabath@wso2.com | prabath@apache.org

ABOUT ME


▪ https://github.com/prabath/me | Twitter: prabath

Monolithic

Microservices

Challenges

● Broader attack surface
● Performance
● Deployment complexities
● Observability
● Sharing user context
● Polyglot architecture

Gateway Pattern at the Edge

OAUTH 2.0


AUTHORIZATION CODE GRANT TYPE


Gateway Pattern at the Edge

Service to Service Security: Trust the Network

Service to Service Security: Mutual TLS

Service to Service Security: Mutual TLS + Shared JWT

Service to Service Security: Mutual TLS + JWT (Token Exchange)

Service to Service Security: Mutual TLS + JWT (Proxy)

Service to Service Security: Data Plane

Service to Service Security: Control Plane

Service to Service Security: Authorization: Embedded PDP / Call Home

Authorization: Open Policy Agent (OPA)

● A lightweight general-purpose policy engine that can be co-located with your service

● Policies are written in Rego
● Can integrate OPA as a sidecar, host-level daemon, or library
● Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka

https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/

● Netflix is an early adopter of OPA

Service Mesh

Service Mesh: Istio

Service Mesh: SPIFFE ~ Trust Bootstrap

Zero Trust Network Principles

● The network is hostile, do not trust it!
● Zero Trust is not about making a system trusted, but instead about eliminating trust on the network
● IP addresses and location are no longer practical to establish sufficient trust for network access

Zero Trust Network Practices

● Keep security enforcement points as close as possible to the resources
● Avoid using bearer tokens
● Follow least privilege principle
● Do contextual access control and make access control decisions near real-time
● Automation
● Distributed tracing and monitoring
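The "Mutual TLS + JWT" slides and the "avoid using bearer tokens" practice meet in a certificate-bound token check, shown here as an added example that is not from the deck: the receiving service verifies the JWT's signature, issuer, audience and expiry, then compares the token's `cnf` / `x5t#S256` confirmation claim (RFC 8705, which goes beyond what the slides state) against the SHA-256 thumbprint of the certificate the caller presented over mTLS, so a token lifted from one workload cannot be replayed from another. The HS256 shared key, the certificate bytes and the service names are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SERVICE_KEY = b"constructed-shared-secret-for-demo"        # constructed; use asymmetric keys in production
ORDER_SVC_CERT_DER = b"constructed DER bytes of order-service client cert"  # stand-in for the mTLS peer cert

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 'x5t#S256' confirmation value: base64url(SHA-256(DER))."""
    return b64url(hashlib.sha256(cert_der).digest())

def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT (the token-service side, simplified)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_service_token(token, key, issuer, audience, client_cert_der, now=None):
    """Accept the JWT only if it is signed, unexpired, addressed to this service
    and bound to the certificate the caller actually presented over mTLS."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # rejects 'none' and key-confusion attempts
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(b))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this service")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # Proof of possession: the cnf thumbprint must match the mTLS peer certificate.
    bound = str(claims.get("cnf", {}).get("x5t#S256", ""))
    if not hmac.compare_digest(bound.encode(), cert_thumbprint(client_cert_der).encode()):
        raise ValueError("token not bound to the presenting client certificate")
    return claims
```

In a real deployment the peer certificate comes from the TLS layer (or the sidecar's forwarded-cert header in a service mesh), and the thumbprint comparison is what turns the JWT from a bearer credential into a sender-constrained one.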

End-to-End Flow