SECURING MICROSERVICESPrabath Siriwardena, WSO2.Twitter: @prabath Blog: http://facilelogin.com

MICROSERVICES

4

SOA TO MICROSERVICES• Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some end set of capabilities.

• A service is an isolated process — and the inter-service communication happens over the network

• Microservices is the SOA done right!• Provides focused, scoped and modular approach for application design.

5

RECOMMENDED READING• Building Microservices by Sam Newman, http://www.amazon.com/dp/1491950358/

• Summary of the book: http://bit.ly/1sHXJMq

6

KEY PRINCIPALS• Model around business concepts• Adopt the culture of automation• Hide internal implementation details• Decentralize all the things• Independently deployable• Isolate failures• Highly observable

7

MONOLITHIC VS. MICROSERVICES

8

CHALLENGES• Larger number of service-to-service interactions• Wider attack surface• Immutable servers• Service per host deployment model• Small team ownership

SERVICE TO SERVICE COMMUNICATION

10

JSON WEB TOKEN (JWT)

11

JSON WEB TOKEN (JWT)• JWT defines a container to transport data between interested parties

• A JWT can be used to• Propagate one’s identity between interested parties• Propagate user entitlements between interested parties• Transfer data securely between interested parties over a

unsecured channel• Assert one’s identity, given that the recipient of the JWT trusts the

asserting party.

12

JSON WEB TOKEN (JWT)• A signed JWT is known as a JWS (JSON Web Signature)

• An encrypted JWT is known as a JWE (JSON Web Encryption)

13

CLIENT CERTIFICATES• TLS Mutual Authentication• Trusted Sub-system Pattern• Certificate Revocation

• CRL• OCSP• OCSP stapling• OCSP stapling required

14

SHORT-LIVED CERTIFICATES• Identical to a regular certificate, except that the validity period is a short span of time such as a few days.

• Used by Netflix• Addresses challenges with certificate revocation

15

SHORT-LIVED CERTIFICATES @ NETFLIX

16

XACML• Policy language, component architecture, request/response protocol

• The de facto standard for fine-grained access control• JSON profile for XACML

17

XACML COMPONENT ARCHITECTURE

18

ACCESS CONTROL

19

ACCESS CONTROL (IN-PROCESS-PDP)

THE EDGE SECURITY

21

API GATEWAY PATTERN

22

OAUTH 2.0• Framework for access delegation• Doing something on behalf of someone else, preserving the identity of both

• Self-contained access tokens

23

OAUTH 2.0

24

EDGE SECURITY WITH OAUTH 2.0 / OIDC

25