The adoption of microservices and cloud-native infrastructure requires a comprehensive solution that operates across multiple layers of the security stack and is built on strong identity for policy enforcement. Three core tenants define an effective microservice security solution –
There are three layers in the microservice security stack:
Service Identity or Application Identity is central to Authentication and enforcing Authorization between users, applications and microservice APIs. The more context available to identify a microservice, the stronger it makes authentication and authorization policies. Considerations for enhancing the identity of a service are as follows:
I. Leveraging vulnerability data from container image scans. This data may change over the life of a container and so does the contextual identity of the container.
II. Containers are most often auto-generated as part of a CI/CD pipeline and carry considerable metadata, such as the type of container (frontend or backend), the type of image it is running (Mongo, Redis) and perhaps some reference identifier back to the code commit that triggered the creation of this container. This metadata can become a multi-attribute identity. Identity paves the path for scalable encryption across all microservices. Mutual TLS is a popular encryption technique and part of the TLS negotiation process is to authenticate and authorize both ends of a microservice. The identity assigned to a microservice can now become an integral part of authorizing this TLS session. It is important to offload any Public Key Infrastructure logic from the microservice allowing developers to focus on their business logic.
Most microservice and cloud-native adoption projects start as small initiatives with specific scopes. There is always a brownfield deployment where microservices have dependencies on monoliths. The services can be hosted in both public and private cloud environments and use a number orchestration capabilities such as Kubernetes, EC2 Container Services or VMWare. A microservice security solution needs to operate in all of these environments.
For more on the best practices of securing microservices, read our whitepaper on Security for Microservices here.