The software industry has accelerated its shift towards microservices and has fully embraced distributed, cloud-native apps. Because existing application security models were designed for a different era, they are woefully inadequate, exposing both consumers and companies. The mismatch between where software is going and where application security has been puts us all at risk, as several recent high-profile leaks have shown.
Finding their roots in the 90s, “microservices are a more concrete and modern interpretation of service-oriented architectures (SOA) used to build distributed software systems. Like in SOA, [microservices] are processes that communicate with each other over the network in order to fulfill a goal.” [source] The 90s marked the dawn of the distributed application era as it exists today. Not surprisingly, it was also the period that defined data center security as we know it, with the ubiquitous use of firewalls, ACLs, NAT, etc.
Given distributed applications’ history and their long coexistence with proven security methods, the central question is: what has changed recently to render these applications less secure and more exposed? That change is taking place along three dimensions: feature velocity, scalability, and application topology.
Microservices and DevOps have enabled companies to be faster and more agile; this means more features in less time and the ultimate ability to outrun the competition. One of the “features” of cloud-native applications is the ability to scale quickly.
Applications are at the core of business transformation. The speed of innovation is driving an ever-increasing need for new development methodologies, application architectures and cloud-native infrastructure. The traditional approaches to developing monolithic applications hamper feature velocity. With monoliths, application logic is wrapped into a single codebase, increasing the test and deployment scope for even the smallest of changes. Microservice-based application development allows the disaggregation of a monolith into a set of loosely coupled and independent functions, enabling developers to work in small teams and iterate on features at a higher velocity. For DevOps teams, adoption of cloud infrastructure and cloud-native capabilities reduces the burden of managing infrastructure through automation and treating infrastructure as code. The adoption of cloud-managed services such as managed databases and machine learning gives developers the freedom to innovate in the application business logic. Coupling microservices with adoption of cloud infrastructure and cloud-managed offerings is a recipe for high-velocity application development. But what about compliance and security considerations as enterprises undertake this transformation?
Moving to a microservices framework and adopting cloud-native services introduces new security considerations for developers, line-of-business owners and security teams. An application that was once deployed as a monolith in a single virtual machine is now deployed as a distributed system across a combination of virtual machines or containers, very likely on infrastructure outside the traditional enterprise security perimeter. Because APIs are the communication method between microservices, each API call is a new point where access control and compliance must be enforced, and the perimeter firewall no longer sees it.
For more on the best practices of securing microservices, read our whitepaper on Security for Microservices here.