Despite the fact that microservices have already been trendy for a couple years, many companies are only just now opening up the advantages of this type of software design architecture. Higher levels of service independence and fast deployment aren’t the only benefits that can be acquired through usage of microservices.
Along with these numerous benefits, there are still some concerns. One of the most important ones is microservices security. You can’t use the same tools you use to protect monolithic architecture – the more containers that are present in the application, the stronger is the attack. In this light, there are still plenty of unanswered questions about effectiveness of this development approach.
In this article, we will tell you more about the security of microservices in general, as well as reliable practices that can be used for their protection.
- What is Microservices Security?
- Principles of Microservices Security
- Best Practices of Microservices Security
What is Microservices Security?
First of all, what are the microservices? According to the National Institute of Standards and Technology (NIST), they are loosely coupled services appearing due to architectural decomposition of components of an application. If we look into any web-based app, its network represents a large security roadblock. But with API-based microservices that use open ports, there is even more room for attacks.
Most microservices use API gateways, which makes authentication even more complicated. However, their individual APIs allow them to be reconfigured separately. The same goes for updates, which is a benefit as it prevents any interruption in the application while it’s being run on several microservices. As one of the cybersecurity measures, developers put a distributed system into action. Its main drawback is significant complexity.
Generally, microservice security is based on particular principles. Understanding them will take you one step closer to completing the task of protecting your architecture.
Principles of Microservices Security
To begin with, you might want to make sure that all your microservices are standardized, well-defined, and fully backed up by documentation. The best way to achieve this is through using APIs. APIs in turn must be integrated, available, reliable, and confidential.
With microservice architecture there are four main areas to think about when it comes to implementing advanced security measures – design, implementation, deployment, and management. Each one of these areas should align with several security principles that are mentioned below:
- Targeted – caters only to services that are needed by the user at this particular time;
- Standardized – protection by standards and protocols;
- Locked – web-based apps are only available to users after they type their credentials (for example, like on Netflix);
- Multi-keyed – only after entering at least two security credentials can you access the website; this is a part of multiple layers security;
- Elastic – having advanced enough services to handle high traffic demands.
By following these several principles of microservices security, you can get better results in protecting the processes from being interrupted by any undesired attacks. To make sure your bases are covered, here are seven tips for effectively securing microservices.
Best Practices of Microservices Security
It would be nice if there were a simple algorithm on how to secure a microservice. Unfortunately, there is no such a thing. There are, however, some practices that can be used as a guide on the way to securing microservices.
1. Use TLS-protocols for all APIs
Any application consisting of microservices requires an API as a key. If there are many independent API services, this software might require some extra tools to manage those APIs.
So, what you definitely need is an access control. This will provide you with secure authentication and authorization. There are some commonly used servers that allow administrators and developers to attain tokens for API authentication.
You can also use third-layer-security protocols for all the APIs to make sure that the system is protected from possible attacks. All APIs that might be exposed must have an HTTPS-certificates. Another essential element is to encrypt all the communication between client and server with transport layer security (TLS).
2. Profile All of Your APIs Due To Their Deployment Zones
Malicious software, such as bots, often aims at exposing the capabilities of the service to much more recipients than required. Technically, only authorized users are supposed to have access to them. To avoid unnecessary exposure, developers can label all the APIs in use based on who should be able to access them.
The API topology goes as follows:
- Corporate Zone – private traffic;
- Hybrid Zone – limited deployments can be recorded at the data center;
- DMZ – a zone for traffic originating from the Internet;
- Ethernet – the app is exposed to those outside the data center.
There is also a process called network segmentation. This allows developers to perform segregation of traffic and demonstrate different content to different user segments.
3. Use OpenID or OAuth 2.0
The main task of these tools is to allow a developer to process user tokens. OAuth 2.0 protocol significantly simplifies the process of securing microservices, even though it still remains a highly challenging task.
First of all, OAuth 2.0 is a good security concept for microservices. It is an authorization framework that allows users to obtain admittance to a resource from the resource server. This is done using tokens.
There are four different roles that OAuth 2.0 can play in microservices security patterns: resource server, resource owner, authorization server, and client. These tokens are responsible for access to the resource prior to its expiry time.
There are also Refresh Tokens that are responsible for requesting new access after the original token has expired.
4. Don’t Show Sensitive Data As Plain Text
Plain text is easy to read and copy by people and machines. While working on securing the PII – personally identifying information – you need to make sure that it is not being displayed as a plain text. All the passwords and usernames should be masked during the storing in logs or records.
However, adding extra encryption above TLS/HTTP won’t add protection for traffic traveling through the wire. It can only help a little bit at the point where TLS terminates, so it can protect sensitive data (such as passwords or credit card numbers) from accidental dumping into a request log.
Extra encryption might help you protect data against those attacks that aim at accessing the log data. But it will not help with those which try accessing the memory of the application servers or the main data storage.
5. Use Multi-factor Authentication
When a user comes to the website and you need to authorize him on the front-end, it is safer to use a multi-factor authentication system. Most apps use two-factor authentication, which requires a username and password as well as another form of identity verification.
By using multi-factor authentication, you offer your users better protection by default as some aspects are harder to steal than others. For instance, using biometrics for authentication takes microservice security on a whole new level.
6. Protect Public APIs From Denial-Of-Service-Attacks
It’s not a rare situation for applications to get sabotaged by DoS-attacks. Those are attempts of sending an overwhelming number of service messages with the aim of causing website failure. Such attacks can present themselves in many different shapes. They can also target the entire platform and network stack. Most the DoS attacks concentrate on volumetric flooding of the network pipe.
There is a way to prevent huge numbers of API requests causing the denial-of-service attack or other problems with API services. You need to set a limit on how many requests in a given period of time can be sent to each API.
If the number exceeds the limit, you can block the access from a particular API, at least for some reasonable interval. Also, make sure to analyze the payload for threats. The incoming calls from a gateway API would also have to be rate-limited.
7. Use Encryption Before Persisting The Data
We’ve already discussed additional encryption of sensitive data instead of showing it anywhere as a plain text. Another thing that is highly recommended is that you encrypt the user data before persisting it.
You can also go for some strong cryptographic algorithms such as RSA 2048+ or Blowfish. They make data transmission much safer. Remember to make sure that the algorithms are compliant with industry standards.
As you can see from above, microservices security requires non-trivial or ready-made solutions. We described some of the best practices that might help you with the protection of your applications.
However, remember that –
When it comes to security, there is always room and demand for innovation. It’s always better to use cutting edge tools than sticking with old-fashioned approaches and hoping for the best.
If you would like to learn more about microservices security or need help with security issues, we will be glad to assist. Please contact us using a form on our website. We know how small details work for the bigger picture and how microservices security architecture can be utilized at its best!