Patterns and techniques for securing Microservices
Many new and existing systems are built using Microservices. As the number of deployed Microservices increases, the complexity of securing them grows. The addition of multiple autonomous teams further increases the attack surface of a system as more services are pushed into production. Finally, the business need to deploy 3rd-party services with “soft” security guarantees must be addressed. As a result, maintaining system integrity becomes a significant challenge and one that must be managed. To mitigate some of these risks we present a background on the three A’s of computer security (Authentication, Authorization and Accounting), explaining each in detail and its importance from a broad system perspective. From there we take the audience through a set of Microservice-native patterns and tools for enforcing and managing each `A`, with a focus on enforcement and measurement at the service mesh layer. At the conclusion of the talk, attendees should have a greater understanding of how to apply system-level security patterns to their Microservice architecture and which tools to use to implement the learnt patterns, thereby improving their security posture.
Microservice architecture overview:
- The Service mesh as point of security enforcement
- What is authentication? Who needs to authenticate in a Microservice system?
- Human versus service authentication: standards and patterns
- Pattern: Transparent user authentication at the service mesh layer using Istio
- What does authorization mean in a Microservice architecture? Who, where, when and what.
- Pattern: OAuth2 authorization at the app layer
- Pattern: JIT authorization at the service mesh layer using Istio
- How do we account for or audit what operations are being performed in the system?
- Pattern: audit measurement at the service mesh layer using Istio
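As an added illustration of the two Istio mesh-layer patterns above (transparent user authentication and authorization enforced by the mesh rather than the app), not material from the talk itself: the namespace, workload label, issuer, JWKS URL and scope claim are all placeholders chosen for the example.

```yaml
# Added example (not from the talk). Assumes workloads run in the
# hypothetical namespace "prod" with label app=orders, and that the identity
# provider issues JWTs with the placeholder issuer and JWKS URL below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: user-jwt
  namespace: prod
spec:
  selector:
    matchLabels:
      app: orders                 # hypothetical workload label
  jwtRules:
  - issuer: "https://idp.example.com/"                       # placeholder
    jwksUri: "https://idp.example.com/.well-known/jwks.json" # placeholder
---
# Caveat a practitioner should know: a RequestAuthentication on its own only
# rejects requests that carry an INVALID token; a request with NO token still
# reaches the workload. The AuthorizationPolicy below closes that gap by
# allowing traffic only when the sidecar has validated a request principal,
# and it additionally gates on a claim so the app need not re-check scopes.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-user-jwt
  namespace: prod
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]    # any principal validated by the rule above
    when:
    - key: request.auth.claims[scope]
      values: ["orders:read"]       # hypothetical scope claim required
```

Because the ALLOW policy is the only policy selecting the workload, every request that does not match it (including unauthenticated ones) is denied by the sidecar, which is what makes the authentication transparent to the application code.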