Solving Trust Issues at Scale

Microservices are social constructs: they can’t function without talking with other services. This also raises an interesting question: do we trust all of our microservices?

Not all microservices are the same: some are more sensitive – for example, services that handle personal user data or payment information. Others are user-facing and therefore riskier. We shouldn’t treat all services as equal. A robust mechanism that describes who can talk with who is required.

We dealt with this challenge whilst I was working for Soluto. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. I’ll share how we build this solution (including all the technical details and live demos!), using open source tools like Open Policy Agent, so you can easily build something similar.

Resources:

• Slides: https://www.slideshare.net/SolutoTLV/solving-trust-issues-at-scale-appsec-california

• Open Policy Agent: https://www.openpolicyagent.org/docs/latest/envoy-authorization/

• https://www.envoyproxy.io/docs/envoy/v1.8.0/configuration/http_filters/jwt_authn_filter

• https://github.com/omerlh/zap-operator

• https://www.omerlh.info/2020/01/22/solving-trust-issues-at-scale/