Microservices architecture promises faster time to market, better scalability and loosely coupled components compared to monolithic builds. However, a conglomeration of several small autonomous services comes at a security cost -- it complicates service-to-service communication, fragments data consistency and increases attack surfaces.
When you are working in a microservices-based application, a simple firewall will not suffice. The microservices design needs a much more layered defense to combat threats. The application's security must be a fundamental part of its architecture -- microservices developers should build the application's security framework right from the beginning.
Security challenges in microservices
The distributed nature of microservices creates inherent complexities and security issues that development teams have no choice but to address. The most notable microservices security challenges are a large attack surface, insufficient log analysis, poor testing and low fault tolerance.
Attack surface. In a microservices-based application, the proliferation of communication interfaces increases an application's overall attack surface. Each exposed API and communication channel creates a potential attack vector that developers need to make sure they address.
Logging. A microservices-based application typically has distributed, stateless services that are developed through heterogeneous technologies. Logs are not all in the same format or generated in the same way. It's also possible that these services interact across large geographical distances. Create a system to aggregate logs so that security analysts can correlate events that occur across diverse and disparate platforms.
Testing. Microservices developers can create, deploy and manage services independent of each other, which means they can quickly release services without thorough testing. Testing catches security vulnerabilities. Although one of the greatest benefits of microservices-based applications is the freedom to release frequently, this improved agility must be tethered to proper testing.
Fault tolerance. Fault tolerance in a microservices-based application is much more complex compared to that in a monolithic application. When the number of services communicating over the network increases, complexity increases, making faults more likely. If any microservice cannot properly cope with failures, it can destabilize the entire application, and any other applications it works with.
Microservices security best practices
There are four microservices security best practices to avoid these pitfalls. Adopt all of them when building applications.
1. Practice defense-in-depth. Defense-in-depth is a strategy in which several layers of security control are introduced in an application. Sensitive services get layers of security cover, so a potential attacker who has exploited one of the microservices in the application may not be able to do so to another microservice or other layers of the application.
Rather than depending on a single, seemingly robust security measure, use all the security measures at your disposal to create layers of security that potential attackers will have to break through. For instance, even if you already have a strong network perimeter firewall in place, ensure that you still practice strong token-based identification, keep addresses of sensitive microservices private and maintain a strong monitoring layer that diligently identifies unusual behavior.
2. Use the API gateway. In a typical microservices-based application, it's ideal that service consumers do not communicate with microservices directly. Rather, an API gateway should provide a single point of entry for traffic, which it directs to various microservices. These API gateways often use token-based authentication to manage what data privileges particular services have and dictate how they can interact with that data.
Since the clients don't directly access the services, they cannot exploit the services on their own. You can add a layer of protection if you place the API gateway behind a firewall. This ensures all the microservices used in a particular application are secure.
3. Focus on data and API security. Microservices often need to communicate with each other via data packets and APIs. Maintain security certificates and ensure any data in-transit is encrypted.
Also, closely guard API permissions -- only authorized users should have access to the APIs. One way to handle this is using the principle of least privilege to control access to resources. Provide access to a resource only on an as-needed basis.
4. Apply DevSecOps strategies. Microservices security best practices aren't just about deploying the right technology. For microservices adoption to be successful, the development and operations teams should converge in line with the concept of DevOps, but they should also have a close relationship with security groups to understand security processes and how to mitigate security risks.
This approach, known as DevSecOps, dictates that developers and operations staff should make security teams part of the initial application design process, rather than only consulted after things go into production. Developers and security staff should work together to determine how to constantly and automatically monitor microservices-based applications for potential threats. Monitoring tools like Prometheus and InfluxDB can help you attain these centralized monitoring capabilities.
Automated code scanning and continuous code updates are also essential. DevOps and security teams should work closely together to monitor code and prevent any unauthorized access to a resource in the application.