
Microservices governance requires standards, security and scrutiny

What does it take to govern microservices? Christine Parizo explains why this requires comprehensive security, the establishment of standards and a careful selection of products.

As a smaller subset of SOA, microservices offer a more modular approach to allow developers to quickly code, test and deploy new features. With that architectural freedom comes more complexity that isn't necessarily based in the infrastructure. In the absence of governance, critical patches might be missed, leading to buggy software or even major security vulnerabilities, according to experts.

As microservices become more popular, the security, general standards and even best practices associated with them need to be addressed through governance. No single, neutral governance framework has been put into place yet, although companies are working on one. In the meantime, knowing which products can help with microservices governance will be critical.

Secure those microservices

"Microservices are the next step toward modularizing and distributing systems, and they do this to an even much higher degree than what we've seen so far with virtualization," said Sven Dummer, senior director of product marketing at Loggly. Developers may fall into the trap of treating microservices the way they do virtualization, or may not update and patch software as part of regular maintenance. This could lead to unpatched, unsecured components not being noticed because they ostensibly run fine, he said.

"Make sure you understand the requirements and risks that are specific to microservices just as well as you understand their benefits," Dummer said. Governance tools need to address these requirements and risks -- and security is one of the risks of microservices, as with all development projects.

The potentially complex interactions between microservices, which can run across multiple cloud and on-premises data centers, make a different approach to security necessary, according to Jim Reno, chief architect for security at Apcera. "Securing [microservices] requires a solution that focuses on the workload, not the infrastructure, like traditional approaches," he said.

For that, Reno said developers can look for tools that are secure by default, work in any environment and address security comprehensively.

A neutral microservices governance framework is on the horizon

Microservices typically are placed into containers and uploaded via Docker. Containers may have experienced the fastest uptake of any developer-centric technology in history. As a result, nearly every company in the cloud computing space wants to provide a neutral governance framework, according to Dan Kohn, executive director at the Cloud Native Computing Foundation.

In addition to the Linux Foundation's Open Container Initiative (OCI), the Cloud Native Computing Foundation is also working on standards. The Foundation is working on roadmaps for deploying the technologies that enable containerized microservices.

"For governance, all of the interesting work about standardizing the image format and runtime are happening in OCI," Kohn said. "The community will eventually settle on one or several standards for each layer of the cloud native stack."

However, according to Kohn, alternatives exist for enabling container orchestration, such as Mesos, Kubernetes and Docker Swarm. Mesos is the oldest and probably the most widely deployed, while Docker Swarm is capitalizing on the popularity of Docker containers. Kubernetes, meanwhile, has the highest mind share and has rapidly amassed over 639 developers contributing to the project and 17,366 commits over the last year, he said.

Get governance baked into products

When choosing products, developers should lean toward those that have governance built into the architecture via APIs rather than relying on perimeter tools, according to Sandeep Singh Kohli, director of product marketing at MuleSoft.

"Our customers see APIs as contracts by the developers on what the microservices will do, and more importantly, what they won't do," he said. He added that APIs make it easier for central IT to govern via gateways that act as proxies. This ensures microservices governance is also balanced with flexibility for domain teams.

"It is important to look at governance holistically as not only microservices management during runtime, but also as an inculcation of best behavior within domain teams during design and development," Kohli said. While the first part can be addressed through APIs, best practices can be more difficult since they deal with the human element. Things like posting microservices on a collaboration hub and encouraging merit-based reuse with reviews and ratings can help, he said.

Ultimately, the popularity of microservices will require standards, which will likely stem from collaboration between companies in the cloud computing space. Until then, products do exist to help shore up security issues and ensure that the microservices are flexible enough to meet the needs of the company.
