Securing Micro-services is a tall order objective. Like any other thing in the realm of software development, there are a lot of tings to be taken into consideration on the approach to be taken in securing micro-services. There is no panacea for all threats. And assuming even if one exists, attempting to secure every service with highest levels using a single mechanism is simply over-doing the task that dampens other non-functional requirements (performance and scale).
So what are some of the things to take into account for security? The answer to that would be to ask yourself the following questions:
So what are some of the things to take into account for security? The answer to that would be to ask yourself the following questions:
- Who are the direct consumers to that service? Or is your service external-facing exposed to the internet or just an internal service?
- API Gateway Pattern is a very popular pattern for securing edge-services by handling authentication and service discovery. Each external request is signed, which provides additional layer of authentication.
- For internal services, isn't the firewall and OS layer security good enough? In the case of containerized applications, aren't your minimalist base-images of container good enough to cut fat and have just enough processes/programs enabled to keep things secure apart from your network firewall? The alpine editions of the linux operating systems for instance wouldn't even have CURL program removing the possibility to remotely curl a service from terminal.
- It is important to keep in mind that with microservices architecture, there are often more attack paths than in a monolithic architecture. Play the devil's advocate.
- What data does the service expose? Open or Closed.
- How sensitive or confidential is your data? What do you get to loose if this data leaks?
- Do you really want to secure your service that for instance say is serving weather data of a location, catalog of your products, traffic data of a location, etc?
- What is the tolerance to data staleness? Or how fresh or real-time you want the data to be?
- How real-time a data you are look for?
- At what rate the change of data happens?
- What is the volume of these requests?
- How frequently is your service accessed and at what volume?
- Put other-way what is the performance requirement for your service in terms of latency (the time it takes to process a request), throughput (the number of requests handled per second)?
- What kind of attack are you preparing your defenses for? Eavesdropping, Man-in-the-middle (MITM), SQL-Injection, Cross-Site Request Forgery (CSRF), Denial-of-Service (DoS) etc.
- The medicine depends on the illness. What security measures are to be taken depends on what threats we are attempting to thwart.
All the above questions together has its effect on what and how you secure your service. You should identify any risk boundaries first. Then you can create security boundaries that match. Each boundary can then be secured by whatever method is best. Some might only need to be restricted by what addresses are allowed through (firewall), others might need additional token or certificate based security.
Classifying systems and data is so damn boring but then it is very vital thing to do, to get your overall systems right.
Classifying systems and data is so damn boring but then it is very vital thing to do, to get your overall systems right.