Microservices and Security
I have written some general articles about microservices and software security separately.
Now let's talk about how to implement security in a microservices-based system. The fundamentals remain the same, but there are some unique challenges in microservices systems that we need to be aware of.
The main challenge is that a microservices system can have a lot of moving parts. Each one runs in its own environment. The system is extremely distributed, and each component in the system has to be secured.
Secure the network
Communication between microservices is the most important element in microservices systems, so the network and the communication between the services must be as secure as possible.
1. Implement TLS, and use a newer version, not 1.0 or 1.1. It uses cryptographically secure techniques to mutually authenticate individual microservices and encrypt the traffic between them.
2. Restrict IPs. In other words, we should not allow unknown or unauthorized systems to access the services. We can define an IP whitelist. This list defines which addresses can access each service.
3. Use a gateway. In other words, every inter-service call goes through the gateway. In this case, things such as authentication/authorization can be handled through the gateway, along with monitoring, rate limits and much more.
Securing Identity
When a microservice is called, it should know who is calling it and whether the call is allowed. In other words, we need to handle authentication and authorization. Basically, we need to deal with two types of identities:
- Service identity: the identity of the calling service, e.g. a scheduler or batch job
- User identity: the identity of the end user calling it
We can use things like API keys, access tokens, etc. to implement this.
It is also important to understand the difference between authentication and authorization. In most cases, API keys and access tokens are used to authenticate. The service itself has to handle the authorization part.
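An added example, not from the original article: a request check for an internal service that combines the IP allowlist from the network section with token authentication and in-service authorization. The signing key, network range, identities, permission names and the HMAC token format are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (assumptions, not from the article).
SIGNING_KEY = b"example-key-load-from-a-secret-store"
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]  # e.g. the gateway subnet
PERMISSIONS = {
    "service:scheduler": {"reports:generate"},  # service identity
    "user:alice": {"reports:read"},             # user identity
}

def _tag(identity: str) -> str:
    return hmac.new(SIGNING_KEY, identity.encode(), hashlib.sha256).hexdigest()

def issue_token(identity: str) -> str:
    """Stand-in for the token issuer: the identity plus an HMAC-SHA256 tag."""
    return f"{identity}.{_tag(identity)}"

def authenticate(token: str):
    """Authentication: return the identity if the tag verifies, else None."""
    identity, sep, tag = token.rpartition(".")
    if not sep:
        return None
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    ok = hmac.compare_digest(tag.encode(), _tag(identity).encode())
    return identity if ok else None

def ip_allowed(peer_ip: str) -> bool:
    """Network restriction: the caller must be inside an allowlisted range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)

def handle_request(peer_ip: str, token: str, action: str) -> int:
    """Return an HTTP-style status for one call to the service."""
    if not ip_allowed(peer_ip):
        return 403  # caller is not on the allowlist
    identity = authenticate(token)
    if identity is None:
        return 401  # token did not verify
    # Authorization is decided by the service itself, per identity.
    if action not in PERMISSIONS.get(identity, set()):
        return 403  # authenticated, but not allowed to do this
    return 200
```

A valid token alone is not enough here: `user:alice` authenticates successfully but still receives 403 for `reports:generate`, which is the authentication/authorization split described above.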
Securing Data
Data security principles such as data encryption are not really different from those for regular applications.
https://ishanul.medium.com/secure-data-in-software-development-eb092daeafe5
External vs Internal Services
It might be a good idea to differentiate external and internal services. When we make a distinction between external and internal services, we can think about the points below:
- Do we need TLS all the way down?
- Do we need end user authentication for internal services?
- Limiting access to internal services.
With those questions, we can decide whether we need TLS all the way down or whether we will offload TLS, meaning the TLS connection only goes up to the external service and there is no TLS from external to internal. We can also restrict calling IPs in internal services so that only the external services can access them.
Above are some of the basics that we can think about.