August 18, 2017

If you use Docker containers or other microservices to host your apps, you probably rely heavily on APIs. And if you want to run those apps in production, securing the APIs is crucial.

“Microservices applications are a very different beast to a single large monolith,” said NGINX head of products Owen Garrett. “Shortly after beginning to decompose an application into individual services, organizations often realize that they can optimize the way that clients—web browsers, mobile applications, desktop and embedded applications—access the functionality.”

That leads to heavy reliance on APIs and web endpoints, according to Garrett. In turn, you end up with a larger potential attack surface because there are more entry points that you must secure.

Securing Microservices

The following guidelines can help you meet that challenge:

  • Expose externally as few APIs as possible. If your API doesn’t need to be accessible from the outside, don’t let it be. Otherwise, you’re just creating an unnecessary security risk.
  • Use APIs with strong authentication and authorization policies. These make an attacker’s job more difficult in the event that he gets access to your API.
  • If your API is not secure, don’t expose it externally. Instead, customize the API so that the unsecured components run only internally. “In many cases, it is easier to construct specially sanitized APIs for external consumption, delivered with security measures such as rate-limiting, detailed logging and circuit-breaker patterns, than it is to attempt to secure an internal API,” Garrett said.
  • When you do expose your APIs externally, encrypt them and use an API gateway. These help to harden the API against attacks.
  • Don’t forget to secure internal APIs. APIs that are not exposed publicly are more difficult to attack, but they’re by no means immune to attack. For that reason, you should still take precautions to secure internal APIs. Use TLS encryption and a public key infrastructure to share secrets.

The fact that microservices architectures introduce more moving parts and add layers of communication to your infrastructure doesn’t mean they can’t also be secure. But it does mean you have to take extra security precautions by hardening APIs. That’s the only way to ensure data privacy and application security in the age of Docker and microservices.

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with Fixate.io and Sweetcode.io.