New approaches to security of microservice architectures

Before Cloud Computing there was a well-defined security perimeter, protected by a traditional firewall appliance, and services and data inside it were (assumed to be) safe. With the advent of Cloud Computing, SaaS, Mobile, IoT, and Big Data, the perimeter has become highly elastic, and we have had to rethink our security models as a result. Two common schools of thought on how to define the new perimeter are Identity-Defined and Software-Defined. My thesis is that Services encapsulate both Identity and Software, so Services-Defined Perimeter is the term I am using.

In addition to Cloud Computing and Virtualization, Containers (largely thanks to Docker) have become extremely popular, and monolithic software stacks are evolving into microservices architectures. As your teams start leveraging these new technologies and architectures, how do you ensure that you are continually enhancing your security posture? Graham Lea recently posted a great article on the security questions that you should be asking your teams. I have been discussing and developing solutions around this, and it’s great to see that others are talking about modern methods of securing infrastructure.

New approaches, built on the following core tenets, are needed to address the security considerations of a microservice architecture.

  • Least-Privilege — Assigned access rights should be the minimum necessary for the resource and the assignment duration should be the shortest possible amount of time.

  • Principal-Authentication — Ensures that the user gains access to the system only with strong credentials, and that authentication attempts are rate-limited.

  • Principal-Authorization — Ensures that the user has the privileges to access what they are attempting to access.

  • Service-Authentication — Ensures that the service requires connecting services to authenticate instead of allowing all connections.

  • Service-Authorization — Ensures that the authenticated service has access rights to the resource that it is attempting to access.

Many companies still rely upon legacy IAM and PIM solutions to attempt to address these needs, but they don’t work well with modern Cloud infrastructure. What is needed is a modern access management platform that enables automated infrastructure deployments where every component is assigned an identity: user, machine, container, layer, robot, service. Authentication and Authorization should be dynamically managed via RESTful APIs and include a tamper-proof audit log for reporting and compliance.

Role-Based Access Control principles should also be dynamically applied to deliver least privilege and authorization for all identities, static or ephemeral. Elevated or augmented access rights should be removed immediately after the session ends. Access rights policy should follow the “need to know” philosophy. An extremely fine level of granularity for privileges and permissions is needed, and most solutions today don’t provide it.
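As an added example (not code from the article or any product it mentions), the following toy access manager applies the tenets above to service identities: every component gets its own identity, grants are scoped to one (resource, action) pair and expire after a TTL, failed authentications are rate-limited by a lockout, and every decision lands in a hash-chained audit log whose tampering can be detected. All identity names, credentials and resources are constructed.

```python
import hashlib, hmac, json, time
from collections import defaultdict

def sha(text): return hashlib.sha256(text.encode()).hexdigest()  # hashing for credentials and the audit chain

class AccessManager:
    MAX_AUTH_FAILURES = 3  # failed authentications allowed before a principal is locked out
    def __init__(self):
        self.creds = {}                   # identity -> hashed credential (constructed toy store)
        self.grants = {}                  # identity -> {(resource, action): expiry_epoch}
        self.failures = defaultdict(int)  # identity -> consecutive failed authentications
        self.audit = []                   # append-only; each entry chains to the previous hash
    def _log(self, event):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        self.audit.append({"event": event, "prev": prev,
                           "hash": sha(prev + json.dumps(event, sort_keys=True))})
    def register(self, identity, credential):
        # Every component (user, machine, container, service) gets its own identity.
        self.creds[identity] = sha(credential)
    def grant(self, identity, resource, action, ttl, now=None):
        # Least privilege: one (resource, action) pair, valid only for ttl seconds.
        now = time.time() if now is None else now
        self.grants.setdefault(identity, {})[(resource, action)] = now + ttl
        self._log({"type": "grant", "who": identity, "res": resource, "act": action, "ttl": ttl})
    def authenticate(self, identity, credential):
        # Principal/Service-Authentication; the lockout after repeated failures is the rate limit.
        if self.failures[identity] >= self.MAX_AUTH_FAILURES:
            self._log({"type": "auth_locked", "who": identity})
            return False
        ok = hmac.compare_digest(self.creds.get(identity, ""), sha(credential))
        self.failures[identity] = 0 if ok else self.failures[identity] + 1
        self._log({"type": "auth", "who": identity, "ok": ok})
        return ok
    def authorize(self, identity, resource, action, now=None):
        # Principal/Service-Authorization: deny unless an unexpired grant matches exactly.
        now = time.time() if now is None else now
        expiry = self.grants.get(identity, {}).get((resource, action))
        ok = expiry is not None and now < expiry
        self._log({"type": "authz", "who": identity, "res": resource, "act": action, "ok": ok})
        return ok
    def audit_intact(self):
        # Recompute the chain; an edited or dropped entry breaks every later hash.
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or entry["hash"] != sha(prev + json.dumps(entry["event"], sort_keys=True)):
                return False
            prev = entry["hash"]
        return True
```

The expiring grant is the same idea as the temporary tokenized access discussed later: the service never holds a long-lived privileged credential, only a right that lapses on its own.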

SSH Access and Secrets Management solutions also need to be re-factored to scale to tens of thousands of machine instances while ensuring Enterprise-grade security. Prior techniques, such as using a deployment tool to distribute SSH public keys, don’t scale to Cloud proportions. One approach is to centralize the SSH key store and provide both Authentication and Authorization as part of the SSH login process. For Secrets Management, the secrets shouldn’t be hidden or embedded in the client code; instead, use a utility such as Summon to inject them into the environment at run time.

Inbound Service traffic to instances, both static and ephemeral, should also be filtered by an Authorization platform. Privileged communications should then be monitored, tagged, and logged for audit and compliance. Temporary tokenized access to the service should also be part of the solution, which eliminates the need for privileged credential exchange and the associated risks.

The times are indeed a-changin’ and I encourage people to consider an innovative and disruptive approach to addressing the new stack.

About the Author/Mike Kail

Mike Kail was Yahoo’s CIO and SVP of Infrastructure, where he led the IT and Data Center functions for the company. Prior to joining Yahoo, he gained more than 24 years of IT Operations experience with a focus on highly scalable architectures. Most recently, Kail served as VP of IT Operations at Netflix. Prior to that, he was VP of IT Operations at Attensity, where he was responsible for the Americas data center operations team, including managing various big data systems with their Hadoop cluster, HBase, and MongoDB components. He has been recognized widely for his insightful industry commentary on Twitter, and was recently named by the Huffington Post as one of the “Top 100 Most Social CIOs on Twitter.” He holds a B.S. in Computer Science from Iowa State University. Reach out to him on Twitter or LinkedIn.

Miles Blatstein

Miles Blatstein is a Web Engineer with the parent company, MediaOps. As a Web Engineer, Miles is tasked with front- and back-end development and management of MediaOps sites, social media marketing, SEO, and customer/client relations and services.