SECURING MICROSERVICES
Prabath Siriwardena, WSO2. Twitter: @prabath Blog: http://facilelogin.com
MICROSERVICES
SOA TO MICROSERVICES
• Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some end set of capabilities.
• A service is an isolated process, and the inter-service communication happens over the network.
• Microservices is the SOA done right!
• Provides a focused, scoped and modular approach for application design.
RECOMMENDED READING
• Building Microservices by Sam Newman, http://www.amazon.com/dp/1491950358/
• Summary of the book: http://bit.ly/1sHXJMq
KEY PRINCIPLES
• Model around business concepts
• Adopt the culture of automation
• Hide internal implementation details
• Decentralize all the things
• Independently deployable
• Isolate failures
• Highly observable
MONOLITHIC VS. MICROSERVICES
CHALLENGES
• Larger number of service-to-service interactions
• Wider attack surface
• Immutable servers
• Service per host deployment model
• Small team ownership
SERVICE TO SERVICE COMMUNICATION
JSON WEB TOKEN (JWT)
JSON WEB TOKEN (JWT)
• JWT defines a container to transport data between interested parties
• A JWT can be used to
  • Propagate one’s identity between interested parties
  • Propagate user entitlements between interested parties
  • Transfer data securely between interested parties over an unsecured channel
  • Assert one’s identity, given that the recipient of the JWT trusts the asserting party.
JSON WEB TOKEN (JWT)
• A signed JWT is known as a JWS (JSON Web Signature)
• An encrypted JWT is known as a JWE (JSON Web Encryption)
CLIENT CERTIFICATES
• TLS Mutual Authentication
• Trusted Sub-system Pattern
• Certificate Revocation
  • CRL
  • OCSP
  • OCSP stapling
  • OCSP stapling required
SHORT-LIVED CERTIFICATES
• Identical to a regular certificate, except that the validity period is a short span of time such as a few days.
• Used by Netflix
• Addresses challenges with certificate revocation
SHORT-LIVED CERTIFICATES @ NETFLIX
XACML
• Policy language, component architecture, request/response protocol
• The de facto standard for fine-grained access control
• JSON profile for XACML
XACML COMPONENT ARCHITECTURE
ACCESS CONTROL
ACCESS CONTROL (IN-PROCESS-PDP)
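Added example for the XACML and access-control slides above; it is not code from the deck and not an XACML engine. The Go program below is a small in-process policy decision point (PDP) with a policy enforcement point (PEP) wrapper, so a decision is a function call inside the microservice rather than a network round trip. The request layout (subject, resource and action attribute bags), the Permit/Deny/NotApplicable decisions with deny-overrides combining, and the order-service policies (owner-can-read, support-can-read, deny-cross-region) are constructed for the demo; the JSON shape is a simplification, not the XACML JSON profile.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request mirrors the categories of a XACML request context (subject, resource and action
// attributes). This flat layout is constructed for the demo, not the XACML JSON profile schema.
type Request struct {
	Subject  map[string]string `json:"subject"`
	Resource map[string]string `json:"resource"`
	Action   map[string]string `json:"action"`
}

// Decision is the PDP's answer to the enforcement point.
type Decision string

const (
	Permit        Decision = "Permit"
	Deny          Decision = "Deny"
	NotApplicable Decision = "NotApplicable"
)

// Rule pairs an effect with a condition evaluated over the request attributes.
type Rule struct {
	ID        string
	Effect    Decision
	Condition func(Request) bool
}

// Policy targets one resource type and action and holds the rules evaluated for it.
type Policy struct {
	ResourceType, Action string
	Rules                []Rule
}

// PDP is an in-process policy decision point: the policies live in the service's own memory.
type PDP struct{ Policies []Policy }

// Evaluate uses deny-overrides combining: any applicable Deny wins, otherwise an applicable
// Permit permits, otherwise no policy applied.
func (p PDP) Evaluate(req Request) Decision {
	result := NotApplicable
	for _, pol := range p.Policies {
		if pol.ResourceType != req.Resource["type"] || pol.Action != req.Action["id"] {
			continue // target does not match, so the policy is not applicable
		}
		for _, rule := range pol.Rules {
			if !rule.Condition(req) {
				continue
			}
			if rule.Effect == Deny {
				return Deny
			}
			result = Permit
		}
	}
	return result
}

// Enforce is the policy enforcement point inside the microservice: only an explicit
// Permit runs op. NotApplicable fails closed, exactly like Deny.
func (p PDP) Enforce(req Request, op func() error) error {
	if d := p.Evaluate(req); d != Permit {
		return fmt.Errorf("%s: %q may not %s %s", d, req.Subject["id"], req.Action["id"], req.Resource["type"])
	}
	return op()
}

// ParseRequest decodes the JSON request context the enforcement point hands to the PDP.
func ParseRequest(raw string) (Request, error) {
	var req Request
	err := json.Unmarshal([]byte(raw), &req)
	return req, err
}

// OrderPolicies is a constructed policy set for an order service.
func OrderPolicies() PDP {
	return PDP{Policies: []Policy{{ResourceType: "order", Action: "read", Rules: []Rule{
		{ID: "owner-can-read", Effect: Permit, Condition: func(r Request) bool {
			return r.Subject["id"] == r.Resource["owner"]
		}},
		{ID: "support-can-read", Effect: Permit, Condition: func(r Request) bool {
			return r.Subject["role"] == "support"
		}},
		{ID: "deny-cross-region", Effect: Deny, Condition: func(r Request) bool { // overrides both permits
			return r.Subject["role"] != "support" && r.Subject["region"] != r.Resource["region"]
		}},
	}}}}
}

func main() {
	pdp := OrderPolicies()
	req, _ := ParseRequest(`{"subject":{"id":"alice","role":"customer","region":"eu"},
		"resource":{"type":"order","owner":"alice","region":"eu"},"action":{"id":"read"}}`) // constructed request
	fmt.Println(pdp.Evaluate(req)) // Permit
	req.Resource["region"] = "us"
	fmt.Println(pdp.Enforce(req, func() error { return nil })) // Deny: "alice" may not read order
}
```

The PEP treats NotApplicable as a denial on purpose: a request that no policy covers should not silently succeed, and an in-process PDP makes that fail-closed behaviour cheap enough to apply on every call.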
THE EDGE SECURITY
API GATEWAY PATTERN
OAUTH 2.0
• Framework for access delegation
• Doing something on behalf of someone else, preserving the identity of both
• Self-contained access tokens
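Added example serving both the JSON Web Token slides above and the self-contained access token point on this slide; it is not code from the deck or from WSO2. The Go program below mints an HS256 JWS the way an authorization server would and verifies it the way an API gateway at the edge would: pin the algorithm, check the signature in constant time, then check issuer, audience and expiry, and only forward to the upstream microservice when the required scope was delegated. The shared key, the issuer https://as.example, the audience orders-api and the scope orders:read are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the self-contained access token body: issuer, subject, audience, expiry and
// the delegated scopes (RFC 7519 registered claim names plus "scope").
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// sign computes HMAC-SHA256 over the JWS signing input (header.payload).
func sign(key []byte, input string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// MintToken is the authorization server's job: serialise the claims as a compact JWS.
func MintToken(key []byte, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(sign(key, input)), nil
}

// VerifyToken is the gateway's job: check the structure, pin the algorithm, verify the
// signature in constant time, and only then trust the claims (issuer, audience, expiry).
func VerifyToken(key []byte, token, issuer, audience string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected header or alg") // never accept "none" or a different algorithm
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return c, errors.New("bad signature")
	}
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return c, errors.New("malformed payload")
	}
	if c.Iss != issuer || c.Aud != audience {
		return c, errors.New("token not from the expected issuer or not for this audience")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// NewGateway builds the edge handler: validate the bearer token and the required scope,
// then forward to the upstream microservice with the verified subject attached.
func NewGateway(key []byte, issuer, audience, requiredScope string, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		claims, err := VerifyToken(key, strings.TrimPrefix(auth, "Bearer "), issuer, audience, time.Now())
		if err != nil {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		if !strings.Contains(" "+claims.Scope+" ", " "+requiredScope+" ") { // scope is space-separated
			http.Error(w, "insufficient scope", http.StatusForbidden)
			return
		}
		r.Header.Set("X-Subject", claims.Sub) // propagate the verified identity; overwrite whatever the caller sent
		upstream.ServeHTTP(w, r)
	})
}

func main() {
	key := []byte("constructed-demo-key") // shared HS256 secret, constructed for the demo
	tok, _ := MintToken(key, Claims{Iss: "https://as.example", Sub: "alice", Aud: "orders-api", Exp: time.Now().Add(time.Hour).Unix(), Scope: "orders:read"})
	fmt.Println(tok)
	fmt.Println(VerifyToken(key, tok, "https://as.example", "orders-api", time.Now()))
}
```

Because the token is self-contained, the gateway needs no call back to the authorization server per request; the trade-off is that a token stays valid until exp, so lifetimes are kept short. A production gateway would normally use an asymmetric JWS algorithm so that the services only hold the verification key, never the signing key.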
OAUTH 2.0
EDGE SECURITY WITH OAUTH 2.0 / OIDC