api security in a microservice architecture
play

API security in a microservice architecture Matt McLarty VP, API - PowerPoint PPT Presentation

Apr 25, 2023 •351 likes •785 views

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018 Agenda Purpose and Goals Background Current Approaches - Network-level Controls - Application-level Controls - Emerging

  1. API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018

  2. Agenda ▪ Purpose and Goals ▪ Background ▪ Current Approaches - Network-level Controls - Application-level Controls - Emerging Approaches ▪ Proposed Approach - Domain Hierarchy Access Regulation for Microservice Architecture (DHARMA) - Platform-Independent DHARMA Implementation ▪ What Next?

  3. About Matt McLarty ▪ Vice President of the API Academy (CA Technologies) ▪ Co-author of Microservice Architecture from O’Reilly ▪ Instructor for Microservices for the Enterprise O’Reilly training ▪ 20+ years in development, enterprise IT, software architecture ▪ Architect, writer, speaker ▪ Live in Vancouver, BC, Canada

  4. O’Reilly Report https://transform.ca.com/API-securing-microservice-apis-oreilly-ebook.html

  5. Goals Primary ▪ Create a comprehensive “literature review” for Microservice API Security ▪ Define a general model for API access control applicable to microservices ▪ Refine the general model for practical use in a microservice architecture ▪ Anticipate the next level of problems and solutions required for microservice API security Secondary ▪ Help to develop a common language for microservices and distributed systems in general ▪ With Fielding as inspiration, try to define a methodology for general solutions like this

  6. Some background…

  7. Microservice Architecture Characteristics Independent Service Ephemerality and deployability and orientation elasticity manageability Web API Container-based communication deployment

  8. Microservice API Terminology ▪ Service ▪ API Consumer ▪ API Provider - Service Instance ▪ API ▪ API Intermediary - API Endpoint - API Gateway - Service Proxy ▪ API Request ▪ API Response

  9. The Microservice API Landscape

  10. IAAA Framework for Microservice APIs • Must support multiple identities and attributes (end Identification users, system components, domains) • Must support multiple authentication methods as Authentication well as delegated authentication • Authorization for a single request may be decided Authorization at multiple points in the request path • Capture of relevant security data or metadata from Accountability API messages

  11. Current approaches…

  12. About Trust ▪ Trust is fundamental in distributed systems ▪ Implicit trust is everywhere! - e.g. network isolation ▪ Trust is about understanding and compromise Trusted communication should be more efficient than untrusted

  13. Network-Level Controls ▪ Localhost isolation ▪ Network segmentation ▪ SSL/TLS

  14. SPIFFE ▪ “Secure Production Identity Framework for Everyone” ▪ PKI functions for ephemeral environments ▪ SVID’s - “SPIFFE Verifiable Identity Documents” - Identity for services and other components ▪ SPIRE - “SPIFFE Runtime Environment” - Agent/Server architecture

  15. Application-Level Controls – Traditional Web Tokens Cookie-based Sessions ▪ Can have a role as long as storage is performant and scalable ▪ Session ID open to hijack ▪ Sessions do not cross security domains SAML ▪ Some concepts useful ▪ Too centralized and heavy for microservice architectures ▪ Does not support delegation

  16. Application-Level Controls – API-oriented Tokens API Keys ▪ An application identifier, not a security mechanism! OAuth 2.0 ▪ Framework for API authorization, supports delegation ▪ Agnostic of token types OpenID Connect ▪ Extends Oauth 2.0 with ID Token JWT ▪ Packaging format for exchanging claims ▪ Convenient and popular in practice

  17. Application-Level Controls – Token Types Opaque (“by - reference”) tokens ▪ Indecipherable to third parties, but require centralized management Transparent (“by - value”) tokens ▪ Management can be decentralized, but accessible to third parties

  18. Infrastructure – API Intermediaries ▪ API Gateway - “North - south” (proxies consumer -to-provider) - Centralized at the perimeter - Fully-featured ▪ Service Proxy - “East - west” (proxies service -to-service) - Local to service (sidecar) - Streamlined https://abhishek-tiwari.com/a-sidecar-for-your-service-mesh/

  19. Infrastructure – Network Overlays ▪ Platform-specific capabilities ▪ Open source projects - OpenContrail, Romana: network overlays - Project Calico: native support for Docker, Kubernetes, Mesos - Cilium: uses Linux kernel modifications

  20. Infrastructure – Platform Capabilities Kubernetes ▪ Network rules restrict communication between various abstractions: clusters, nodes, pods, services ▪ Authentication ultimately left to application logic Cloud Foundry ▪ UAA for user authentication (OAuth 2.0 with JWT’s) ▪ Multiple options for network ACL’s AWS ▪ Built-in proprietary IAM and certificate management ▪ API access control generally left to application logic

  21. Emerging Approaches – Service Mesh ▪ Both an emerging and a time-worn concept  ▪ In practice, network of service proxies ▪ In theory, general policy enforcement for “the system” - Routing, service level management, security ▪ Sample implementation: Istio - “Control plane” for the service mesh - Istio-Auth for authentication, using SPIFFE

  22. Emerging Approaches – Serverless ▪ Constrained but convenient - Less access to infrastructure configuration - Distinction between functions and communication ▪ Access control tied to platform - e.g. AWS Lambda tied to AWS IAM + AWS API Gateway

  23. A Proposed Approach…

  24. Common Patterns in Microservice API Security ▪ “Zero trust” not a common practice due to inefficiency ▪ Many multi-faceted approaches with heterogeneous parts ▪ Many platform-specific capabilities ▪ Binary pattern: - “Fast lane” for traffic based on trust - “Slow lane” for untrusted traffic requiring authentication

  25. Domain Hierarchy Access Regulation for Microservice Architecture (DHARMA) ▪ A multi-cloud approach to API security in a microservice architecture ▪ Applicable at any level of the architecture ▪ Agnostic of domain methodology

  26. What’s in a name? ▪ Dharma n. – The principle of cosmic order - We want order in a complex system ▪ Significant concept in multiple religions - We want a multi-cloud solution ▪ Wheel of Dharma: - Helm of Kubernetes: (And NO… this has nothing to do with the show “Lost”!)

  27. DHARMA Foundational Concepts Concept Definition Trust Domain A set of services that communicate with each other in a privileged way The reason for a domain’s services to be grouped together Domain Relation Trust Mechanism The method used by services within the domain to verify that an API request is coming from a trusted source Access Mechanism The method that allows API requests from outside the domain to be authenticated and authorized Interior Endpoint An API endpoint that is accessible to other services within the domain, authorized through the domain’s trust mechanism Boundary Endpoint An API endpoint that is accessible to services outside the domain, authorized through the domain’s access mechanism Hierarchical Endpoint An API endpoint that is an interior endpoint for one domain and a boundary endpoint for another

  28. DHARMA Request Flow – Single domain

  29. DHARMA Request Flow – Two domains in a hierarchy

  30. A DHARMA Design Methodology Determine Define trust Select domain Identify trust interior and and access implementation domains boundary mechanisms platforms endpoints

  31. Platform-Independent DHARMA Implementation Domain Hierarchy • External consumers Unbounded Area •Beyond org’s control • Public services Outer Domain • Experience-oriented • Private services Inner Domain • Logic-, data-oriented

  32. Platform-Independent DHARMA Implementation Domain Access Mechanism Trust Mechanism Outer Domain OAuth 2.0, opaque Signed JWT using org- access token issued certificate Inner Domain Signed JWT using org- Network isolation, optionally issued certificate propagated JWT

  33. Platform-Independent DHARMA Implementation Implementation considerations Certificate Token Component management management provisioning Service and endpoint Accountability deployment

  34. Platform-Independent DHARMA Implementation Interaction Identification Authentication Authorization External Client External client obtains access token from Receiving API Gateway sends Authorization server validates Request authorization server, sends on API request access token to authorization server access token, exchanges for to outer domain boundary endpoint for validation JWT which is sent back to API Gateway, which forwards request to service’s interior endpoint Outer Domain Service consumer either sends previously Receiving service proxy validates Service checks JWT claims and Service-to-Service obtained JWT, or obtains new JWT from token signature and certificate chain processes accordingly Request OR Outer Authorization Server and sends on API Domain-to-Inner request to outer domain interior Domain Request endpoint/inner domain boundary endpoint Inner Domain Service consumer either sends previously Trusted based on network isolation Service checks JWT claims and Service-to-Service obtained JWT, or obtains new JWT from processes accordingly Request local secure token service and sends on API request

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

736 views • 61 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation Experience Sharing Ivan Hsieh P .1 Agenda Microservice Architecture How to break a Monolith into Microservices

519 views • 36 slides
Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro

Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro

Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe Why am I here today? QCON SP Microservices architecture case Security opEons OAuth2

820 views • 80 slides
Microservice The Evolutionary Architecture Software Engineering II Sharif University of

Microservice The Evolutionary Architecture Software Engineering II Sharif University of

Microservice The Evolutionary Architecture Software Engineering II Sharif University of Technology MohammadAmin Fazli Topics An Evolutionary Vision for the Architecture Zoning A Principal Approach Governance Through Code

442 views • 29 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL,

NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL,

NDN: an Orchestrated Microservice Architecture for Named Data Networking Xavier MARCHAL, Thibault CHOLEZ, Olivier FESTOR LORIA, UMR 7503 (University of Lorraine, CNRS, INRIA) Vandoeuvre-les-Nancy, F-54506, France September 22, 2018

786 views • 21 slides
MICRO-FRONTENDS Luca Mezzalira Architecture evolution DB Application Server Single-Page

MICRO-FRONTENDS Luca Mezzalira Architecture evolution DB Application Server Single-Page

Scaling Your Project with MICRO-FRONTENDS Luca Mezzalira Architecture evolution DB Application Server Single-Page Application Architecture evolution DB DB DB Microservice Microservice Microservice API Gateway Single-Page Application

349 views • 32 slides
Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation EPA the legacy system

1.28k views • 30 slides
Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why

R. van der Gaag, D. Weller Incorporating Post-Quantum Cryptography in a microservice architecture Research Project 2 Why think about post-quantum cryptography W. Buchanan et. al concluded Gate-based quantum computers pose a significant

349 views • 18 slides
Ostro OS security architecture An IoT OS security architecture that is so boring that you can

Ostro OS security architecture An IoT OS security architecture that is so boring that you can

Ostro OS security architecture An IoT OS security architecture that is so boring that you can sleep soundly at night Ismo Puustinen, Intel Finland What is Ostro OS? https://ostroproject.org IoT operating system, based on Yocto project

261 views • 9 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud

Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud

Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud Architecture Strategy Datacenter to cloud migrations are under-way for the most business and safety critical workloads AWS and our partners are

745 views • 55 slides
Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis Gkikopoulos, PhD student and research assistant, ZHAW and UNINE, Switzerland The Microservice Pattern An increasingly prevalent approach to

300 views • 15 slides
Web Architecture 253 Privacy & Security who's this guy? columbia university school of

Web Architecture 253 Privacy & Security who's this guy? columbia university school of

Web Architecture 253 Web Architecture 253 Web Architecture 253 Privacy & Security who's this guy? columbia university school of engineering and applied science bs in computer science 1999 who's this guy? 13+ years writing software and

878 views • 63 slides
and Judicial Review Hannah Rought-Brooks, Garden Court Chambers James Holmes, Garden Court

and Judicial Review Hannah Rought-Brooks, Garden Court Chambers James Holmes, Garden Court

Local Authority duties to Children and Judicial Review Hannah Rought-Brooks, Garden Court Chambers James Holmes, Garden Court Chambers 15 September 2020 @gardencourtlaw Local Authority Duties and Judicial Review Hannah Rought-Brooks, Garden

903 views • 67 slides
Pershing Square Capital

Pershing Square Capital

Pershing Square Capital Management, L.P. The analyses and

1.14k views • 64 slides
Odyssey Charter School September 4, 2020 & Odyssey Preparatory Academy eLearning Update

Odyssey Charter School September 4, 2020 & Odyssey Preparatory Academy eLearning Update

Odyssey Charter School September 4, 2020 & Odyssey Preparatory Academy eLearning Update and Parent Orientation to Odyssey Charter, Inc. digital programs Were in this Together ! Be positive. Your mind is more powerful than you

722 views • 50 slides
DISCLAIMER 2 This document has been compiled by Tharisa plc ( Tharisa ) . While the

DISCLAIMER 2 This document has been compiled by Tharisa plc ( Tharisa ) . While the

INTEGRATED RESOURCE GROUP | LOW COST CO-PRODUCER PGMS AND CHROME February 2015 DISCLAIMER 2 This document has been compiled by Tharisa plc ( Tharisa ) . While the information contained herein is believed to be accurate, no

397 views • 13 slides
ORIENTATION DETECTION Goal Main Goal: For any given picture detect its orientation. Sub

ORIENTATION DETECTION Goal Main Goal: For any given picture detect its orientation. Sub

AUTOMATIC IMAGE ORIENTATION DETECTION Goal Main Goal: For any given picture detect its orientation. Sub Goals: How to deal with color images Define criteria for images to separate them to 4 groups: = 0, = 90, =

432 views • 16 slides
Chapter 5: Control Structures II (Repetition) C++ Programming 1 Dr. Adriana Badulescu Kallas

Chapter 5: Control Structures II (Repetition) C++ Programming 1 Dr. Adriana Badulescu Kallas

Dr. Adriana Badulescu Kallas Introduction to Computer Science & Programming Programming Fundamentals I Chapter 5: Control Structures II (Repetition) C++ Programming 1 Dr. Adriana Badulescu Kallas Introduction to Computer Science &

1.22k views • 72 slides
S E Q Sensitization Exposure - Quotient Charts of contact allergens IVDK 2011: HITLISTE

S E Q Sensitization Exposure - Quotient Charts of contact allergens IVDK 2011: HITLISTE

S E Q Sensitization Exposure - Quotient Charts of contact allergens IVDK 2011: HITLISTE 2011 n % pos. (stand.) 1 Nickel (II)-sulfate 10859 15.8 10874 2 Fragrance-Mix 8.1 10863 3 Perubalsam 7.3 4 Fragrance -Mix II 10897

506 views • 15 slides
2012 Final LCR Study Results Sierra and Stockton Local Areas Binaya Shrestha Sr. Regional

2012 Final LCR Study Results Sierra and Stockton Local Areas Binaya Shrestha Sr. Regional

2012 Final LCR Study Results Sierra and Stockton Local Areas Binaya Shrestha Sr. Regional Transmission Engineer Stakeholder Meeting April 14, 2011 Sierra Area Load and Resources (MW) 2012 Load = 1713 Transmission Losses = 103 Total

253 views • 22 slides

More recommend