security considerations for microservice architectures
play

Security Considerations for Microservice Architectures Daniel - PowerPoint PPT Presentation

Feb 06, 2024 •958 likes •1.28k views

Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation EPA the legacy system

  1. Security Considerations for Microservice Architectures Daniel Richter, Tim Neumann, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany

  2. Motivation ▪ EPA – the legacy system ▪ reserve and book train seats operated by Deutsche Bahn (German railway) ▪ 1 mio seat requests & 300,000 bookings ▪ first version: 1980s ▪ set of Pathway Services as part of HP NonStop system ▪ especially fault-tolerant and highly-available 2 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  3. Motivation 3 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  4. Motivation Microservices to the Rescue! ▪ small, independent, autonomous services ▪ small, specific range of features ▪ encapsulates all its functions and data ▪ cooperation with other microservices (usually ReST & message queues) ▪ DevOps 4 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  5. Motivation Microservices, but… ▪ introduces additional complexity through dependencies to supporting technology ▪ e.g. for deployment, scaling and management of containerized applications. ▪ use of additional technologies increases the surface attack area ▪ different technology stacks ▪ different vendors, teams, products… ▪ frequent new versions 5 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  6. Our T estbed Ticket BFF for User Machine Ticket Machine Service Booking Service Seat BFF for Smart Reservation Smartphone Phone Service 6 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  7. Our T estbed ▪ application layer Three base layer groups : ▪ compute provider EC2, EBS, VPC ▪ encapsulation technology ▪ deployment Example: secure the communication between individual application components (authentication and authorization) 7 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  8. Base Layer Groups 8 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  9. Base Layer Groups T echnologies ▪ Compute Provider group ▪ all AWS related layers ▪ provides some kind of computing infrastructure (physical or virtual machines, some networking solution, and some file storage system) ▪ start a new machine (based on template) & connect to network ▪ physical machines, virtual machines ▪ own data center, 3 rd party data center, cloud provider ▪ e.g. AWS, Google Cloud Platform, Microsoft Azure, OpenStack 9 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  10. Base Layer Groups T echnologies ▪ Encapsulation Technology group ▪ Docker layer and Weave layer ▪ provide a distributed runtime environment for containers, responsible for isolating services from each other so they cannot interfere with each other (except by predefined communication) ▪ running multiple (lightweight) services on one machine ▪ VM-based encapsulation vs. container-based encapsulation ➔ isolation vs. overhead, technology independence, tools ▪ multiple network addresses ➔ overlay network 10 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  11. Base Layer Groups T echnologies ▪ Deployment group ▪ Kubernetes layers ▪ distribute containers among multiple nodes automatically ▪ take software in source or binary format and ensure its execution and configuration ▪ avoid doing “by hand” ▪ e.g. Docker Swarm, Kubernetes 11 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  12. Base Layer Groups Security Evaluation Compute provider group ▪ managed by Amazon, security cannot be influenced by customers ▪ data centers comply with various commercial and governmental security guidelines ▪ such as PCI DSS Level 1 ▪ allows detailed rules for communication between EC2 instances ▪ Amazon VPC acts as a firewall 12 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  13. Security Evaluation Encapsulation technology group ▪ Docker allowed certain users full access to the computer on which it is installed (as required by Kubernetes) ▪ Weave Net is configured and managed by Kubernetes ▪ Weave Net default configuration can be improved by specifying password to encrypt communication between the Weave Net instances running on each node 13 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  14. Base Layer Groups Security Evaluation Deployment group ▪ Kubernetes and Weave Net provide one network to all applications running in Kubernetes, allowing communication without restrictions (by default) ▪ employ Network Policies to limit communication to specific applications ▪ Kubernetes 1.5 ▪ very coarse-grained access control (essentially either full or no access to cluster) ▪ API server: unauthenticated &unencrypted endpoint ▪ Kubernetes 1.6: Role-Based Access Control 14 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  15. Application Layer 15 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  16. Application Layer Authentication & Authorization Methods ▪ trust ▪ network policy ▪ IP-based ▪ key/token-based ▪ MAC-based (Message Authentication Code) ▪ signing-based & Certificate-based ▪ session-based & Password-based 16 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  17. Application Layer Authentication & Authorization Criteria ▪ support of fine-grained access control ▪ secret-based ▪ pre-shared, asymmetric, after session start ▪ session-based ▪ network-based ▪ stack level ▪ network, Application, transport 17 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  18. Application Layer Authentication & Authorization 18 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  19. Evaluation of Authn & Authz in our T estbed 19 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  20. Evaluation of Authentication and Authorization in our T estbed T estbed Components simplified reimplementation of the Elektronische Platzbuchungsanlage (EPA, “ electronic seat reservation and booking system”) of Deutsche Bahn ▪ Customer component (manage login data ▪ Seat & schedule component ▪ Booking component ▪ each component backed by a separate database ▪ two front-ends 20 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  21. Evaluation of Authentication and Authorization in our T estbed Communication Groups 21 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  22. Evaluation of Authentication and Authorization in our T estbed Communication Groups (a) third-party software: no control (b) between different core components: assumed trusted network 22 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  23. Evaluation of Authentication and Authorization in our T estbed Communication Groups (c) between BFFs and core components: separate networks & BFFs may considered untrusted (directly accessible from public network) 23 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  24. Evaluation of Authentication and Authorization in our T estbed Communication Groups (d) public network from untrusted device (e) public network from trusted device 24 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  25. Evaluation of Authentication and Authorization in our T estbed Communication Groups (f) public network from untrusted device; must be publicly accessible, no authorization or authentication required or possible 25 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  26. Evaluation of Authentication and Authorization in our T estbed Communication Groups (g) public network from untrusted device; does not have to be publicly accessible 26 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

  27. Evaluation of Authentication and Authorization in our T estbed Communication Channels Two authentication and authorization methods were used: ▪ Token-based authentication and authorization (connect to the database servers) ▪ session-based authentication and authorization (connections between display devices and BFFs) 29 Security Considerations for Microservice Architectures | CLOSER 2018 | Daniel Richter | 22. March 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Highly-Available Applications on Unreliable Infrastructure: Microservice Architectures in

Highly-Available Applications on Unreliable Infrastructure: Microservice Architectures in

Highly-Available Applications on Unreliable Infrastructure: Microservice Architectures in Practice Daniel Richter, Marcus Konrad, Katharina Utecht, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at

679 views • 29 slides
Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder

Practical Microservice Security Laura Bell Practical Microservice security Laura Bell Founder and Lead Consultant - SafeStack @lady_nerd laura@safestack.io http:/ /safestack.io caution: fast paced field ahead watch for out of date

1.06k views • 66 slides
ORCAS: Efficient Resilience Benchmarking of Microservice Architectures Andr van Hoorn Aldeida

ORCAS: Efficient Resilience Benchmarking of Microservice Architectures Andr van Hoorn Aldeida

ORCAS: Efficient Resilience Benchmarking of Microservice Architectures Andr van Hoorn Aldeida Aleti Thomas F. Dllmann Teerat Pitakrat 9th Symposium on Software Performance (SSP 2018) November 08, 2018. Hildesheim Previously Presented at

626 views • 13 slides
Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud

Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud

Managing Failure Modes in Microservice Architectures Adrian Cockcroft @adrianco AWS VP Cloud Architecture Strategy Datacenter to cloud migrations are under-way for the most business and safety critical workloads AWS and our partners are

745 views • 55 slides
ENABLING MICROSERVICE ARCHITECTURES WITH SCALA Kevin Scaldeferri Gilt Groupe Sept 22, 2013 IN

ENABLING MICROSERVICE ARCHITECTURES WITH SCALA Kevin Scaldeferri Gilt Groupe Sept 22, 2013 IN

ENABLING MICROSERVICE ARCHITECTURES WITH SCALA Kevin Scaldeferri Gilt Groupe Sept 22, 2013 IN THE BEGINNING ONE (REALLY) BIG RAILS APP ~1000 models and controllers ~ 200k lines of Ruby ~ 50k lines of PostgreSQL stored procedures

664 views • 41 slides
Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro

Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro

Stateless Microservice Security via QCON SP JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe Why am I here today? QCON SP Microservices architecture case Security opEons OAuth2

820 views • 80 slides
API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018 Agenda Purpose and Goals Background Current Approaches - Network-level Controls - Application-level Controls - Emerging

785 views • 43 slides
Performance, Energy, and Thermal Considerations for SMT and CMP Architectures Yingmin Li ,

Performance, Energy, and Thermal Considerations for SMT and CMP Architectures Yingmin Li ,

Performance, Energy, and Thermal Considerations for SMT and CMP Architectures Yingmin Li , David Brooks , Zhigang Hu , Kevin Skadron Dept. of Computer Science, University of Virginia IBM T.J. Watson Research Center

245 views • 12 slides
Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation

Enterprise Microservice Platform and Operation Experience Sharing Ivan Hsieh P .1 Agenda Microservice Architecture How to break a Monolith into Microservices

519 views • 36 slides
CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote

CONTAINER AND MICROSERVICE SECURITY ADRIAN MOUAT Chief Scientist @ Container Solutions Wrote "Using Docker" for O'Reilly 40% Discount with AUTHD code Free Docker Security minibook http://www.oreilly.com/webops-perf/free/docker-

1.06k views • 68 slides
Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe

EclipseCon France Stateless Microservice Security via JWT, TomEE and MicroProfile Jean-Louis Monteiro Tomitribe #RESTSecurityWithMP-JWT @JLouisMonteiro @tomitribe EclipseCon France Why am I here today? Microservices architecture case

1.26k views • 69 slides
A snapshot, a stream, and a bunch of deltas Applying Lambda Architectures in a

A snapshot, a stream, and a bunch of deltas Applying Lambda Architectures in a

A snapshot, a stream, and a bunch of deltas Applying Lambda Architectures in a post-Microservice World Q-Con London March 6th 2018 Ade Trenaman, SVP Engineering, Raconteur, HBC Tech t: @adrian_trenaman http://tech.hbc.com t: @hbcdigital

845 views • 48 slides
Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put

Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put

Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put forth in IETF RFC-5069 There are a few problems which seem to be intractable in a wireless environment with unauthenticated users.

133 views • 9 slides
PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3

MINIMIZING THE WINDOW OF COMPROMISE PRACTICAL MTLS Ying Li @cyli PROBLEM TYPICAL MICROSERVICE ARCHITECTURE VPC S1 DB S2 S1 S3 PROBLEM VLAN-TASTIC MICROSERVICE ARCHITECTURE S1 DB S2 S1 S3 PROBLEM CORRECT MICROSERVICE ARCHITECTURE

736 views • 61 slides
6lowpan security considerations Christian Schumacher schumacher@danfoss.com 6lowpan WG 64th

6lowpan security considerations Christian Schumacher schumacher@danfoss.com 6lowpan WG 64th

6lowpan security considerations Christian Schumacher schumacher@danfoss.com 6lowpan WG 64th IETF 7th of November, 2005 Disposition 6lowpan problem areas and scope Current security considerations IEEE802.15.4 2003 specification

616 views • 9 slides
Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis

Data Distribution and Exploitation in a Global Microservice Arteract Observatory Panagiotis Gkikopoulos, PhD student and research assistant, ZHAW and UNINE, Switzerland The Microservice Pattern An increasingly prevalent approach to

300 views • 15 slides
quantitative easing Sini Matikainen - Grantham Research Institute on Climate Change and the

quantitative easing Sini Matikainen - Grantham Research Institute on Climate Change and the

The climate impact of quantitative easing Sini Matikainen - Grantham Research Institute on Climate Change and the Environment, LSE Emanuele Campiglio - Vienna University of Economics and Business Dimitri Zenghelis Grantham Research Institute

479 views • 28 slides
Matthias M uller-Hannemann Affiliation: Chair of Data Structures and Algorithms Department of

Matthias M uller-Hannemann Affiliation: Chair of Data Structures and Algorithms Department of

Matthias M uller-Hannemann Affiliation: Chair of Data Structures and Algorithms Department of Computer Science Martin-Luther-Universit at Halle-Wittenberg, Germany Research: Algorithm Engineering Graph algorithms Combinatorial

274 views • 3 slides
Point Labeling with Sliding Labels in Interactive Maps Nadine Schwartges 1 Jan-Henrik Haunert 2

Point Labeling with Sliding Labels in Interactive Maps Nadine Schwartges 1 Jan-Henrik Haunert 2

Point Labeling with Sliding Labels in Interactive Maps Nadine Schwartges 1 Jan-Henrik Haunert 2 Alexander Wolff 1 Dennis Zwiebler 1 AGILE 14 2 Institut f ur Geoinformatik 1 Lehrstuhl f ur Informatik I und Fernerkundung Universit

1.41k views • 117 slides
GraphHopper GmbH Your Partner for Routing Peter Karich @ New Mobility World Lab16 / IAA

GraphHopper GmbH Your Partner for Routing Peter Karich @ New Mobility World Lab16 / IAA

GraphHopper GmbH Your Partner for Routing Peter Karich @ New Mobility World Lab16 / IAA GraphHopper Directions API Routing tools for developers and business! No end user application GraphHopper Maps Demo Try at graphhopper.com/maps

326 views • 15 slides
Counting modules over numerical semigroups with two generators. Julio Jos Moyano-Fernndez

Counting modules over numerical semigroups with two generators. Julio Jos Moyano-Fernndez

Outline Introduction Lattice paths Syzygies Orbits Counting modules over numerical semigroups with two generators. Julio Jos Moyano-Fernndez University Jaume I of Castelln International meeting on numerical semigroups - Cortona 2014

587 views • 42 slides
Status of the EOSCpilot Scientific Demonstrators Giuseppe La Rocca, 13/03/2018 Sommario Status of

Status of the EOSCpilot Scientific Demonstrators Giuseppe La Rocca, 13/03/2018 Sommario Status of

Status of the EOSCpilot Scientific Demonstrators Giuseppe La Rocca, 13/03/2018 Sommario Status of the EOSCpilot Scientific Demonstrators ............................................................. 1 Summary report from first round of SDs (Jan

799 views • 8 slides
Module 10 XQuery Update, XQueryP Disclaimer: Work in progress!!! 1 Summary of M1-M9 XML

Module 10 XQuery Update, XQueryP Disclaimer: Work in progress!!! 1 Summary of M1-M9 XML

Module 10 XQuery Update, XQueryP Disclaimer: Work in progress!!! 1 Summary of M1-M9 XML and XML Schema serialization of data (documents + structured data) mixing data from different sources (namespaces) validity data

688 views • 54 slides
FAIR Operation Modes Dr. Sabrina Appel, Accelerator Physics Department, GSI, Darmstadt GSI

FAIR Operation Modes Dr. Sabrina Appel, Accelerator Physics Department, GSI, Darmstadt GSI

GSI Helmholtzzentrum fr Schwerionenforschung GmbH FAIR Operation Modes Dr. Sabrina Appel, Accelerator Physics Department, GSI, Darmstadt GSI Helmholtz Centre for Heavy Ion Research Sabrina Appel | Accelerator Physics 14/12/18 GSI

278 views • 7 slides

More recommend