Microservices are becoming the de facto approach to how new applications are built today. Although there are many benefits to microservices, the security risks associated with microservices are growing faster than current security practices can handle.
To understand why this is, and how it can be addressed, here is a brief overview on microservices. In a future article, we will cover the technical architecture of microservices in more depth.
What is a Microservice?
As the name implies, a microservice is a very small, self-contained application that is designed to perform a limited scope of functionality. Alone, a microservice doesn’t accomplish much. The power comes when you combine multiple microservices together to create a fully functional application.
Why are Microservices beneficial?
Microservices started as an alternative development approach after the headaches to maintaining large, all-in-one applications. Because all-in-one applications had poor boundaries between areas of code, changes could unknowingly impact other areas of the application causing unexpected development delays and cost. Affectionate phrases like monolithic applications and spaghetti code came out of such headaches.
The benefit of microservices is that it allows complex applications to be broken down into discrete components. With clear boundaries, microservices can be coded by different teams at the same time without the risk of disrupting each other. Microservices are also great for scaling an application because it is more efficient to increase the microservices that are in demand than create a new instance of the entire, all-in-one application.
How has the rise of Microservices impacted Application Security?
The downside of microservices is security. Now that you have more autonomous pieces that make up your application, you have more things to secure.
In the world of securing microservice applications, you need to consider the integration, governance, and the overall architectural complexity. Not only has the number of microservices increased, but microservices are being consumed by more endpoints such as mobile devices and the Internet-of-Things (IoT).
From a high level, the following diagram depicts a simple web application transaction:
In a microservice architecture, the same high-level diagram will look more like this:
On top of the additional complexity, it is likely that orchestrations and routes would create new service interactions that the original application developers never envisioned.
As microservice architectures become more prevalent, and I believe they will, service endpoints will be more fluid and rapidly added to pre-existing workflows. The speed of deployment and unpredictable workflows will create an application security nightmare.
Security has traditionally moved slowly. It takes time to establish policies and procedures and to evaluate risk as things change. This model can’t work for microservices. In order to keep up with the rate of change that microservices create, security needs to shift from being outside the application to INSIDE the application.
How Can Microservices Be Secured?
What if you could inject governed security controls into services directly? If this were possible, the integration and consistency of security deployments would become near zero. Such an approach would allow developers to add new capabilities confident that their service is compliant with the security architecture. It would also give security personnel less reason to worry if security policies are being applied to every service appropriately.
Products such as SecurePaaS are designed to do exactly this. SecurePaaS introspects, federates, and injects Identity, Authentication, Authorization, & Auditing (IAAA) into an application’s source code automatically, without developer intervention. This automation allows developers to focus more on application functionality and less on manual security integration and ensures that there is consistency in how the security is applied.
If you are interested in learning more about SecurePaas, you can visit securepaas.com.