This slide deck explores the challenges of securing microservices, best practices to overcome them, and the expectations placed on IAM in a microservice architecture.
Watch video: https://wso2.com/library/conference/2018/07/wso2con-usa-2018-talk-microservices-to-me-the-role-of-iam-in-microservice-architecture/
Talk Microservices to Me: The Role of IAM in Microservice Architecture
1. Talk Microservices to Me: The Role of IAM in Microservices Architecture
Darshana Gunawardana, Technical Lead, WSO2
2. Microservices
● The foundation of microservice architecture is about
○ Developing a single application as a collection of small and independent services
○ That are running in their own process, developed and deployed independently
● Provides a focused, scoped and modular approach for application design
● Not just about an architectural pattern
○ Driven by the primary goal - speed to production
3. Monolithic Applications
● All the services are deployed in the same application
● The application server itself provides session management features
○ All the services can share a user’s login status
● The interactions between services are local calls
● Authentication is done centrally at an interceptor
● Passing login context varies from one platform to another
6. Challenges
● Microservices are independent of each other
○ Each service has to enforce authentication and authorization
● Broader attack surface
● Scalability
○ Each service will serve thousands of requests per second
○ There can be hundreds of microservices
● Performance
● Deployment complexities
● Polyglot architecture
7. Problem
● Multiple clients need to access secured microservices on behalf of a user
11. OAuth 2.0 - Self Contained Access Tokens
[Diagram: the resource owner grants the OAuth client access to a resource under a provided scope; the OAuth client gets a token from the OAuth authorization server to access the resource on behalf of the resource owner; the client then accesses the resource at the OAuth resource server, presenting the token as a JWT; a trust relationship links the authorization server and the resource server]
12. Microservices Security
● Secure development
○ Static and dynamic code analysis to make sure we do not introduce security vulnerabilities at the code level
○ Should be part of the CI/CD process
○ Should have shorter feedback cycles
● Secure deployment
○ Service-per-host
○ Container level security
● Application level security
○ Authenticating and authorizing the end user
○ Securing channels between microservices
13. Application level security
● Edge Security
○ Authenticating end user
○ Authorizing end user against the common policies
● Service To Service Security
○ Share user context securely
○ Authorizing against specific policies
18. TLS Mutual Authentication
● Each microservice will have its own certificate to prove its identity
● How do we provision certificates to each microservice?
● How do we deal with certificate revocations?
● How do we deal with trust bootstrap?
● How do we deal with key rotation?
19. SPIFFE
● Secure Production Identity Framework for Everyone
● SPIFFE tries to solve the trust bootstrap problem in a platform-agnostic manner
● SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID
○ E.g.: spiffe://acme.com/billing/payments
● Implementations - SPIRE, Istio
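The SPIFFE ID on the slide is what a service sees in the URI SAN of its peer's certificate once mutual TLS has completed; the remaining question is whether that peer may call this service. The following is an added example (not code from the slides, SPIRE or Istio) of the service-side check: a strict parser for the `spiffe://<trust domain>/<path>` form and an allow-list lookup keyed by caller identity. The trust domain `acme.com` and the `web/frontend` and `billing/ledger` identities, the `ALLOWED_CALLS` table, and the character-set rules in the two regular expressions are assumptions made for the example; only `spiffe://acme.com/billing/payments` comes from the deck. TLS itself is out of scope here, the function takes the already verified peer ID as a string.

```python
import re

# Constructed trust domain for this example; only spiffe://acme.com/billing/payments
# comes from the slides, the other identities below are made up.
TRUST_DOMAIN = "acme.com"

# Assumed structural rules summarising the SPIFFE ID format: a lowercase trust
# domain and a path of non-empty segments drawn from a restricted character set.
_TRUST_DOMAIN_RE = re.compile(r"[a-z0-9._-]+")
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")


def parse_spiffe_id(value):
    """Split a SPIFFE ID into (trust_domain, path); raise ValueError if malformed.

    This example insists on a workload path, so a bare trust-domain ID is rejected.
    """
    prefix = "spiffe://"
    if not value.startswith(prefix):
        raise ValueError("scheme must be spiffe://")
    rest = value[len(prefix):]
    if any(ch in rest for ch in "?#@:"):
        raise ValueError("query, fragment, userinfo and port are not allowed")
    trust_domain, slash, path = rest.partition("/")
    if not _TRUST_DOMAIN_RE.fullmatch(trust_domain):
        raise ValueError("invalid trust domain")
    if not slash or not path:
        raise ValueError("workload identity requires a path")
    for segment in path.split("/"):
        # Empty, '.' and '..' segments would let one identity alias another.
        if segment in ("", ".", "..") or not _SEGMENT_RE.fullmatch(segment):
            raise ValueError(f"invalid path segment: {segment!r}")
    return trust_domain, "/" + path


# Constructed service-to-service policy: which caller may reach which callee.
ALLOWED_CALLS = {
    "spiffe://acme.com/web/frontend": {"spiffe://acme.com/billing/payments"},
    "spiffe://acme.com/billing/payments": {"spiffe://acme.com/billing/ledger"},
}


def authorize_peer(peer_id, own_id, allowed_calls=ALLOWED_CALLS):
    """Service-side check after the mTLS handshake.

    peer_id is the URI SAN of the verified client certificate and own_id is this
    service's SPIFFE ID. Anything that does not parse is denied.
    """
    try:
        trust_domain, _ = parse_spiffe_id(peer_id)
    except ValueError:
        return False
    # Peers from foreign trust domains are rejected even if the string looks fine.
    if trust_domain != TRUST_DOMAIN:
        return False
    return own_id in allowed_calls.get(peer_id, set())


if __name__ == "__main__":
    print(authorize_peer("spiffe://acme.com/web/frontend", "spiffe://acme.com/billing/payments"))
    print(authorize_peer("spiffe://acme.com/web/../web/frontend", "spiffe://acme.com/billing/payments"))
```

Parsing before lookup matters: a lookup on the raw string would already reject `spiffe://acme.com/web/../web/frontend`, but a normalising library further down the stack might not, so the identity is validated once at the edge of the service and rejected outright if it is not in canonical form.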
22. JWT (JSON Web Token)
● Defines a container to transport data between interested parties
● There are multiple applications of JWT
○ In OpenID Connect the id_token is represented as a JWT
● Propagate one’s identity between interested parties
● Propagate user entitlements between interested parties
● Transfer data securely between interested parties over an unsecured channel
● Assert one’s identity, given that the recipient of the JWT trusts the asserting party
26. MicroProfile JWT (MP-JWT)
● Interoperable JWT for authentication and authorization
● Introduces 2 new claims to the MP-JWT
○ "upn": A human readable claim that uniquely identifies the subject or user principal of the token
○ "groups": The token subject's group memberships
● Enables Role Based Access Control (RBAC)
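Slides 11, 22 and 26 together describe the self-contained token flow: the authorization server signs a JWT carrying the user's identity and entitlements, and each microservice verifies it locally before trusting the `upn` and `groups` claims. The block below is an added example (not code from the deck or from MicroProfile) showing both ends using only the Python standard library. It uses HS256 with a shared secret for brevity; a real deployment signs with an asymmetric key so that resource servers hold only the public key and cannot mint tokens themselves. The issuer URL, audience name, secret and all user data are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret):
    """Authorization-server side: produce a signed, self-contained JWT (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token, secret, issuer, audience, now=None):
    """Resource-server side: check signature, issuer, audience and expiry, then return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        presented = _b64url_decode(s64)
    except ValueError:
        raise TokenError("malformed token")
    # The verifier pins the algorithm; the token never gets to choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not meant for this service")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    if "upn" not in claims:
        raise TokenError("missing upn claim")
    return claims


SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for the example
ISSUER = "https://as.example.test"                # constructed issuer URL
AUDIENCE = "orders-service"                       # constructed audience name


def demo(now=1_600_000_000):
    """Mint a token, verify it, then show that tampering and expiry are both caught."""
    claims = {"iss": ISSUER, "aud": [AUDIENCE, "billing-service"], "sub": "u123",
              "upn": "alice@example.test", "groups": ["customer"], "iat": now, "exp": now + 300}
    token = mint_token(claims, SECRET)
    verified = verify_token(token, SECRET, ISSUER, AUDIENCE, now=now)

    # Re-encoding the payload with an extra group but keeping the old signature.
    h64, _, s64 = token.split(".")
    forged_payload = _b64url(json.dumps(dict(claims, groups=["admin"]), separators=(",", ":")).encode())
    forged = f"{h64}.{forged_payload}.{s64}"
    try:
        verify_token(forged, SECRET, ISSUER, AUDIENCE, now=now)
        forged_rejected = False
    except TokenError:
        forged_rejected = True

    try:
        verify_token(token, SECRET, ISSUER, AUDIENCE, now=now + 600)
        expired_rejected = False
    except TokenError:
        expired_rejected = True
    return verified["upn"], verified["groups"], forged_rejected, expired_rejected


if __name__ == "__main__":
    print(demo())
```

The order of checks is deliberate: the signature is verified before any claim is read, so a resource server never acts on `upn` or `groups` from a payload it has not authenticated, and the audience check stops a token issued for one microservice from being replayed against another.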
27. Policy Evaluation (Central PDP)
[Diagram: several microservices, each running in a single container, present the jwt and send an Authz req to a central PDP running in its own container, which returns an Authz resp]
28. Policy Evaluation (Embedded PDP)
[Diagram: each microservice container embeds its own PDP; the embedded PDPs subscribe to a central PAP, which publishes policies to them; the jwt is presented to each microservice and evaluated locally]
29. Open Policy Agent (OPA)
● A lightweight general-purpose policy engine that can be co-located with the service
● Can integrate OPA as a sidecar, host-level daemon, or library
● Integrated with Spring and Service Mesh implementations (Istio, Linkerd)
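Slides 27 to 29 contrast a central PDP, reached with a request per authorization decision, with a PDP embedded next to each service that receives policies from a PAP. The added example below (not code from the deck, OPA, or any product) is a minimal embedded PDP in Python: the PAP pushes versioned rule sets, and the service evaluates each request locally against the claims of a JWT that has already been verified. The rule schema (`effect`, `action`, `resource`, `groups`, `owner_segment`), the policy versions, and the users and resources are all constructed for the example; a real deployment would express the same rules in the engine's policy language.

```python
import copy
import fnmatch


class EmbeddedPDP:
    """Policy Decision Point co-located with one microservice.

    The PAP pushes versioned rule sets through publish(); the service calls
    evaluate() with the claims of an already verified JWT. Decisions are made
    locally, so no per-request round trip to a central PDP is needed.
    """

    def __init__(self):
        self.version = 0
        self.rules = []

    def publish(self, version, rules):
        """Accept a newer policy version from the PAP; stale or replayed
        versions are ignored so an old rule set cannot roll back a fix."""
        if version <= self.version:
            return False
        self.version = version
        self.rules = copy.deepcopy(rules)
        return True

    def evaluate(self, claims, action, resource):
        """Return "Permit" or "Deny". Default deny; the first matching rule wins."""
        groups = set(claims.get("groups", []))
        segments = resource.strip("/").split("/")
        for rule in self.rules:
            if rule["action"] != action:
                continue
            if not fnmatch.fnmatchcase(resource, rule["resource"]):
                continue
            # Group condition: RBAC on the MP-JWT "groups" claim.
            if rule.get("groups") and not groups & set(rule["groups"]):
                continue
            # Ownership condition: a path segment must equal the caller's "upn".
            owner_segment = rule.get("owner_segment")
            if owner_segment is not None:
                if owner_segment >= len(segments) or segments[owner_segment] != claims.get("upn"):
                    continue
            return rule["effect"]
        return "Deny"


# Constructed policy versions as a PAP would publish them.
POLICY_V1 = [
    {"effect": "Permit", "action": "GET", "resource": "/orders/*", "groups": ["support"]},
    {"effect": "Permit", "action": "GET", "resource": "/orders/*", "owner_segment": 1},
    {"effect": "Permit", "action": "POST", "resource": "/refunds", "groups": ["support"]},
]
# Version 2 prepends an explicit Deny, which wins because rules are ordered.
POLICY_V2 = [
    {"effect": "Deny", "action": "POST", "resource": "/refunds", "groups": ["contractor"]},
] + POLICY_V1


def demo():
    """Walk through both policy versions with two constructed callers."""
    pdp = EmbeddedPDP()
    pdp.publish(1, POLICY_V1)
    alice = {"upn": "alice@example.test", "groups": ["customer"]}
    bob = {"upn": "bob@example.test", "groups": ["support", "contractor"]}
    results = {
        "alice_own_order": pdp.evaluate(alice, "GET", "/orders/alice@example.test/42"),
        "alice_other_order": pdp.evaluate(alice, "GET", "/orders/bob@example.test/7"),
        "bob_any_order": pdp.evaluate(bob, "GET", "/orders/alice@example.test/42"),
        "bob_refund_v1": pdp.evaluate(bob, "POST", "/refunds"),
    }
    pdp.publish(2, POLICY_V2)
    results["bob_refund_v2"] = pdp.evaluate(bob, "POST", "/refunds")
    results["stale_update_ignored"] = not pdp.publish(1, POLICY_V1)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two properties carry over to any engine used in this position: the decision defaults to Deny when no rule matches, and the service only ever consults the policy version it last accepted, so a lost or delayed publish degrades to the previous (still consistent) rule set rather than to an empty one.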
31. Docker
● Docker allows running multiple services on the same host machine
● Not only exposing a different environment to each of them, but also isolating them from each other
32. Kubernetes
● Kubernetes abstracts away the hardware infrastructure and exposes your whole deployment as a single enormous computational resource
● Allows you to easily deploy and manage containerized applications on top of it
33. Kubernetes (Pods)
[Diagram: two worker nodes (Worker Node 1 and Worker Node 2), each running three pods (Pod 1 to Pod 6); each pod gets its own IP address (10.1.0.1, 10.1.0.2, ...) and holds one or two containers]
36. Summary
● The microservices paradigm introduces a new set of challenges to enforcing security
● Lots of new threats to application and deployment security in microservices
● API-driven, strong access delegation capabilities are a MUST for microservices-friendly IAM