The Role of IAM in Microservices
•
2 gostaram•2,138 visualizações
This slide deck explores the challenges of securing microservices, best practices to overcome them, and how WSO2 Identity Server can be used in microservice architecture. Watch webinar recording here: https://wso2.com/library/webinars/2018/09/the-role-of-iam-in-microservices/
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a The Role of IAM in Microservices
Semelhante a The Role of IAM in Microservices (20)
Mais de WSO2
Mais de WSO2 (20)
Último
Último (20)
The Role of IAM in Microservices
- 1. The Role of IAM in Microservices Darshana Gunawardana Technical Lead, WSO2 Farasath Ahamed Senior Software Engineer, WSO2
- 2. WSO2 At-A-Glance Colombo, London, Mountain View, New York, São Paulo, Sydney Founded 2005, Backed by Cisco and Toba Capital 500+ Employees (300 Engineers) Open Source 450+ Customers, 175 New Customers in 2017 $25m Sales in 2017 53% YoY growth
- 3. 3 Microservices ● Microservice architecture is ○ A single application as a collection of small and independent services ● Independent services ○ Developed independently ○ Deployed independently ○ Run independently ● Not just about an architectural pattern ○ Driven by the primary goal - speed to production
- 4. 4 Monolithic Applications ● All the services are deployed in the same application server ● Few entry points - intercepted and enforced security ● The application server itself provides session management features ○ All the services can share a user’s login status ● The interactions between services are local calls
- 5. 5 Monolithic Applications + IAM User Session Single Container I n t e r c e p t IAM
- 8. 8 Challenges ● Broader attack surface ● Microservices are independent to each other ○ Each service has to enforce authentication and authorization ● Scalability ○ Each service will serve thousands of requests per second ○ There can be hundreds of microservices ● Performance ● Deployment complexities ● Polyglot architecture
- 9. 9 Will Current IAMs Become Obsolete? ● Business requirements ○ Strong authentication ○ Merging/Acquisitions ○ Social logins ● Capabilities ○ Multi-factor and adaptive authentication ○ Identity federation ○ Authorization policies ● Access delegation becomes more prominent
- 10. Protected resources using OAuth 2.0 Secure endpoints?
- 11. 11 OAuth 2.0 Microservices (Resource Server) IAM (Authorization Server) Client Get a token to access the resource on behalf of the resource owner Access the resource Grant access to the client to access a microservices under a provided scope Resource Owner Introspect
- 12. 12 OAuth 2.0 - Self Contained Access Tokens IAM (Authorization Server) Microservices (Resource Server) Client Get a token to access the resource on behalf of the resource owner Access the resource Resource Owner Grant access to the client to access a microservices under a provided scope JWT <Trust>
- 13. 13 Microservices Security ● Secure development ○ Static, dynamic code analysis ○ Dependency screening ○ Should be part of CICD process ○ Should have shorter feedback cycles ● Secure deployment ○ Service-per-host ○ Container level security ● Secure endpoints ● Service to service security
- 14. Secure Endpoints
- 15. 15 Secure Endpoints IAM (Authorization Server) Microservices (Resource Server) Client Get a token to access the resource on behalf of the resource owner Access the resource Resource Owner Grant access to the client to access a microservices under a provided scope JWT <Trust>
- 18. Demo Time!
- 21. 21 TLS Mutual Authentication ● Each microservice will have its own certificate to prove its identity ● How do we provision certificates to each microservice? ● How do we deal with certificate revocations? ● How do we deal with trust bootstrap? ● How do we deal with key rotation?
- 22. 22 SPIFFE ● Secure Production Identity Framework for Everyone ● SPIFFE tries to solve the trust bootstrap problem in a platform agnostic manner ● SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID ○ E.g. spiffe://acme.com/billing/payments ● Implementations - SPIRE, Istio
- 23. 23 JWT (JSON Web Token) ● Defines a container to transport data between interested parties ● There are multiple applications of JWT ○ In OpenID Connect the id_token is represented as a JWT ● Propagate one’s identity and user entitlements between interested parties over a unsecured channel
- 24. 24 Self Issued Access Tokens CA Microservice B Microservice A Access the resource JWT <Trust>
- 25. Access Control
- 26. 26 MicroProfile JWT (MP-JWT) ● Interoperable JWT for authentication and authorization ● Introduce 2 new claims to the MP-JWT ○ "upn": A human readable claim that uniquely identifies the subject or user principal of the token ○ "groups": The token subject's group memberships ● Enables Role Based Access Control (RBAC)
- 27. 27 Policy Evaluation (Central PDP) Single Container Single Container Single Container Microservice Microservice Microservice Single Container Microservice Single Container PDP jwt jwt jwt Authz req Authz resp
- 28. 28 Policy Evaluation (Embedded PDP) Single Container Single Container Single Container Microservice Microservice Microservice Single Container Microservice jwt jwt jwt PDP PDP PDP PDP PAP <Subscribe> <Subscribe> <Publish Policies>
- 29. 29 Open Policy Agent (OPA) ● A lightweight general-purpose policy engine that can be co-located with the service ● Can integrate OPA as a sidecar, host-level daemon, or library ● Integrated with Spring, Service Mesh implementations (Istio, Linkerd) Service OPA Query Decision DataPolicy
- 31. 31 Docker ● Docker is a way to package application or a service ● Abstracts technologies need to run the service to a container ● Run multiple services (container) on the same host machine ○ Different environment to each of them ○ Isolating each other
- 32. 32 Kubernetes ● Container orchestration system ○ Abstracts away the hardware infrastructure ○ Deployment as a code ● Allows to easily deploy and manage containerized applications on top of it ● Introduces another level of isolation ○ Pod - A logical grouping of containers that is deployed in the same physical host ○ Communication cost is very low for containers within the pod ○ Enables Sidecar pattern
- 33. 33 Kubernetes (Pods) Container Container 1 Container 1 Container 2 Pod 1 IP: 10.1.0.1 Pod 2 IP: 10.1.0.2 Pod 3 IP: 10.1.0.3 Container Container 1 Container 1 Container 2 Pod 4 IP: 10.1.0.4 Pod 5 IP: 10.1.0.2 Pod 6 IP: 10.1.0.3 Container 2 Worker Node 1 Worker Node 2
- 35. 35 Security Sidecar - Inbound Single pod Microservice Security Sidecar Introspection PDP
- 36. 36 Security Sidecar - Outbound Token Single pod Microservice Security Sidecar User-Info
- 37. Demo Time!
- 38. 38 Security Sidecar Request Microservice JWT+ IS Fetch Public Key Security Sidecar (JWT Validation) Request User-info+
- 39. 39 IAMs Role ● Provide strong access delegation capabilities ● Provide flexible token exchange capabilities ● Support for standard APIs to integrate with security sidecars ● Ability act as a lightweight STS
- 40. 40 Summary ● Microservices paradigm introduces new set of challenges to enforce security ● Lots of new trends to enforce edge, channel security in microservices ● API driven strong access delegation capabilities is a MUST for microservices friendly IAM