Microservices and Security: A Connection Worth Making

By Shrey Fadia, Analyst & Consultant  |  May 02, 2019

According to a Lightstep Microservices Trends report, most IT professionals (86%) expect microservices to be the default by 2022, affirming the notion that we are well into the next significant transformation of digital architectural design.

On the trajectory from client-server to web to mobile and now to a world of extreme digital transformation, we’re now fully into the age of microservices.

But how will we secure data and protect applications from attacks in this more granular world? Given the agility of microservice applications, the value is undeniable. But if these services are rolled out with security – and the network – as an afterthought, we could be in for serious risk and the usual “unanticipated consequences” of racing to adopt better, new technologies without considering the dark side.

Microservices are truly disruptive, not only because of the architecture but because they are most likely to be deployed using containers, and concerns about protecting an even more fragmented and growing attack surface are keeping security and network operations professionals awake at night. Why? Because now they are responsible for delivering secure app endpoints.

This takes us to what an endpoint is, which itself is morphing especially as the IoT brings more and diverse “things” to enterprise, government and organizations’ connected environments. Microservices are enhancing edge applications, even as the edge of the network is taking on more compute responsibilities for all the right reasons.

And every endpoint needs to be secured against attack and exploitation as the attack surface grows, and this is slowing down, in some cases, adoption of highly valuable solutions given concerns about everything from direct attacks to pivot attacks.

We asked Rick Conklin, CTO of Dispersive Networks, what can be done to address security for microservices in as scalable as way as possible to make implementations viable long term.

“Microservices rely on a loosely coupled and independently deployable model,” Conklin explained. “They can be spun-up anywhere and on-demand.  Those services will require connectivity, and that connectivity must support that elastic deployment model, and it must be secure while leveraging the ubiquitous public Internet.  Deploying microservices over the public Internet is best done using a virtual network overlay that supports microsegmentation, zero trust, and an elastic, on-demand model while providing the confidentiality, integrity, availability, and performance that the end user demands from those microservices.”

Conklin also recommended a strategy for APIs which can be created to establish virtual application endpoints in the same way applications are spun up and scaled on bare metal virtual servers.

“The legacy SD-WAN solution is optimized for site-to-site connectivity, not mobility, not IoT, not blockchain, and certainly not microservices,” Conklin said. “We need a better model for micro-services including software-defined perimeter and zero trust to ensure that every session can rely on the network to ensure integrity, confidentiality, availability, authentication, authorization, access, and performance while operating in a zero-trust environment with zero-touch provisioning. That includes confidentiality for sensitive data that is normally sent in the clear including TLS 1.2 headers, DNS requests, and key negotiation.  We’re in a completely different game with microservices, which is why we’ve been building networking software which includes security that can protect every endpoint and service.”

Using a virtual endpoint can also be enhanced with software that defends against attacks, including rate limiting and bot detection. Rate limiting prevents microservices from being overwhelmed, and bot detection can prevent automated scanners from finding and exploiting vulnerabilities in microservices.

“Microservices allow enterprises and governments to free themselves from expensive, complex, monolithic architectures when building and deploying applications,” Conklin said. “Microservices offer advantages and disadvantages when it comes to security; given the proliferation of separate APIs and ports per app, there are simply more doors for adversaries to access within an application.”

While containers can serve as an excellent security perimeter for microservices, it’s important to take into consideration the full requirement for a software-defined perimeter.

“Containers enable you to apply security to each individual service — making them ideal for microservices. And no matter the application, putting it in a container provides an added layer of security,” said David Lawrence, a senior software engineer at Docker. “We see a common trend across enterprises is to containerize legacy applications, and as a result, gain the immediate benefit of hardened security — in addition to cost-efficiencies and portability to hybrid cloud environments.”

In summary, microservices security brings with it new challenges. The DevOps, network ops and security ops teams in every organization must be on high alert, even more, vigilant against unauthenticated access to data and weak policies and enforcement of policies which can lead to man-in-the-middle attacks, and the loss of sensitive and confidential information.

Edited by Maurice Nagle
Get stories like this delivered straight to your inbox. [Free eNews Subscription]