As companies increasingly move to microservices, they discover the security challenges they pose. Learn about security in a microservices architecture, and about security best practices to ensure your microservices application is secure.
What are microservices?
A microservice-based architecture, often referred to as microservices, is an approach to software development where developers build the application as a set of modular components or services, each with a specific task or function. Each modular component is known as a microservice, and microservices can interface with each other using Application Programming Interfaces (APIs).
This approach has gained popularity with development teams, as it facilitates continuous integration and continuous deployment for large applications. Microservices adapt easily to a company’s needs as its technology evolves and scales up.
Microservices versus monolithic architecture
The microservices architecture contrasts with the traditional monolithic application model. The latter is structured as a single tier, making it easier to stand up quickly and integrate reliably with well-known integrated development environments (IDEs), frameworks, and tools. However, as monolithic applications age, their shortcomings begin to show.
As engineers supporting the application come and go, they take intimate knowledge of the application’s interdependencies. This makes it increasingly difficult to move development forward at the pace an organization needs.
By separating the application’s functions in a microservice architecture, developers can decouple the different components of an application, and iteratively improve on these functions independently, without as many complex dependencies. New technologies, libraries and services can be introduced as they become available.
Microservices security challenges
Yet microservices are not magic bullets, and implementing microservices in application development brings unique security challenges. As with traditional software, application security is critical to ensure your application is fit for use and sensitive data is protected. If done incorrectly, the damage to reputation and the business bottom line can be extensive: research shows the global average cost of a data breach is $4.35 million, and it takes about nine months to identify and contain a breach.
Roughly a decade ago, organizations recognized this and began to “shift left” with their software security initiatives (SSIs). The goal is to find and remediate problems before they are exploited. This has proven very effective, with the rise of DevSecOps methodology, and we are now seeing a drive to “shift everywhere”.
Research from Gartner shows that security vendor consolidation is significantly on the rise in 2022 because security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and lack of integration of a heterogeneous security stack, and that 65% of organizations consolidate to improve risk posture.
Specifically, the microservices deployment requires new approaches to development, security, and operations delivery. Applications built from microservices add complexity and moving parts, and the traditional approaches for managing and securing monolithic applications no longer apply.
Looking specifically at application security, effective methods for microservices are substantially different from those that work for monolithic applications. For the latter, a security team often uses centralized security modules, which cover access control (user context, authentication, authorization, and other critical measures).
However, in a microservices architecture, centralization diminishes the advantages of distributed deployment and reduces efficiency to secure microservices. In fact, most traditional, host-based network security tools cannot guarantee container security because they do not offer the ability to monitor microservice activity within a container, exposing the entire application to security vulnerabilities.
There are tools & practices that help address some of this complexity. The “bill of materials” SBOM approach continues to gain traction, as it encourages developers to have a running inventory of services and software components. Also, consider the various flavors of posture management and attack surface management solutions now available.
Ultimately, application complexity grows as does the security stack around them, it becomes increasingly important to have a single security data lake and analytics tool that can visualize and provide insights on all of this digital exhaust. Sumo Logic, for example, integrates across the full security stack and eliminates the need to swivel between solutions, and correlates across them for more meaningful insights. Metrics Events Logs & Tracing (MELT) can now be integrated into security workflows by defenders and developers alike.
Securing your public and private APIs
In general, but for cloud-native applications in particular, APIs play a central role in microservices, connecting multiple microservices and allowing them to interact. These APIs come in two main types: public and private. Public APIs are those that consumers use to access a resource or service through an app, while private APIs are those that teams use for larger applications that communicate between owners of different services.
Securing both public and private APIs is a must. Given the distributed nature of microservices, this can be a major challenge for a security team, who can easily lose visibility of API security because architecture patterns constantly change. The last thing you want are “leaky APIs”.
An added benefit of building things “API first”, is that these same APIs that power the cloud applications can also be used in automated security response actions and playbooks to resolve issues with minimal manual effort. Removing access keys, disabling accounts, whitelisting/blacklisting communications can all take advantage of automations done through APIs.
An API gateway is one strategy for easily managing multiple interfaces into services. And this strategy can enable some firewall protection within the microservices architecture. By placing the API gateway behind a firewall, you can essentially place a firewall around all your microservices. Effectively managing authorization and authentication can add a scalable layer of protection to the attack surface.
Delegate security to the level of individual microservices
To ensure an application is fit for purpose and warranty, an organization needs to establish access control and state how users will access multiple microservices within it. While it is possible to structure the application so it makes direct calls to each service, this can lead to highly complex code, involving an overwhelming number of service calls. Instead, many companies establish a dedicated server to function as an API gateway, providing a single point of entry and directing traffic into the multiple microservices.
Application security within an API gateway requires a more scalable approach than centralized session management. Ensuring that a user is who they claim to be and that they are allowed access to a service, these gateways typically handle authorization and authentication at the microservice level.
To keep your solutions efficient, allow delegation to the level of the individual microservice when you structure your model. Also, implement microsegmentation wherever possible. By grouping noes in cloud environments by logical function, you are able to isolate systems in the event that there is a compromise and reduce the blast radius.
Embrace a DevSecOps model
A microservice application is easy to set up and deploy across different platforms. Security teams often have a difficult time keeping pace with the increased surface area to protect. Compounding this is the reality that microservices break applications into smaller components, which increases traffic for monitoring and complicates access rules. In addition, many microservices also run inside cloud environments with their own types of security controls.
With the security services market catching up to the rapid adoption of microservices, a gap currently exists for available security testing solutions. With an abundance of exposed ports and APIs, microservices cannot be managed effectively with traditional firewalls that establish a perimeter around a network of connected servers. This new arrangement requires a distributed approach to securing the attack surface and reducing vulnerability.
Teams across development, operations, and security need to be on board. Security, operations, and development personnel need to collaborate across functions in a DevSecOps arrangement that prevents security from taking a back seat in the development of new capabilities. Teams can use security principles in the development of their code and have their code peer reviewed for security before deployment.
Creating a microservices security strategy
With security becoming an increasingly complex challenge for organizations switching to microservices, a cultural shift and a new mindset are necessary foundations for a functioning security strategy. Of course, there are many architectural considerations for deploying a secure microservices model, which we will explore next.
Use federated identity and authentication
Identity and Access Management will always be at the core of cybersecurity. This holds true within applications as well. Most applications within a microservices architecture require methods for controlling access management and authorization.
Some organizations with very specific security needs build their own authorization protocols to handle this requirement. However, frameworks and protocols like OAuth 2.0, OpenID, and SAML create standards for federated authentication. Understand the use cases for each technology. Cloud Service Providers offer a variety of IAM tools to fit almost any need. Three crucial benefits to a good IAM strategy are improved credential isolation, least privilege, and auditability.
Think automatic and atomic
The wide distribution and granularity of a microservice architecture can make it difficult to scale security solutions manually to cover all the services within. At the start of a microservices build, it is vital to establish automation for scaling security controls.
As an organization updates parts of its system, it needs to continuously test the system to catch any issues. All components should be wrapped within a container, so that testing the application only requires wrapping another container around it. Build scalable metrics, logs and tracing functionality into the development process. Look for vendors that leverage newer open source telemetry solutions like OpenTelemetry to avoid vendor lock-in.
Unify log management
Log data contains critical information on potential security events. When a security issue occurs, teams go to the logs or to the code first. Logs are the key to improved troubleshooting, security, and business intelligence, but are often stuck in silos and lost in a sea of noise. By adopting a unified log management system, you can increase the speed of threat detection. This gives your teams what they need to determine what is worth investigating and explore the unknown unknowns, so they can stop breaches, detect indicators of compromise (IOCs), and turn your data into actionable threat intelligence.
Final thoughts
As microservices gain traction among development teams, organizations can deploy new applications and services at a rate they could not achieve with traditional, monolithic application architectures. Along with these advancements comes the necessity for new approaches to security. Standard network tools, firewalls, and central monitoring resources are falling short in scalability and expose companies to security vulnerabilities.
If teams can effectively establish DevSecOps for building security into the development process, deepen and distribute their security programs, and efficiently manage access control through an API gateway, they can keep their security up to speed with the dynamic nature of the application development processes.
The most appropriate microservices security architecture requires you to understand the application, the different teams, and the organizational culture, so you can formulate and implement security best practices that make sense for your DevSecOps teams. The stakeholders and product team should be looking for the fastest path to deliver features.
How can Sumo Logic help you secure your microservices?
Securing microservices is critical if your organization believes they are right for you. Learn more about how Sumo Logic can help you modernize your security operations using a highly scalable cloud-native platform, so you can secure and protect against modern threats.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.