Microservices Security Landscape

Prabath Siriwardenaprabath@wso2.com | prabath@apache.org

ABOUT ME

2

▪ https://github.com/prabath/me | Twitter: prabath

Monolithic

Microservices

Challenges

● Broader attack surface● Performance● Deployment complexities● Observability● Sharing user context● Polyglot architecture

Gateway Pattern at the Edge

OAUTH 2.0

7

AUTHORIZATION CODE GRANT TYPE

8

Gateway Pattern at the Edge

Service to Service SecurityTrust the Network

Service to Service SecurityMutual TLS

Service to Service SecurityMutual TLS + Shared JWT

Service to Service SecurityMutual TLS + JWT (Token Exchange)

Service to Service SecurityMutual TLS + JWT (Proxy)

Service to Service SecurityData Plane

Service to Service SecurityControl Plane

Service to Service SecurityAuthorization: Embedded PDP / Call Home

AuthorizationOpen Policy Agent (OPA)

● A lightweight general-purpose policy engine that can be co-located with your service

● Policies are written in Rego ● Can integrate OPA as a sidecar, host-level daemon, or library● Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka

https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/

● Netflix is an early adopter of OPA

Service Mesh

Service MeshIstio

Service MeshSPIFFE ~ Trust Bootstrap

Zero Trust Network Principles

● The network is hostile, do not trust it!● Zero Trust is not about making a system trusted, but instead about

eliminating trust on the network● IP addresses and location are no longer practical to establish

sufficient trust for network access

Zero Trust Network Practices● Keep security enforcement points as close as possible to the

resources● Avoid using bearer tokens● Follow least privilege principle● Do contextual access control and make access control decisions near

real-time● Automation● Distributed tracing and monitoring

End-to-End Flow

THANK YOU

wso2.com