When it comes to microservices applications, appropriately dealing with security measures is highly important. As microservices-based software is a composition of decentralized and loosely-coupled services, you risk facing tangible security threats. Especially when your app is deployed on a cloud platform. That’s why today we’re discussing some extra precautions you have to consider while creating a microservices ecosystem.
Security in Microservices: 3 Main Things to Remember
Following our course on Microservices basics, you already know the specifics of microservice architecture, particularly the need to use API gateways as a single entry point for client requests. Its purpose is to provide a secure communication passage between numerous app’s services and a client-side by authenticating requests and forwarding them to appropriate services that can, in turn, invoke other required services.
The problem to solve from the security concept’s side is how to verify the identity of a client and pass it to the service that would handle a particular request?
1. Authentication and Authorization
These are the two terms we use for the components of the system that enforce the control over access rights to services and apply the security policies.
The authentication technology determines whether a client is who or what it states itself to be. If the client’s credentials successfully match the credentials in an app’s database of authorized users or a data authentication server, the identification process is passed. Then, the authentication component provides a client or a service with access control for other services or permission to make calls to them. The most common example of authentication technology is the login and password form.
So, to communicate with each other and external clients securely, each of your app’s services has to have a unique identity to be authenticated and authorized as a single entity. It’s not an easy task to accomplish — your system might have hundreds of microservices of various sizes and levels of digitalization.
Authorization is the process of determining who to grant the privileges of use and permission to do something inside the system. Basically, it’s who is allowed to do what. Single sign-on technology ensures that once logged in, the user won’t have to log in again and again to access the needed service.
It’s the next step that follows the authentication procedure. Your app’s services are going to need a confirmed verification that a client or another service is authorized to perform a particular action. Authorization solves the problem of assigning access rights to resources of the distributed system to an appropriate user. Your microservices won’t have to deal with authentication and authorization forms and users’ credentials storage. For this, you’ll have an identity and access management system.
You’ve probably heard of such famous authentication protocols as OpenID, OAuth/OAuth2, Kerberos, and good old SAML. Also, there are well-known identity and access management systems like Okta, Keycloak, and Shiro. All of these tools are at your disposal.
2. API Security
API gateway allows your microservices to share the functionality with other apps over a defined UI existing between these applications and your own. The inputs and outputs of such UIs can be secured, unexposed, and internal to the apps’ modules. At the same time, they might be exposed outside the app’s ecosystem to receive and transmit data to other external UIs.
You’ll have to apply more scalable methods to secure your API than the usual centralized session management. Your gateway is usually responsible for dealing with both authentication and authorization procedures at the level of microservices. So, you should build your security model in a way to allow the delegation of tasks to the microservices level.
The previous paragraph leads us to another extra element of security that API gateways bring to the app’s system — token-based authentication. As the API shields the microservices from a client, a client can’t access any service directly or exploit it. Which leads to the question of how a service communicates a client’s identity once it authenticates to the other microservices in a distributed system?
The solution is by using access tokens that allow you to record the clients’ credentials. The access tokens (e.g., JSON Web Token or session cookies) securely store users’ data and easily identify them each time they try to access the microservices system. API gateway forwards the client’s request to the server that assesses whether or not the client has permission to use the requested service.
3. The Concept of Access Tokens
The previous paragraph leads us to another extra element of security that API gateways bring to the app’s system — token-based authentication. As the API shields the microservices from a client, a client can’t access any service directly or exploit it. Which leads to the question of how a service communicates a client’s identity once it authenticates to the other microservices in a distributed system?
The solution is by using access tokens that allow you to record the clients’ credentials. The access tokens (e.g., JSON Web Token or session cookies) securely store users’ data and easily identify them each time they try to access the microservices system. API gateway forwards the client’s request to the server that assesses whether or not the client has permission to use the requested service.
An access token then exchanges the information about the client between other assigned services to let them determine if a token itself is valid. The microservices pull the client’s data out of token and perform the verification procedure to ensure that the client is authorized to use the service. Each service can use the access token when calling other services.
The most important thing is that the data stored in tokens have to be encrypted to prevent security breaches caused by any third-party applications. For example, JSON format is an open standard that a priori encrypts the access tokens and provides supporting libraries for various programming languages.
Final Words
Security patterns in microservices-based applications are to be kept in mind since you can’t leave your software product unprotected in any case, much less when your architecture is distributed. While API and authentication and authorization technologies are a must-have, the token-based approach also has some tangible benefits to consider. First of all, it stores and passes the identity of the caller between the microservices securely. What’s more, the services can verify by themselves if the client is authorized to use their functionality.
In recent years, the DevOps approach has greatly improved the security testing practices and integrated them into the development lifecycle. If you struggle with the matter of securing your microservices ecosystem, give us a call or send an email, we’ll try to find the optimal solution for your problem.