SlideShare a Scribd company logo

Identiverse - Microservices Security

Bertrand Carlier
Bertrand Carlier

This document discusses security approaches for microservices architectures. It begins by defining microservices as an application that calls API endpoints which then call other API endpoints. It then discusses four options for securing communication between microservices: 1) passing cleartext headers, 2) transmitting tokens, 3) using OAuth scopes, and 4) token exchange. Each option has advantages and disadvantages for security and complexity. The document also provides examples of microservices security architectures for three different companies. It concludes that the main challenge is implementing microservices security without mistakes by balancing requirements, capabilities, and choosing appropriate solutions.

1 of 28
Download to read offline
Microservices security. How (not) to? Bertrand CARLIER bertrand.carlier@wavestone.com @bertrandcarlier
© WAVESTONE 2 2800+ consultants On 4 continents & 20+ fields of expertise Who am I? Cybersecurity practice 400+ consultants Paris, New York, London, Hong Kong Adressing all topics within cybersecurity Digital Identity 120+ experts in identity and access management Maturity assessments, roadmap definition, projects design & build Myself Fell into identity circa 2004, handcrafted SAML tokens circa 2007 Standards enthusiast and zelot ever since Remote attendee of Cloud ID Summit for years, first on-site CIS/Identiverse last year @bertrandcarlier
© WAVESTONE 3 Backend APIs What I mean when I say « microservices » An application calling an API endpoint… …calling another API endpoint …calling another API endpoint …calling other API endpoints … This generally also involves CI/CD tools and various degrees of automation Client APIAPI API API API API API API API Front APIs
© WAVESTONE 4 What I mean when I say « microservices » An application calling an API endpoint… …calling another API endpoint …calling another API endpoint …calling other API endpoints … This generally also involves CI/CD tools and various degrees of automation Client APIAPI API API API API API API API Backend APIsFront APIs
© WAVESTONE 5 How to secure microservices 101 Client APIAPI API API API API API API APIAPI Gateway OAuth2 Network isolation Authorization server
© WAVESTONE 6 If only it was that simple…
© WAVESTONE 7 What happens inside? Free all-you-can-reach buffet! Client APIAPI API API API API API API APIAPI Gateway Authorization server Should the front Access Token be propagated? What could the API Gateway swap the front token with? Which APIs can reach which APIs? ? ? ? ?? ? ? ? ? ? ?
© WAVESTONE 8 Option #1. Cleartext headers Client APIAPI API API API API API API APIAPI Gateway Authorization server Not really secure of course / Unless there is a strict network isolation in place, this allows for a lot of attack scenarios › Impersonation › Augmented authorizations › etc. A naïve approach / “Token offloading” at the gate / Developers don’t need to “do” security or crypto stuff {} {} {} {} {} {} {} {} {} {} {} {userid, client_id, access rights, etc.}
© WAVESTONE 9 Option #2. Token transmission Client APIAPI API API API API API API APIAPI Gateway Authorization server But still not the safest / Confused deputy attack: One compromised API allows compromising any network-reachable API (only with initial user identity) A slightly better solution / Allows for user identity & rights integrity / Developers might need to do crypto stuff › One could provide them with helper libraries › API Gateway round trip could be required
© WAVESTONE 10 Option #3. OAuth scopes Client API Gateway Authorization server APIAPI API API API API ? ? ? Still not perfect / Requires to know beforehand all required scopes in the chain / Often requires to define separated (business) API domains / In many cases this solution can be secure enough Introduce notion of service to service controls / API gateway and/or client can generate/manage several tokens with different scopes / Compromission spreading is limited API API API
© WAVESTONE 11 Option #4. Token Exchange Client API Gateway Authorization server APIAPI API API API API Of course it is not perfect / Introduces network latency to get each token / Can be a burden to developers (unless productized in a library) Fined-grained service-to-service control / Access tokens contain the user identity and the list of APIs went across / Authorization server and/or API can enforce any fine-grained policy they wish API API API
© WAVESTONE 12 And many other options! Service-to-service authentication / authorization / Mutual TLS / Client credential token / Self signed JWT / Nested self-signed JWT (see Will Tran’s work at https://github.com/william-tran/microxchg2017) Token validation / API gateway (ie. Reverse Proxy) / Embedded software library (ie. Agent) / Micro-gateways Main difficulties remain / Key management to authenticate services / sign tokens / Define/maintain/centralize fine-grained access policies / By-value JWT / By-reference token
© WAVESTONE 13 Case studies
© WAVESTONE 14 Cheese retail company
© WAVESTONE 15 Cheese retail company • Get or update inventory across branches • Get special deals in real time APIs for in-store sales people on mobile device • Real-time availability • Click to collect • Previous commands and receipts APIs for consumers • Mobile HR APIs • ERP APIs APIs for Human Resources and Finance Cheese supermarkets all over France and now a few other countries. We now have that goat cheese you loved back in stock! This Brie is available in a branch less than 10km from here! Our margin on Époisses is outstanding! This branche’s sales on Comté are really low That smelly Camembert is now 30% off for a limited time! That smelly Camembert is now 30% off for a limited time! This individual will get a 20% raise this year
© WAVESTONE 16 Inventory HR ERP Cheese retail company APIs Fence Network isolation Sub domain isolation / An API Gateway › Check the token validity › Serialize it / A “fence” per functional domain › Check user access rights › PaaS based network isolation › Domain-to-domain requests must go back through fences / Micro-services › Check client access rights An architecture based on three levels
© WAVESTONE 17 Big Bakery Company Pas la meilleur image !
© WAVESTONE 18 Big Bakery Company • New varieties of bread and croissant must hit the market before competitors • Agility to develop new products and means to trade them A classic story of digital transformation • Corporate clients do not want to access apps, they also want APIs • Internal dev teams also want to leverage data and operations through APIs APIs first • Spoiled pains au chocolat or sandwiches can cause severe health troubles • Recipes are very valuable assets that mustn’t leak Strong regulation A well established trading company in the bread and viennoiserie business I’ll just add a pinch of ginger… Let’s patch this croissant with almonds! /GET this sandwich before it expires or /DELETE it! Baguettes as a ServiceI can compose 1815 varieties of donuts now!
© WAVESTONE 19 Big Bakery Company Front APIs, using both user and application right Network isolation A very secure & robust architecture in theory / Token exchange from front to back / Client rights as scopes / User rights as custom claim But actually not fully leveraged / Only the front APIs check the user rights / Backend APIs only check the application rights and (implicitly) trust front APIs to check user rights Check app right Check user right Back-end APIs using only application right Reachable with token 1 Reachable with token 2 Reachable with token 3
© WAVESTONE 20 Wine Company
© WAVESTONE 21 Wine Company • Pay-as-you-drink, next bill estimation based on current consumption Wine as a Service • Suggestion based on previous tastings • AI powered advisor Wine advisor • Data sharing with wine amateurs social networks Third party services integration A utility company for wine. Millions of customers, With your Tournedos Rossini, I suggest you have a Margaux ‘62 I’d say you may very well like a Pommard To meet your target budget, you must have 2 more glasses € Congrats! You just earned the Burgundy Expert badge!
© WAVESTONE 22 Utilities – Wine as a Service Network isolation An approach based on point to point controls… / Using scope (and a strong scope governance) / Using both users and applications right, allows to ensure traceability Soon-to-be-in-production: a micro API Gateway / Deployed in front of each APIs in containers / Based on FOSS module (Apache & mod_auth_openidc) / A one-fits-all solution : Java, Ruby, Node.js, etc. Classical services Micro API Gateway Container
© WAVESTONE 23 3 different environments, 3 different solutions Development agility, feature teams independence Coarse-grained scopes, fine-grained user rights Business domain segregation Very risk averse environment, required traceability Fine-grained user and application rights Token exchange Heterogeneous technologies for API development, unsegmented network Moving to micro-gateways, leveraging CI/CD tools Micro gateways
© WAVESTONE 24 A few rules to balance API security design Different contexts will result in different architectures / Security requirements / Build & deployment automation capabilities / Gateway vs. agents vs. micro-gateways 1 Token transmission & scope management will fit most security requirements / Secure enough in most cases / Relatively easy to implement 2 Consider other options to cover additional security constraints / Service-to-service authentication / Token exchange or nested self-issued JWTs3
© WAVESTONE 25 There are many available blocks to achieve micro-services security. The main difficulty is to build it without mistakes
© WAVESTONE 26 Dou Ohote Raillte!
wavestone.com @wavestone_ Bertrand CARLIER Senior Manager M +33 (0)6 18 64 42 52 bertrand.carlier@wavestone.com riskinsight-wavestone.com @Risk_Insight securityinsider-solucom.fr @SecuInsider
PARIS LONDON NEW YORK HONG KONG SINGAPORE * DUBAI * SAO PAULO * LUXEMBOURG MADRID * MILANO * BRUSSELS GENEVA CASABLANCA ISTANBUL * LYON MARSEILLE NANTES * Partnerships

More Related Content

Identiverse - Microservices Security

  • 1. Microservices security. How (not) to? Bertrand CARLIER bertrand.carlier@wavestone.com @bertrandcarlier
  • 2. © WAVESTONE 2 2800+ consultants On 4 continents & 20+ fields of expertise Who am I? Cybersecurity practice 400+ consultants Paris, New York, London, Hong Kong Adressing all topics within cybersecurity Digital Identity 120+ experts in identity and access management Maturity assessments, roadmap definition, projects design & build Myself Fell into identity circa 2004, handcrafted SAML tokens circa 2007 Standards enthusiast and zelot ever since Remote attendee of Cloud ID Summit for years, first on-site CIS/Identiverse last year @bertrandcarlier
  • 3. © WAVESTONE 3 Backend APIs What I mean when I say « microservices » An application calling an API endpoint… …calling another API endpoint …calling another API endpoint …calling other API endpoints … This generally also involves CI/CD tools and various degrees of automation Client APIAPI API API API API API API API Front APIs
  • 4. © WAVESTONE 4 What I mean when I say « microservices » An application calling an API endpoint… …calling another API endpoint …calling another API endpoint …calling other API endpoints … This generally also involves CI/CD tools and various degrees of automation Client APIAPI API API API API API API API Backend APIsFront APIs
  • 5. © WAVESTONE 5 How to secure microservices 101 Client APIAPI API API API API API API APIAPI Gateway OAuth2 Network isolation Authorization server
  • 6. © WAVESTONE 6 If only it was that simple…
  • 7. © WAVESTONE 7 What happens inside? Free all-you-can-reach buffet! Client APIAPI API API API API API API APIAPI Gateway Authorization server Should the front Access Token be propagated? What could the API Gateway swap the front token with? Which APIs can reach which APIs? ? ? ? ?? ? ? ? ? ? ?
  • 8. © WAVESTONE 8 Option #1. Cleartext headers Client APIAPI API API API API API API APIAPI Gateway Authorization server Not really secure of course / Unless there is a strict network isolation in place, this allows for a lot of attack scenarios › Impersonation › Augmented authorizations › etc. A naïve approach / “Token offloading” at the gate / Developers don’t need to “do” security or crypto stuff {} {} {} {} {} {} {} {} {} {} {} {userid, client_id, access rights, etc.}
  • 9. © WAVESTONE 9 Option #2. Token transmission Client APIAPI API API API API API API APIAPI Gateway Authorization server But still not the safest / Confused deputy attack: One compromised API allows compromising any network-reachable API (only with initial user identity) A slightly better solution / Allows for user identity & rights integrity / Developers might need to do crypto stuff › One could provide them with helper libraries › API Gateway round trip could be required
  • 10. © WAVESTONE 10 Option #3. OAuth scopes Client API Gateway Authorization server APIAPI API API API API ? ? ? Still not perfect / Requires to know beforehand all required scopes in the chain / Often requires to define separated (business) API domains / In many cases this solution can be secure enough Introduce notion of service to service controls / API gateway and/or client can generate/manage several tokens with different scopes / Compromission spreading is limited API API API
  • 11. © WAVESTONE 11 Option #4. Token Exchange Client API Gateway Authorization server APIAPI API API API API Of course it is not perfect / Introduces network latency to get each token / Can be a burden to developers (unless productized in a library) Fined-grained service-to-service control / Access tokens contain the user identity and the list of APIs went across / Authorization server and/or API can enforce any fine-grained policy they wish API API API
  • 12. © WAVESTONE 12 And many other options! Service-to-service authentication / authorization / Mutual TLS / Client credential token / Self signed JWT / Nested self-signed JWT (see Will Tran’s work at https://github.com/william-tran/microxchg2017) Token validation / API gateway (ie. Reverse Proxy) / Embedded software library (ie. Agent) / Micro-gateways Main difficulties remain / Key management to authenticate services / sign tokens / Define/maintain/centralize fine-grained access policies / By-value JWT / By-reference token
  • 14. © WAVESTONE 14 Cheese retail company
  • 15. © WAVESTONE 15 Cheese retail company • Get or update inventory across branches • Get special deals in real time APIs for in-store sales people on mobile device • Real-time availability • Click to collect • Previous commands and receipts APIs for consumers • Mobile HR APIs • ERP APIs APIs for Human Resources and Finance Cheese supermarkets all over France and now a few other countries. We now have that goat cheese you loved back in stock! This Brie is available in a branch less than 10km from here! Our margin on Époisses is outstanding! This branche’s sales on Comté are really low That smelly Camembert is now 30% off for a limited time! That smelly Camembert is now 30% off for a limited time! This individual will get a 20% raise this year
  • 16. © WAVESTONE 16 Inventory HR ERP Cheese retail company APIs Fence Network isolation Sub domain isolation / An API Gateway › Check the token validity › Serialize it / A “fence” per functional domain › Check user access rights › PaaS based network isolation › Domain-to-domain requests must go back through fences / Micro-services › Check client access rights An architecture based on three levels
  • 17. © WAVESTONE 17 Big Bakery Company Pas la meilleur image !
  • 18. © WAVESTONE 18 Big Bakery Company • New varieties of bread and croissant must hit the market before competitors • Agility to develop new products and means to trade them A classic story of digital transformation • Corporate clients do not want to access apps, they also want APIs • Internal dev teams also want to leverage data and operations through APIs APIs first • Spoiled pains au chocolat or sandwiches can cause severe health troubles • Recipes are very valuable assets that mustn’t leak Strong regulation A well established trading company in the bread and viennoiserie business I’ll just add a pinch of ginger… Let’s patch this croissant with almonds! /GET this sandwich before it expires or /DELETE it! Baguettes as a ServiceI can compose 1815 varieties of donuts now!
  • 19. © WAVESTONE 19 Big Bakery Company Front APIs, using both user and application right Network isolation A very secure & robust architecture in theory / Token exchange from front to back / Client rights as scopes / User rights as custom claim But actually not fully leveraged / Only the front APIs check the user rights / Backend APIs only check the application rights and (implicitly) trust front APIs to check user rights Check app right Check user right Back-end APIs using only application right Reachable with token 1 Reachable with token 2 Reachable with token 3
  • 21. © WAVESTONE 21 Wine Company • Pay-as-you-drink, next bill estimation based on current consumption Wine as a Service • Suggestion based on previous tastings • AI powered advisor Wine advisor • Data sharing with wine amateurs social networks Third party services integration A utility company for wine. Millions of customers, With your Tournedos Rossini, I suggest you have a Margaux ‘62 I’d say you may very well like a Pommard To meet your target budget, you must have 2 more glasses € Congrats! You just earned the Burgundy Expert badge!
  • 22. © WAVESTONE 22 Utilities – Wine as a Service Network isolation An approach based on point to point controls… / Using scope (and a strong scope governance) / Using both users and applications right, allows to ensure traceability Soon-to-be-in-production: a micro API Gateway / Deployed in front of each APIs in containers / Based on FOSS module (Apache & mod_auth_openidc) / A one-fits-all solution : Java, Ruby, Node.js, etc. Classical services Micro API Gateway Container
  • 23. © WAVESTONE 23 3 different environments, 3 different solutions Development agility, feature teams independence Coarse-grained scopes, fine-grained user rights Business domain segregation Very risk averse environment, required traceability Fine-grained user and application rights Token exchange Heterogeneous technologies for API development, unsegmented network Moving to micro-gateways, leveraging CI/CD tools Micro gateways
  • 24. © WAVESTONE 24 A few rules to balance API security design Different contexts will result in different architectures / Security requirements / Build & deployment automation capabilities / Gateway vs. agents vs. micro-gateways 1 Token transmission & scope management will fit most security requirements / Secure enough in most cases / Relatively easy to implement 2 Consider other options to cover additional security constraints / Service-to-service authentication / Token exchange or nested self-issued JWTs3
  • 25. © WAVESTONE 25 There are many available blocks to achieve micro-services security. The main difficulty is to build it without mistakes
  • 26. © WAVESTONE 26 Dou Ohote Raillte!
  • 27. wavestone.com @wavestone_ Bertrand CARLIER Senior Manager M +33 (0)6 18 64 42 52 bertrand.carlier@wavestone.com riskinsight-wavestone.com @Risk_Insight securityinsider-solucom.fr @SecuInsider
  • 28. PARIS LONDON NEW YORK HONG KONG SINGAPORE * DUBAI * SAO PAULO * LUXEMBOURG MADRID * MILANO * BRUSSELS GENEVA CASABLANCA ISTANBUL * LYON MARSEILLE NANTES * Partnerships