Microservices are an amazing evolution in web-app architecture. They are arguably the catalyst for organizations adopting the concept of continuous integration and continuous development, or CI/CD. Microservices have broken organizational siloes and enabled the fast and agile development of web apps. But a microservice-based application may increase risk for organizations if security is not taken into consideration — especially when deployed in combination with cloud.

In this blog post, we’ll explore three of many considerations when securing your microservices environment. The goal is to more efficiently manage risk by incorporating access control, visibility, and security testing as core design and operational goals.

1) Tightening Down Access Control

At the user level: From an identity and access management aspect, all users should be uniquely identified. Abstract the function of global authentication and authorization away from individual microservices and use a central directory service as a single source of identity and authentication. Consider an API gateway as the central entry to hide the individual services externally. Protocols such as OpenID can be deployed for authentication. You can use OAuth-based authorization, especially when dealing with data requests from third-party apps.

At the microservices level: Every microservice is a specialized process, so it is a good idea to allow it to access only the resources it needs. This creates a smaller attack surface because a vulnerability in just one microservice won’t expose the rest of the system to an attacker. A distributed firewall enforces fine-grained access control between services, so that containers running different services have safe dividers between them. The same principle applies to the level of access granted. For instance, a microservice that merely checks inventory availability should be granted read permissions to a database rather than read/write if there is no need for it to create or change existing information.

On top of segmentation, apply mutual authentication between microservices using mutual TLS (mTLS), which also encrypts the data transmission between microservices. With mTLS, a certificate needs to be generated for each microservice. The microservices are authenticated with each other’s certificates. Keep in mind that in the microservice operating environment, there might be a large number of dynamic microservice instances that necessitate a smooth and automatic certificate creation and distribution mechanism. An internal PKI/CA can be used to provide certificate management, including issuing, revoking, and updating.

2) Ramping Up Visibility

You should design visibility into the entire infrastructure. From a DevOps perspective, the team needs deep visibility inside containers. Configure performance alerts for the service and not the container because application performance and availability are what’s important. Monitoring microservices is crucial because they may be elastic in nature and not bound to one location. But monitoring microservices is just the tip of the iceberg.

The expansive and high-scale potential of a microservices environment amplifies the crucial need for detailed documentation on each microservice. The documentation should clearly illustrate the function each microservice serves to help expose potential weaknesses and accelerate triage during an outage or attack. Service graphs help to map out the communication between microservices to identify potential problem areas and irregular behavior that might signify a vulnerability exploit or hijack.

3) Operationalizing Security Testing

Finally, in line with CI/CD, continuous security testing adds security assurance for the CI/CD pipeline and the underlying platform. Properly define the scope, frequency, and method of security testing so that it is effective and yields the desired insights.

Security smoke tests should check for drift from baseline security requirements such as unnecessarily open ports and services. Penetration tests should simulate actual attack scenarios and look for excessive developer privileges and weak passwords on the orchestrator platform.
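One way to write the open-port drift check described above is sketched below. It is an added example, not code from the original post or from any product it mentions. The service name `inventory-service`, the baseline of allowed ports, and the sample `ss -H -tln` output are all constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output from a hypothetical container.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:8443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:8443 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 *:5005 *:*
"""

# Assumed baseline: ports each service may expose beyond loopback.
BASELINE = {"inventory-service": {8443}}


def parse_listeners(ss_output):
    """Return a set of (address, port) pairs from `ss -H -tln` lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Split on the last colon so IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        listeners.add((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """Wildcard binds ('*', 0.0.0.0, ::) are reachable from other hosts."""
    if addr == "*":
        return False
    # Drop an interface suffix such as '%lo' before parsing.
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback


def drift(service, ss_output, baseline=BASELINE):
    """Ports reachable off-host that the baseline does not allow."""
    allowed = baseline.get(service, set())
    exposed = {p for a, p in parse_listeners(ss_output) if not is_loopback(a)}
    return sorted(exposed - allowed)


if __name__ == "__main__":
    unexpected = drift("inventory-service", SAMPLE_SS)
    print("unexpected listening ports:", unexpected)
    raise SystemExit(1 if unexpected else 0)
```

Run as a pipeline step, the non-zero exit code fails the build when a container listens on a port outside its baseline; a service with no baseline entry is treated as allowed to expose nothing.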

Continuous container monitoring during runtime helps in protecting applications from malicious code injection through an external or internal user interface, malware infection, and other attack tactics.

Microservices are a great thing for the business and for IT, but you must manage them appropriately to ensure the organization remains secure. The goal is to more efficiently manage risk by incorporating access control, visibility, and security testing as core design and operational goals.
