A microservice architecture brings new challenges to API security, and careful design is needed at both the operations and development levels to ensure that corporate data is properly protected from unwanted access.
In this session we explain what API security encompasses, why API security needs to be considered as early as possible in the lifecycle of the microservices, and how known standards such as OAuth and OpenID Connect can be leveraged to authenticate and authorize access to microservices; we also give practical examples and recommendations for the design and deployment of microservice architectures.
3. 6/20/19
I.1. Micro-services concepts: what is it?
Microservices-based application system:
• Multiple components (microservices) that communicate with each other using RPC (synchronous) or a messaging system (asynchronous).
• Each microservice implements one distinct business process or functionality.
• Each microservice is a mini-application:
  – implements its own business logic
  – various adapters for carrying out functions such as database access and messaging
• Most microservices expose a RESTful API.
• Often cloud native (Kubernetes-like infrastructures) and deployed in the cloud.
• DevOps processes -> SecDevOps
I.2. Micro-services concepts: design goals
Each micro-service:
• Is developed, secured and deployed by a single SecDevOps team.
• Is operated (managed, replicated, scaled, upgraded, …) independently of other microservices.
• Exposes a single function.
• Is as stateless as possible.
Which provides:
• Autonomy
• No coupling
• Composability
• Alignment with business processes
I.3. Micro-services concepts: architecture
Two main architectural frameworks:
• API Gateway based
• Service mesh based (Istio-like infrastructures)
  – Data plane with side-car proxies
  – Control plane (monitoring, key service, routing, service registration, etc.)
We advise to use both!
• An API Gateway to act as the Ingress controller
  – Using opaque access tokens for external consumption
  – Exchanging opaque tokens against JWTs for internal services consumption
• Micro API Firewalls as last-mile security PEPs -> Defense in depth is key!!!
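The token flow described above (opaque token validated at the gateway, a short-lived JWT minted for internal services, and a last-mile PEP in front of each service checking signature, expiry, audience and scope), as an added example that is not part of the original deck. The signing key, the introspection store, the claim values and the function names are constructed for illustration; the JWT is signed with HMAC-SHA256 using only the Python standard library.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed key shared between the gateway and the internal PEPs (assumption).
INTERNAL_KEY = b"constructed-gateway-signing-key"

# Constructed stand-in for the authorization server's introspection endpoint
# (RFC 7662 style fields): opaque token -> metadata.
OPAQUE_TOKENS = {
    "opq-1234": {"active": True, "sub": "alice", "scope": "orders:read"},
    "opq-5678": {"active": False, "sub": "bob", "scope": "orders:read"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def gateway_exchange(opaque_token: str, now: int, ttl: int = 300) -> Optional[str]:
    """Gateway: introspect the opaque token; if active, mint an internal JWT.
    Returns None (request rejected) for unknown or inactive tokens."""
    meta = OPAQUE_TOKENS.get(opaque_token)
    if not meta or not meta.get("active"):
        return None
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": meta["sub"], "scope": meta["scope"],
              "aud": "internal", "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(INTERNAL_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def pep_authorize(jwt_token: str, required_scope: str, now: int) -> Optional[dict]:
    """Micro API firewall / PEP in front of a service: verify alg, signature,
    audience, expiry and scope before letting the call reach business logic."""
    try:
        h, p, s = jwt_token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(INTERNAL_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != "internal" or claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims
```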
II.1. Micro-services: Security challenges
“I have SSL/TLS and OAuth in place, isn't that enough??!”
Too many customers…
II.2. Micro-services security: Security challenges
• Authentication (validation and OIDC flows)
• Integrity (data has not been tampered with)
• Audit (forensics)
• Confidentiality (data can’t be seen in flight)
• Availability (rate limiting)
• Authorization (access control and OAuth flows)
• Non-repudiation (legal compliance)
• Traffic validation (attack protection)
III.1. From DevOps to SecDevOps
• Develop: develop and document the API with OpenAPI/Swagger
• Audit: assess the API description and evaluate the risk level
• Protect: configure and apply security policies from the assessed risk
• Deploy: deploy to a containerised PEP
• Scan: continuous API hardening, including API fuzzing
• Monitor: monitor security vulnerabilities and runtime behaviour
IV.1. Good papers on micro-services security
• NIST Draft on Security Strategies to secure Microservices-based Application Systems (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204-draft.pdf)
• CA Securing Microservices APIs document (https://www.ca.com/content/dam/ca/us/files/ebook/securing-microservice-apis-sustainable-and-scalable-access-control.pdf)