“Over the past few years enterprises and industry leaders have been steadily adopting microservices to drive their business forward. At this point, companies like Amazon, and Google, to name a few, must agree that the microservices style of architecture is much more than a passing trend.
Along with the many benefits of updating monolith systems to microservices architecture, there are also new security challenges that organizations need to address. It’s important to remember that microservices require DevOps, development, and security teams to adopt new security patterns and practices to ensure microservices security.
Microservices — or microservice architecture, are an architectural style that divides the traditional monolithic model into independent, distributed services that can be scaled and deployed separately.
Martin Fowler and James Lewis describe microservices as “an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API.” They explain that microservices “are built around business capabilities and independently deployable by fully automated deployment machinery. There is a bare minimum of centralized management of these services, which may be written in different programming languages and use different data storage technologies.”
Securing Microservices Architecture
Fowler and James provide a list of common characteristics of microservices, including: smart endpoints and dumb pipes, decentralized governance and data management, and infrastructure automation. This new type of highly distributed and dynamic system presents teams with a new set of potential security risks that need to be addressed, and require them to adopt a new security approach. As with many arising technologies, security needs to be baked into architecture patterns and design and integrated into the entire development lifecycle, so that applications and data remain protected.
Think Strategy: How To Secure Microservices
As microservices architecture continues to evolve at a rapid pace, along with the application security ecosystem, it’s important that organizations adopt a few interconnected key approaches that will help them keep their microservices security patterns up to date while remaining agile.
#1 Defense in Depth
One strategy that’s important to adopt is defense in depth. Gone are the days depending on a single firewall to protect your monolith system. Defense in depth is a security strategy that calls for placing multiple levels of security controls throughout an organization’s software systems. In the context of microservices, the services with the most sensitive data are the ones that require multiple, and varied, layers of protection.
#2 DevSecOps
Second but just as critical is the DevSecOps approach. Like all components in the DevOps pipeline, microservices security requires DevSecOps tools and practices. These include shifting security left by integrating application security testing tools into the entire DevSecOps pipeline, from design all the way up to production.
#3 Isolation
Gavin Kenny of IBM stresses the importance of isolation as a core principle of microservices: “Each service must be an autonomous piece of the overall application puzzle. A microservice needs to be able to be deployed, maintained, modified, scaled and retired without affecting any of the other microservices around it.” He adds that this extends to the support functions beneath the architecture, like the database level, and that isolation is also important in failure mode…”
