Identiverse - Microservices Security
Bertrand Carlier
Slides from my session at Identiverse 2018 about Microservices Security
Slide 1: Microservices security. How (not) to?
Bertrand CARLIER, bertrand.carlier@wavestone.com, @bertrandcarlier
Slide 2: Who am I?
© WAVESTONE
Wavestone: 2800+ consultants on 4 continents and 20+ fields of expertise.
Cybersecurity practice: 400+ consultants in Paris, New York, London and Hong Kong, addressing all topics within cybersecurity.
Digital Identity: 120+ experts in identity and access management; maturity assessments, roadmap definition, project design & build.
Myself: fell into identity circa 2004, handcrafted SAML tokens circa 2007, standards enthusiast and zealot ever since. Remote attendee of Cloud ID Summit for years, first on-site CIS/Identiverse last year. @bertrandcarlier
Slides 3–4: What I mean when I say « microservices »
An application calling an API endpoint… calling another API endpoint… calling another API endpoint… calling other API endpoints…
This generally also involves CI/CD tools and various degrees of automation.
Diagram: Client → Front APIs → Backend APIs, a chain of API calls fanning out behind the front.
Slide 5: How to secure microservices 101
Diagram: Client → API Gateway → APIs, with OAuth2, network isolation and an authorization server.
Slide 6: If only it was that simple…
Slide 7: What happens inside? Free all-you-can-reach buffet!
Diagram: Client → API Gateway → APIs, authorization server; a question mark on every internal hop.
Should the front Access Token be propagated?
What could the API Gateway swap the front token with?
Which APIs can reach which APIs?
Slide 8: Option #1. Cleartext headers
Diagram: the API Gateway forwards {userid, client_id, access rights, etc.} as cleartext headers to every API.
A naïve approach
/ "Token offloading" at the gate
/ Developers don't need to "do" security or crypto stuff
Not really secure of course
/ Unless there is a strict network isolation in place, this allows for a lot of attack scenarios
  › Impersonation
  › Augmented authorizations
  › etc.
Slide 9: Option #2. Token transmission
Diagram: the front access token itself is forwarded from the API Gateway through every API.
A slightly better solution
/ Allows for user identity & rights integrity
/ Developers might need to do crypto stuff
  › One could provide them with helper libraries
  › An API Gateway round trip could be required
But still not the safest
/ Confused deputy attack: one compromised API allows compromising any network-reachable API (only with the initial user identity)
Slide 10: Option #3. OAuth scopes
Diagram: the client or the API Gateway holds several tokens with different scopes, each reaching only its own group of APIs.
Introduces the notion of service-to-service controls
/ The API gateway and/or client can generate/manage several tokens with different scopes
/ Compromise spreading is limited
Still not perfect
/ Requires knowing beforehand all required scopes in the chain
/ Often requires defining separate (business) API domains
/ In many cases this solution can be secure enough
Slide 11: Option #4. Token Exchange
Diagram: each hop goes back to the authorization server to swap its token for one aimed at the next API.
Fine-grained service-to-service control
/ Access tokens contain the user identity and the list of APIs traversed
/ The authorization server and/or API can enforce any fine-grained policy they wish
Of course it is not perfect
/ Introduces network latency to get each token
/ Can be a burden to developers (unless productized in a library)
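Options #1, #2 and #4 from the preceding slides, side by side, as an added example that is not part of the deck. It is stdlib-only Python: a minimal HS256 JWT signer/verifier stands in for the authorization server, the shared secret, the API names (gateway, orders, inventory, payments), the exchange policy and the "chain" claim name are all constructed for the example (RFC 8693 token exchange carries actor information in an "act" claim; "chain" is used here only to make the list of traversed APIs explicit). The cleartext-header API accepts any user id it is handed; the forwarded-token API verifies the signature but accepts the same token at every hop; the exchanged token is bound to one target API and records where it has been.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the authorization server and the APIs (HS256).
# A real deployment would use an asymmetric key pair published through JWKS.
SECRET = b"constructed-demo-secret-not-for-production"
ALG = "HS256"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64(json.dumps({"alg": ALG, "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(mac)}"


def verify_jwt(token: str, audience: str, now: float, key: bytes = SECRET) -> dict:
    """Reject on unexpected alg, bad signature, expiry or audience; return the claims otherwise."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != ALG:
        raise PermissionError("unexpected alg")  # refuses "none" and algorithm confusion
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("aud") != audience:
        raise PermissionError("wrong audience")
    return claims


def issue_front_token(user: str, now: float) -> str:
    """What the authorization server hands the client: audience is the gateway."""
    return sign_jwt({"sub": user, "aud": "gateway", "exp": now + 300, "scope": "orders:read"})


# Option #1: the gateway strips the token and forwards cleartext headers.
def option1_inventory_api(headers: dict) -> str:
    """Trusts X-User-Id as-is: anything that can reach the API can claim any user."""
    return f"inventory for {headers['X-User-Id']}"


# Option #2: the front token itself is forwarded and every API verifies it.
def option2_inventory_api(headers: dict, now: float) -> str:
    """User identity is integrity-protected now, but the same token is valid at every
    API behind the gateway, so one compromised API can replay it at any other."""
    token = headers["Authorization"].split(" ", 1)[1]
    claims = verify_jwt(token, "gateway", now)
    return f"inventory for {claims['sub']}"


# Option #4: token exchange. Constructed policy: which caller may get a token for which API.
EXCHANGE_POLICY = {"gateway": {"orders"}, "orders": {"inventory", "payments"}, "inventory": set()}


def exchange_token(subject_token: str, actor: str, target: str, now: float) -> str:
    """Authorization-server side of the exchange: verify the caller's own token, apply the
    service-to-service policy, and mint a token for the next hop that keeps the user
    identity and appends the caller to the list of APIs traversed."""
    claims = verify_jwt(subject_token, audience=actor, now=now)
    if target not in EXCHANGE_POLICY.get(actor, set()):
        raise PermissionError(f"{actor} may not call {target}")
    return sign_jwt({**claims, "aud": target, "chain": claims.get("chain", []) + [actor]})


def rejected(call) -> bool:
    """True when the call is refused; used to show the negative cases."""
    try:
        call()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    t = time.time()
    front = issue_front_token("alice", t)
    to_orders = exchange_token(front, "gateway", "orders", t)
    to_inventory = exchange_token(to_orders, "orders", "inventory", t)
    print(verify_jwt(to_inventory, "inventory", t))                 # sub alice, chain [gateway, orders]
    print(rejected(lambda: verify_jwt(to_orders, "inventory", t)))  # True: the orders token is useless elsewhere
```

The audience check is what turns option #4 into a service-to-service control: a token minted for `orders` is refused by `inventory`, and `inventory` cannot obtain a `payments` token because the policy does not let it, so a compromise of one API no longer gives reach to every network-reachable API with the user's identity.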
Slide 12: And many other options!
Service-to-service authentication / authorization
/ Mutual TLS
/ Client credentials token
/ Self-signed JWT
/ Nested self-signed JWT (see Will Tran's work at https://github.com/william-tran/microxchg2017)
Token validation
/ API gateway (i.e. reverse proxy)
/ Embedded software library (i.e. agent)
/ Micro-gateways
Main difficulties remain
/ Key management to authenticate services / sign tokens
/ Define/maintain/centralize fine-grained access policies
/ By-value JWT / by-reference token
Slide 13: Case studies

Slide 14: Cheese retail company
Slide 15: Cheese retail company
Cheese supermarkets all over France and now a few other countries.
APIs for in-store sales people on mobile devices
• Get or update inventory across branches
• Get special deals in real time
APIs for consumers
• Real-time availability
• Click to collect
• Previous orders and receipts
APIs for Human Resources and Finance
• Mobile HR APIs
• ERP APIs
Speech bubbles: "We now have that goat cheese you loved back in stock!" "This Brie is available in a branch less than 10 km from here!" "Our margin on Époisses is outstanding!" "This branch's sales on Comté are really low." "That smelly Camembert is now 30% off for a limited time!" "This individual will get a 20% raise this year."
Slide 16: Cheese retail company APIs
Diagram: Inventory, HR and ERP domains, each behind its own fence; network isolation and sub-domain isolation.
An architecture based on three levels
/ An API Gateway
  › Checks the token validity
  › Serializes it
/ A "fence" per functional domain
  › Checks user access rights
  › PaaS-based network isolation
  › Domain-to-domain requests must go back through the fences
/ Micro-services
  › Check client access rights
Slide 17: Big Bakery Company
(Speaker note: Not the best picture!)
Slide 18: Big Bakery Company
A well-established trading company in the bread and viennoiserie business.
A classic story of digital transformation
• New varieties of bread and croissant must hit the market before competitors
• Agility to develop new products and means to trade them
APIs first
• Corporate clients do not want to access apps, they also want APIs
• Internal dev teams also want to leverage data and operations through APIs
Strong regulation
• Spoiled pains au chocolat or sandwiches can cause severe health troubles
• Recipes are very valuable assets that mustn't leak
Speech bubbles: "I'll just add a pinch of ginger…" "Let's patch this croissant with almonds!" "/GET this sandwich before it expires or /DELETE it!" "Baguettes as a Service" "I can compose 1815 varieties of donuts now!"
Slide 19: Big Bakery Company
Diagram: network isolation; front APIs using both user and application rights (check app right, check user right); back-end APIs using only the application right; APIs reachable with token 1, token 2 and token 3 respectively.
A very secure & robust architecture in theory
/ Token exchange from front to back
/ Client rights as scopes
/ User rights as a custom claim
But actually not fully leveraged
/ Only the front APIs check the user rights
/ Backend APIs only check the application rights and (implicitly) trust the front APIs to check user rights
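The gap on this slide, as an added example that is not part of the deck: a backend that checks only the application right (the OAuth scope) beside one that also enforces the user right carried in the custom claim. The operation names, scope strings, the `rights` claim name and the two constructed tokens are assumptions for the example; the tokens are taken as already verified by the gateway, so the point is the authorization decision alone.

```python
# Constructed policy for the bakery's recipe API. The application right comes from the
# OAuth scope (granted to the client), the user right from a custom claim in the token.
REQUIRED_SCOPE = {"recipe.read": "recipes:read", "recipe.update": "recipes:write"}
REQUIRED_RIGHT = {"recipe.read": "recipe:viewer", "recipe.update": "recipe:editor"}


def app_right_ok(claims: dict, operation: str) -> bool:
    """Application right: is the calling client allowed this operation at all?"""
    return REQUIRED_SCOPE[operation] in claims.get("scope", "").split()


def user_right_ok(claims: dict, operation: str) -> bool:
    """User right, read from the custom 'rights' claim; a missing claim fails closed."""
    return REQUIRED_RIGHT[operation] in claims.get("rights", [])


def backend_app_only(claims: dict, operation: str) -> bool:
    """The backend as deployed on the slide: checks the application right and trusts
    the front API to have checked the user. Anything that reaches the backend with a
    client token that has the scope gets through, whoever the user is."""
    return app_right_ok(claims, operation)


def backend_app_and_user(claims: dict, operation: str) -> bool:
    """What the architecture already allows: the backend enforces both rights itself,
    so a front API that forgets the user check (or is bypassed) changes nothing."""
    return app_right_ok(claims, operation) and user_right_ok(claims, operation)


# Constructed tokens as handed to the backend after the gateway verified them. The
# internal dev tool client may read and write recipes (application right); bob is only
# a recipe viewer while alice is an editor (user right).
BOB_VIA_DEVTOOL = {"sub": "bob", "client_id": "dev-tool",
                   "scope": "recipes:read recipes:write", "rights": ["recipe:viewer"]}
ALICE_VIA_DEVTOOL = {"sub": "alice", "client_id": "dev-tool",
                     "scope": "recipes:read recipes:write", "rights": ["recipe:editor"]}
BOB_VIA_MOBILE = {"sub": "bob", "client_id": "mobile-app",
                  "scope": "recipes:read", "rights": ["recipe:viewer"]}


def compare(claims: dict, operation: str) -> dict:
    """Decision of both backends for one request, to show where they diverge."""
    return {"app_only": backend_app_only(claims, operation),
            "app_and_user": backend_app_and_user(claims, operation)}


if __name__ == "__main__":
    for who, token in [("bob/dev-tool", BOB_VIA_DEVTOOL), ("alice/dev-tool", ALICE_VIA_DEVTOOL),
                       ("bob/mobile", BOB_VIA_MOBILE)]:
        print(who, "recipe.update", compare(token, "recipe.update"))
```

The divergent case is bob calling the backend through the dev tool: the client's scope covers `recipes:write`, so the application-only backend accepts an update that bob is not entitled to make; the combined check refuses it, and also refuses a token that carries no `rights` claim at all, which is the behaviour to want when a front API is bypassed.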
Slide 20: Wine Company
Slide 21: Wine Company
A utility company for wine. Millions of customers.
Wine as a Service
• Pay-as-you-drink, next bill estimation based on current consumption
Wine advisor
• Suggestions based on previous tastings
• AI-powered advisor
Third-party services integration
• Data sharing with wine amateurs' social networks
Speech bubbles: "With your Tournedos Rossini, I suggest you have a Margaux '62" "I'd say you may very well like a Pommard" "To meet your target budget, you must have 2 more glasses" "Congrats! You just earned the Burgundy Expert badge!"
Slide 22: Utilities – Wine as a Service
Diagram: network isolation; classical services; a micro API Gateway inside each container.
An approach based on point-to-point controls…
/ Using scopes (and a strong scope governance)
/ Using both user and application rights, which allows ensuring traceability
Soon-to-be-in-production: a micro API Gateway
/ Deployed in front of each API, in containers
/ Based on a FOSS module (Apache & mod_auth_openidc)
/ A one-fits-all solution: Java, Ruby, Node.js, etc.
Slide 23: 3 different environments, 3 different solutions
Cheese retail: development agility and feature-team independence → coarse-grained scopes, fine-grained user rights → business domain segregation
Big bakery: very risk-averse environment, required traceability → fine-grained user and application rights → token exchange
Wine company: heterogeneous technologies for API development, unsegmented network → moving to micro-gateways, leveraging CI/CD tools → micro-gateways
Slide 24: A few rules to balance API security design
1. Different contexts will result in different architectures
/ Security requirements
/ Build & deployment automation capabilities
/ Gateway vs. agents vs. micro-gateways
2. Token transmission & scope management will fit most security requirements
/ Secure enough in most cases
/ Relatively easy to implement
3. Consider other options to cover additional security constraints
/ Service-to-service authentication
/ Token exchange or nested self-issued JWTs
Slide 25: There are many available blocks to achieve micro-services security. The main difficulty is to build it without mistakes.
Slide 26: Dou Ohote Raillte!
Slide 27: Contact
wavestone.com, @wavestone_
Bertrand CARLIER, Senior Manager
M +33 (0)6 18 64 42 52, bertrand.carlier@wavestone.com
riskinsight-wavestone.com, @Risk_Insight
securityinsider-solucom.fr, @SecuInsider
Slide 28: Offices
PARIS, LONDON, NEW YORK, HONG KONG, SINGAPORE*, DUBAI*, SAO PAULO*, LUXEMBOURG, MADRID*, MILANO*, BRUSSELS, GENEVA, CASABLANCA, ISTANBUL*, LYON, MARSEILLE, NANTES
* Partnerships