SlideShare a Scribd company logo

Microservices Security Landscape

Download as PPTX, PDF
Prabath Siriwardena
Prabath Siriwardena

Microservices Security Landscape

Education
1 of 35
MICROSERVICES SECURITY LANDSCAPE Prabath Siriwardena Senior Director - Security Architecture prabath@wso2.com | prabath@apache.org
ABOUT ME 2
MICROSERVICES
SOA TO MICROSERVICES ▪ Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some set of capabilities. ▪ A service is an isolated process — and the inter-service communication happens over the network. ▪ Microservices is the SOA done right! ▪ Provides focused, scoped and modular approach for application design. 4
MONOLITHIC 5
MICROSERVICES 6
CHALLENGES ▪ Broader attack surface ▪ Performance ▪ Deployment complexities ▪ Observability ▪ Immutable servers ▪ Sharing user context ▪ Polyglot architecture 7
EDGE SECURITY
9 API GATEWAY PATTERN
10 API GATEWAY PATTERN
OAUTH 2.0 11
12 SELF-CONTAINED ACCESS TOKENS
13
SERVICE TO SERVICE SECURITY
TLS MUTUAL AUTHENTICATION ▪ Each microservice will have its own certificate to prove its identity ▪ How do we provision certificates to each microservice? ▪ How do we deal with certificate revocations? ▪ How do we deal with trust bootstrap? ▪ How do we deal with key rotation? 15
SPIFFE / SPIRE ▪ Secure Production Identity Framework for Everyone. ▪ SPIFFE tries to solve the trust bootstrap problem in a platform agnostic manner. ▪ SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID. E.g.: spiffe://acme.com/billing/payments 16
SPIFFE / SPIRE 17
JWT (JSON WEB TOKEN) ▪ Defines a container to transport data between interested parties. ▪ There are multiple applications of JWT - in OpenID Connect the id_token is represented as a JWT. ▪ Propagate one’s identity between interested parties. ▪ Propagate user entitlements between interested parties. ▪ Transfer data securely between interested parties over a unsecured channel. ▪ Assert one’s identity, given that the recipient of the JWT trusts the asserting party. 18
JWT (JSON WEB TOKEN) eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc4YjRjZjIzNjU2ZGMzOTUzNjRmMWI2YzAyOTA3NjkxZjJjZGZmZTEifQ.ey Jpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTAyMjUxMTU4OTIwMTQ3NzMyIiwiYXpwIjoiODI1 MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbn RlbnQuY29tIiwiZW1haWwiOiJwcmFiYXRoQHdzbzIuY29tIiwiYXRfaGFzaCI6InpmODZ2TnVsc0xCOGdGYXFSd 2R6WWciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXVkIjoiODI1MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21 ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaGQiOiJ3c28yLmNvbSIsImlhdCI6 MTQwMTkwODI3MSwiZXhwIjoxNDAxOTEyMTcxfQ.TVKv-pdyvk2gW8sGsCbsnkqsrS0T- H00xnY6ETkIfgIxfotvFn5IwKm3xyBMpy0FFe0Rb5Ht8AEJV6PdWyxz8rMgX2HROWqSo_RfEfUpBb4iOsq4 W28KftW5H0IA44VmNZ6zU4YTqPSt4TPhyFC9fP2D_Hg7JQozpQRUfbWTJI 19
JWT (JSON WEB TOKEN) 20
21 SELF ISSUED ACCESS TOKENS
22 OAUTH 2.0 TOKEN EXCHANGE
ACCESS CONTROL
POLICY EVALUATION (CENTRAL PDP) 24
POLICY EVALUATION (EMBEDDED PDP) 25
OPEN POLICY AGENT (OPA) ▪ A lightweight general-purpose policy engine that can be co-located with your service. ▪ Can integrate OPA as a sidecar, host-level daemon, or library. ▪ Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka ▪ Netflix is an early adopter of OPA 26
DEPLOYMENT MODELS
DOCKER ▪ Docker (container technology) allows to run multiple services on the same host machine, while not only exposing a different environment to each of them, but also isolating them from each other, similarly to VMs, but with much less overhead. ▪ A process running in a container runs inside the host’s operating system, like all the other processes (unlike VMs, where processes run in separate operating systems). But the process in the container is still isolated from other processes. 28
KUBERNETES ▪ Kubernetes abstracts away the hardware infrastructure and exposes your whole datacenter as a single enormous computational resource. ▪ Allows to easily deploy and manage containerized applications on top of it. ▪ Uses Linux container technologies to provide isolation of running applications. 29
KUBERNETES (PODs) 30
SIDECAR 31
ISTIO 32
SECURITY SIDECAR 33
SERVICE MESH 34 ▪ A decentralized application networking infrastructure between the services that provides, resiliency, security, observability, and routing control. ▪ Comprised of a control plane and a data plane.
THANK YOU wso2.com

Recommended

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Sidechains introduction
Sidechains introductionSidechains introduction
Sidechains introductionLin Lin (Wendy)
 
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)Brod Tech
 
Developers Guide To Blockchain, Bitcoin and Cryptocurrencies
Developers Guide To Blockchain, Bitcoin and CryptocurrenciesDevelopers Guide To Blockchain, Bitcoin and Cryptocurrencies
Developers Guide To Blockchain, Bitcoin and CryptocurrenciesSam Dias
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Scott Brady
 
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!FREE Crypto Guide to EARN passive income online, DONT wait Start Now!
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!Matthew
 
Euklid (1)
Euklid (1)Euklid (1)
Euklid (1)Antonio Simeone
 
Token based-oauth2
Token based-oauth2Token based-oauth2
Token based-oauth2andreyradzkov
 

Recommended

Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security LandscapePrabath Siriwardena
 
Sidechains introduction
Sidechains introductionSidechains introduction
Sidechains introductionLin Lin (Wendy)
 
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)
BrodTech 2021: Blockchain | Mak Muftić (ChainSafe)Brod Tech
 
Developers Guide To Blockchain, Bitcoin and Cryptocurrencies
Developers Guide To Blockchain, Bitcoin and CryptocurrenciesDevelopers Guide To Blockchain, Bitcoin and Cryptocurrencies
Developers Guide To Blockchain, Bitcoin and CryptocurrenciesSam Dias
 
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)
Secure Authorization for your Printer: The OAuth Device Flow (DevSum 2018)Scott Brady
 
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!FREE Crypto Guide to EARN passive income online, DONT wait Start Now!
FREE Crypto Guide to EARN passive income online, DONT wait Start Now!Matthew
 
Euklid (1)
Euklid (1)Euklid (1)
Euklid (1)Antonio Simeone
 
Token based-oauth2
Token based-oauth2Token based-oauth2
Token based-oauth2andreyradzkov
 
Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesRodrigo Cândido da Silva
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureTalk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureWSO2
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
Jwt Security
Jwt SecurityJwt Security
Jwt SecuritySeid Yassin
 
MuleSoft JWT Demystified
MuleSoft JWT DemystifiedMuleSoft JWT Demystified
MuleSoft JWT DemystifiedPatryk Bandurski
 
AtlasCamp 2014: Building a Connect Add-on With Your Own Stack
AtlasCamp 2014: Building a Connect Add-on With Your Own StackAtlasCamp 2014: Building a Connect Add-on With Your Own Stack
AtlasCamp 2014: Building a Connect Add-on With Your Own StackAtlassian
 
Malleability and SegWit
Malleability and SegWitMalleability and SegWit
Malleability and SegWitPandora Boxchain
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakNikhil Kathole
 
Blockchain cryptocurrencies and banking
Blockchain cryptocurrencies and bankingBlockchain cryptocurrencies and banking
Blockchain cryptocurrencies and bankingClémentine Grossetête
 
2018 Lunch & Learn Blockchain Overview
2018 Lunch & Learn Blockchain Overview2018 Lunch & Learn Blockchain Overview
2018 Lunch & Learn Blockchain OverviewPaperchain
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
SECWIT.pptx
SECWIT.pptxSECWIT.pptx
SECWIT.pptxRAJRM2
 
IRJET- Blockchain Technology a Literature Survey
IRJET- Blockchain Technology a Literature SurveyIRJET- Blockchain Technology a Literature Survey
IRJET- Blockchain Technology a Literature SurveyIRJET Journal
 
Public blockchains and municipalities en v1.0_hc
Public blockchains and municipalities en v1.0_hcPublic blockchains and municipalities en v1.0_hc
Public blockchains and municipalities en v1.0_hcHenk van Cann
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking MethodsDavid Barroso
 
Blockchain on Azure
Blockchain on AzureBlockchain on Azure
Blockchain on AzureNuri Cankaya
 
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Codemotion
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...Scott Brady
 
IRJET- Blockchain Technology
IRJET- Blockchain TechnologyIRJET- Blockchain Technology
IRJET- Blockchain TechnologyIRJET Journal
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 

More Related Content

Similar to Microservices Security Landscape

Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesRodrigo Cândido da Silva
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureTalk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureWSO2
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use itSergey Podgornyy
 
AtlasCamp 2014: Building a Connect Add-on With Your Own Stack
AtlasCamp 2014: Building a Connect Add-on With Your Own StackAtlasCamp 2014: Building a Connect Add-on With Your Own Stack
AtlasCamp 2014: Building a Connect Add-on With Your Own StackAtlassian
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakNikhil Kathole
 
2018 Lunch & Learn Blockchain Overview
2018 Lunch & Learn Blockchain Overview2018 Lunch & Learn Blockchain Overview
2018 Lunch & Learn Blockchain OverviewPaperchain
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
SECWIT.pptx
SECWIT.pptxSECWIT.pptx
SECWIT.pptxRAJRM2
 
IRJET- Blockchain Technology a Literature Survey
IRJET- Blockchain Technology a Literature SurveyIRJET- Blockchain Technology a Literature Survey
IRJET- Blockchain Technology a Literature SurveyIRJET Journal
 
Public blockchains and municipalities en v1.0_hc
Public blockchains and municipalities en v1.0_hcPublic blockchains and municipalities en v1.0_hc
Public blockchains and municipalities en v1.0_hcHenk van Cann
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking MethodsDavid Barroso
 
Blockchain on Azure
Blockchain on AzureBlockchain on Azure
Blockchain on AzureNuri Cankaya
 
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Codemotion
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017Matt Raible
 
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...Scott Brady
 
IRJET- Blockchain Technology
IRJET- Blockchain TechnologyIRJET- Blockchain Technology
IRJET- Blockchain TechnologyIRJET Journal
 

Similar to Microservices Security Landscape (20)

Protecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and StrategiesProtecting Java Microservices: Best Practices and Strategies
Protecting Java Microservices: Best Practices and Strategies
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice ArchitectureTalk Microservices to Me: The Role of IAM in Microservice Architecture
Talk Microservices to Me: The Role of IAM in Microservice Architecture
 
OAuth and why you should use it
OAuth and why you should use itOAuth and why you should use it
OAuth and why you should use it
 
Jwt Security
Jwt SecurityJwt Security
Jwt Security
 
MuleSoft JWT Demystified
MuleSoft JWT DemystifiedMuleSoft JWT Demystified
MuleSoft JWT Demystified
 
AtlasCamp 2014: Building a Connect Add-on With Your Own Stack
AtlasCamp 2014: Building a Connect Add-on With Your Own StackAtlasCamp 2014: Building a Connect Add-on With Your Own Stack
AtlasCamp 2014: Building a Connect Add-on With Your Own Stack
 
Malleability and SegWit
Malleability and SegWitMalleability and SegWit
Malleability and SegWit
 
Foreman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with KeycloakForeman Single Sign-On Made Easy with Keycloak
Foreman Single Sign-On Made Easy with Keycloak
 
Blockchain cryptocurrencies and banking
Blockchain cryptocurrencies and bankingBlockchain cryptocurrencies and banking
Blockchain cryptocurrencies and banking
 
2018 Lunch & Learn Blockchain Overview
2018 Lunch & Learn Blockchain Overview2018 Lunch & Learn Blockchain Overview
2018 Lunch & Learn Blockchain Overview
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
 
SECWIT.pptx
SECWIT.pptxSECWIT.pptx
SECWIT.pptx
 
IRJET- Blockchain Technology a Literature Survey
IRJET- Blockchain Technology a Literature SurveyIRJET- Blockchain Technology a Literature Survey
IRJET- Blockchain Technology a Literature Survey
 
Public blockchains and municipalities en v1.0_hc
Public blockchains and municipalities en v1.0_hcPublic blockchains and municipalities en v1.0_hc
Public blockchains and municipalities en v1.0_hc
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
 
Blockchain on Azure
Blockchain on AzureBlockchain on Azure
Blockchain on Azure
 
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
Simone Bronzini - Weaknesses of blockchain applications - Codemotion Milan 2018
 
What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017What the Heck is OAuth and OpenID Connect - RWX 2017
What the Heck is OAuth and OpenID Connect - RWX 2017
 
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
Modern Authentication for ASP.NET Core with IdentityServer 4 (Progressive .NE...
 
IRJET- Blockchain Technology
IRJET- Blockchain TechnologyIRJET- Blockchain Technology
IRJET- Blockchain Technology
 

More from Prabath Siriwardena

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementPrabath Siriwardena
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersPrabath Siriwardena
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application DevelopersPrabath Siriwardena
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & GuidelinesPrabath Siriwardena
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity ManagementPrabath Siriwardena
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Prabath Siriwardena
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusPrabath Siriwardena
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesPrabath Siriwardena
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet IdentityPrabath Siriwardena
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudPrabath Siriwardena
 

More from Prabath Siriwardena (20)

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Identity is Eating the World!
Identity is Eating the World!Identity is Eating the World!
Identity is Eating the World!
 
OAuth 2.0 Threat Landscape
OAuth 2.0 Threat LandscapeOAuth 2.0 Threat Landscape
OAuth 2.0 Threat Landscape
 
GDPR for Identity Architects
GDPR for Identity ArchitectsGDPR for Identity Architects
GDPR for Identity Architects
 
Blockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access ManagementBlockchain-based Solutions for Identity & Access Management
Blockchain-based Solutions for Identity & Access Management
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
OAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App DevelopersOAuth 2.0 for Web and Native (Mobile) App Developers
OAuth 2.0 for Web and Native (Mobile) App Developers
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
API Security Best Practices & Guidelines
API Security Best Practices & GuidelinesAPI Security Best Practices & Guidelines
API Security Best Practices & Guidelines
 
Open Standards in Identity Management
Open Standards in Identity ManagementOpen Standards in Identity Management
Open Standards in Identity Management
 
Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0Securing Single-Page Applications with OAuth 2.0
Securing Single-Page Applications with OAuth 2.0
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
Connected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity BusConnected Identity : The Role of the Identity Bus
Connected Identity : The Role of the Identity Bus
 
Connected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & ChallengesConnected Identity : Benefits, Risks & Challenges
Connected Identity : Benefits, Risks & Challenges
 
The Evolution of Internet Identity
The Evolution of Internet IdentityThe Evolution of Internet Identity
The Evolution of Internet Identity
 
Next-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and CloudNext-Gen Apps with IoT and Cloud
Next-Gen Apps with IoT and Cloud
 
Securing Insecure
Securing InsecureSecuring Insecure
Securing Insecure
 
Evolution of Internet Identity
Evolution of Internet IdentityEvolution of Internet Identity
Evolution of Internet Identity
 

Recently uploaded

Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 

Recently uploaded (20)

Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 

Microservices Security Landscape

  • 1. MICROSERVICES SECURITY LANDSCAPE Prabath Siriwardena Senior Director - Security Architecture prabath@wso2.com | prabath@apache.org
  • 4. SOA TO MICROSERVICES ▪ Service Oriented Architecture (SOA) is a design approach where multiple services collaborate to provide some set of capabilities. ▪ A service is an isolated process — and the inter-service communication happens over the network. ▪ Microservices is the SOA done right! ▪ Provides focused, scoped and modular approach for application design. 4
  • 7. CHALLENGES ▪ Broader attack surface ▪ Performance ▪ Deployment complexities ▪ Observability ▪ Immutable servers ▪ Sharing user context ▪ Polyglot architecture 7
  • 13. 13
  • 14. SERVICE TO SERVICE SECURITY
  • 15. TLS MUTUAL AUTHENTICATION ▪ Each microservice will have its own certificate to prove its identity ▪ How do we provision certificates to each microservice? ▪ How do we deal with certificate revocations? ▪ How do we deal with trust bootstrap? ▪ How do we deal with key rotation? 15
  • 16. SPIFFE / SPIRE ▪ Secure Production Identity Framework for Everyone. ▪ SPIFFE tries to solve the trust bootstrap problem in a platform agnostic manner. ▪ SPIFFE provides an identity to each workload in a microservices deployment, which is known as the SPIFFE ID. E.g.: spiffe://acme.com/billing/payments 16
  • 18. JWT (JSON WEB TOKEN) ▪ Defines a container to transport data between interested parties. ▪ There are multiple applications of JWT - in OpenID Connect the id_token is represented as a JWT. ▪ Propagate one’s identity between interested parties. ▪ Propagate user entitlements between interested parties. ▪ Transfer data securely between interested parties over a unsecured channel. ▪ Assert one’s identity, given that the recipient of the JWT trusts the asserting party. 18
  • 19. JWT (JSON WEB TOKEN) eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc4YjRjZjIzNjU2ZGMzOTUzNjRmMWI2YzAyOTA3NjkxZjJjZGZmZTEifQ.ey Jpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTAyMjUxMTU4OTIwMTQ3NzMyIiwiYXpwIjoiODI1 MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbn RlbnQuY29tIiwiZW1haWwiOiJwcmFiYXRoQHdzbzIuY29tIiwiYXRfaGFzaCI6InpmODZ2TnVsc0xCOGdGYXFSd 2R6WWciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXVkIjoiODI1MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21 ucDRzcXY3ZXJodTEyMTFzLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaGQiOiJ3c28yLmNvbSIsImlhdCI6 MTQwMTkwODI3MSwiZXhwIjoxNDAxOTEyMTcxfQ.TVKv-pdyvk2gW8sGsCbsnkqsrS0T- H00xnY6ETkIfgIxfotvFn5IwKm3xyBMpy0FFe0Rb5Ht8AEJV6PdWyxz8rMgX2HROWqSo_RfEfUpBb4iOsq4 W28KftW5H0IA44VmNZ6zU4YTqPSt4TPhyFC9fP2D_Hg7JQozpQRUfbWTJI 19
  • 20. JWT (JSON WEB TOKEN) 20
  • 26. OPEN POLICY AGENT (OPA) ▪ A lightweight general-purpose policy engine that can be co-located with your service. ▪ Can integrate OPA as a sidecar, host-level daemon, or library. ▪ Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka ▪ Netflix is an early adopter of OPA 26
  • 28. DOCKER ▪ Docker (container technology) allows to run multiple services on the same host machine, while not only exposing a different environment to each of them, but also isolating them from each other, similarly to VMs, but with much less overhead. ▪ A process running in a container runs inside the host’s operating system, like all the other processes (unlike VMs, where processes run in separate operating systems). But the process in the container is still isolated from other processes. 28
  • 29. KUBERNETES ▪ Kubernetes abstracts away the hardware infrastructure and exposes your whole datacenter as a single enormous computational resource. ▪ Allows to easily deploy and manage containerized applications on top of it. ▪ Uses Linux container technologies to provide isolation of running applications. 29
  • 34. SERVICE MESH 34 ▪ A decentralized application networking infrastructure between the services that provides, resiliency, security, observability, and routing control. ▪ Comprised of a control plane and a data plane.