Microservices Security Landscape
prabath@wso2.com | prabath@apache.org
ABOUT ME
▪ https://github.com/prabath/me | Twitter: prabath
Monolithic
Microservices
Challenges
● Broader attack surface
● Performance
● Deployment complexities
● Observability
● Sharing user context
● Polyglot architecture
Gateway Pattern at the Edge
OAUTH 2.0
AUTHORIZATION CODE GRANT TYPE
Gateway Pattern at the Edge
Service to Service Security: Trust the Network
Service to Service Security: Mutual TLS
Service to Service Security: Mutual TLS + Shared JWT
Service to Service Security: Mutual TLS + JWT (Token Exchange)
Service to Service Security: Mutual TLS + JWT (Proxy)
Service to Service Security: Data Plane
Service to Service Security: Control Plane
Service to Service Security: Authorization, Embedded PDP / Call Home
Authorization: Open Policy Agent (OPA)
● A lightweight general-purpose policy engine that can be co-located with your service
● Policies are written in Rego
● Can integrate OPA as a sidecar, host-level daemon, or library
● Integrated with Spring, Service Mesh implementations (Istio, Linkerd), Kafka
https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/
● Netflix is an early adopter of OPA
Service Mesh
Service Mesh: Istio
Service Mesh: SPIFFE ~ Trust Bootstrap
Zero Trust Network Principles
● The network is hostile, do not trust it!
● Zero Trust is not about making a system trusted, but instead about eliminating trust on the network
● IP addresses and location are no longer practical to establish sufficient trust for network access
Zero Trust Network Practices
● Keep security enforcement points as close as possible to the resources
● Avoid using bearer tokens
● Follow least privilege principle
● Do contextual access control and make access control decisions near real-time
● Automation
● Distributed tracing and monitoring
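The "Mutual TLS + JWT" slides and the practice "avoid using bearer tokens" meet in certificate-bound tokens (RFC 8705): the token service writes the SHA-256 thumbprint of the caller's client certificate into the JWT's cnf claim, and the receiving service checks that thumbprint against the certificate actually presented on the mTLS connection, so a copied token is useless without the matching private key. The example below is added here and is not from the slides; it assumes a constructed HS256 shared key, constructed certificate bytes standing in for real DER, and hypothetical service names.

```python
import base64, hashlib, hmac, json, time

# Assumption: an HS256 key shared between the STS that mints tokens and the
# verifying service (constructed demo value; a real STS would sign with RS256/ES256).
SHARED_KEY = b"constructed-demo-key"

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def cert_thumbprint(cert_der: bytes) -> str:
    # x5t#S256 (RFC 8705): base64url(SHA-256(DER of the client certificate))
    return _b64u(hashlib.sha256(cert_der).digest())

def mint_bound_jwt(claims: dict, cert_der: bytes, key: bytes = SHARED_KEY) -> str:
    # The STS binds the token to the caller's mTLS certificate through the cnf claim.
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    bound = dict(claims, cnf={"x5t#S256": cert_thumbprint(cert_der)})
    payload = _b64u(json.dumps(bound).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def verify_bound_jwt(token, presented_cert_der, audience, key=SHARED_KEY, now=None):
    # Returns (accepted, reason). A stolen token replayed over a different mTLS
    # session fails at "cert-mismatch": the token is no longer a bearer credential.
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(_unb64u(h)), _unb64u(s)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # no alg=none
        return False, "alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    claims = json.loads(_unb64u(p))  # parsed only after the signature is verified
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "expired"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience"
    bound = claims.get("cnf", {}).get("x5t#S256", "")
    if not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        return False, "cert-mismatch"
    return True, "ok"

# Constructed stand-ins for the DER client certificates the mTLS layer presents.
ORDER_SVC_CERT = b"constructed DER: order-service"
OTHER_WORKLOAD_CERT = b"constructed DER: some other workload"
```

In a real deployment the DER bytes come from the peer certificate of the TLS session (for example `ssl.SSLSocket.getpeercert(binary_form=True)`), and the check runs inside the service or its sidecar, which is exactly the "enforcement point close to the resource" practice.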
End-to-End Flow