Microservices security CSA meetup ppt 10_21_2015_v2-2

Posted on 21-Jan-2017



MICRO-SERVICES SECURITY

Aamir Salaam

Presentation on: Oct 21, 2015 @ Cloud Security Alliance Meetup

Aamir Salaam – SOA Architect

1. Qualifications:

• MBA – Entrepreneurship, Santa Clara University

• MS – Computer Science, Golden Gate University

• BS – Computer Science, India

• Stanford University – Advanced Computer Security

2. Experiences:

• 18 yrs total – B2B & B2C Startups; Cisco Systems

• 10+ yrs Software Architecture, EA – Cisco Systems, Services

• SOA / microservices / APIs / API Management

Agenda

1. Overview of Microservices

2. Key Patterns

3. Security

4. Q & A

What are Microservices?

From book titled “Building Microservices” by Sam Newman:

“Microservices are small, autonomous services that work together”

What are Microservices?

1. Small and Focused on Doing One Thing Well:

• Codebases grow large quickly, and similar functions end up dispersed across them

• Focus on business boundaries

• How small is small? Focus on services aligned to team structures

2. Autonomous:

• Isolated service deployed on a PaaS (Platform as a Service)

• Inter-service communication via network calls

• Exposed through APIs

Microservices Benefits

1. Technology Heterogeneity

2. Resilience

3. Scaling

4. Ease of Deployment

5. Organizational Alignment

6. Composability

7. Optimizing for Replaceability

Key Design Patterns

1. Aggregator / Proxy

2. Chained

3. Async Messaging

and more …

Proxy Microservices Pattern

Chained Microservices Pattern

Asynchronous Microservices Pattern

Microservices Security

Service-to-Service Authentication and Authorization

• Basic Authentication over HTTPS (credentials are only Base64-encoded; never send them over plain HTTP)

• SAML or OpenID Connect

• Client Certificates (mutual TLS; each service proves its identity with its own certificate)

• HMAC over HTTP (requests signed with a shared secret: integrity and authenticity, but no confidentiality on its own)

• API Key (identifies the caller; treat it as a secret and send it only over TLS)
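The "HMAC over HTTP" option above, worked through as an added example (not code from the slides). Caller and callee share a secret (a constructed constant here; in practice a per-client key from a secrets store). The caller signs a canonical string covering method, path, timestamp and a hash of the body; the callee recomputes the MAC, compares it in constant time and rejects stale timestamps to bound replay. The paths, body and timestamps are constructed for the demo.

```python
"""HMAC request signing between two microservices (added example)."""
import hashlib
import hmac
import time
from typing import Dict, Optional

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed for the demo
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Deterministic representation of the request that both sides agree on."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 now: Optional[int] = None) -> Dict[str, str]:
    """Caller side: returns the headers to attach to the outgoing request."""
    ts = str(int(time.time()) if now is None else now)
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: Dict[str, str], now: Optional[int] = None) -> bool:
    """Callee side: True only if the signature matches and the timestamp is fresh."""
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if ts is None or sig is None or not ts.isdigit():
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return False  # too old (or from the future): likely a replay or clock problem
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, sig)


def demo() -> Dict[str, bool]:
    """Constructed exchange: one good request, then the failure cases a callee must catch."""
    body = b'{"customer": "acme"}'
    headers = sign_request(SHARED_SECRET, "GET", "/advisories", body, now=1_700_000_000)
    return {
        "valid": verify_request(SHARED_SECRET, "GET", "/advisories", body, headers, now=1_700_000_100),
        "tampered_body": verify_request(SHARED_SECRET, "GET", "/advisories",
                                        b'{"customer": "evil"}', headers, now=1_700_000_100),
        "replayed_late": verify_request(SHARED_SECRET, "GET", "/advisories", body, headers, now=1_700_001_000),
        "wrong_key": verify_request(b"some-other-secret", "GET", "/advisories", body, headers, now=1_700_000_100),
    }


if __name__ == "__main__":
    print(demo())
```

Production schemes such as AWS Signature Version 4 also fold the query string and selected headers into the canonical string and add a nonce so that a request cannot be replayed even inside the time window; the structure is the same as above.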

Use Case

e.g. vulnerableProducts | customer --names | advisorydetails -u (services composed in Unix-pipe style: the output of one service feeds the next)

Deployment

Microservices Principles

Source: “Building Microservices” by Sam Newman, p. 248

Wrap-Up

1. Microservices are small, autonomous services focused on doing one thing well

2. Proxy, Chained, Async Microservices Patterns

3. Service-to-service security mostly via the OAuth 2.0 Client Credentials flow (the calling service authenticates with its own client_id and client_secret; no end user is involved)
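The Client Credentials flow named in the wrap-up, as an added example that is not part of the original slides. All three roles run in one process: the calling service posts its client_id/client_secret to the token endpoint, the authorization server checks them against a registry of hashed secrets and mints an HS256 JWT limited to the scopes that client is allowed, and the resource service verifies signature, algorithm, audience, expiry and scope before serving. The client registry, signing key, service names and scopes are constructed for the demo.

```python
"""OAuth 2.0 Client Credentials flow between microservices, in miniature (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Authorization-server state (constructed). Client secrets are stored hashed, never in the clear.
_AS_SIGNING_KEY = b"constructed-authorization-server-key"
_CLIENTS = {
    "advisory-service": {
        "secret_sha256": hashlib.sha256(b"s3cret-advisory").hexdigest(),
        "allowed_scopes": {"customers:read"},
    },
}
AUDIENCE = "customer-service"   # the resource service tokens are minted for
TOKEN_TTL = 600                 # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_endpoint(form: Dict[str, str], now: Optional[int] = None) -> Dict[str, object]:
    """Authorization server: handles POST /token with grant_type=client_credentials."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = _CLIENTS.get(form.get("client_id", ""))
    presented = hashlib.sha256(form.get("client_secret", "").encode()).hexdigest()
    if client is None or not hmac.compare_digest(client["secret_sha256"], presented):
        return {"error": "invalid_client"}
    requested = set(form.get("scope", "").split())
    if not requested <= client["allowed_scopes"]:
        return {"error": "invalid_scope"}   # a client cannot ask for more than it was registered with
    iat = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "auth-server", "sub": form["client_id"], "aud": AUDIENCE,
              "iat": iat, "exp": iat + TOKEN_TTL, "scope": " ".join(sorted(requested))}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(_AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return {"access_token": f"{signing_input}.{_b64url(sig)}", "token_type": "Bearer", "expires_in": TOKEN_TTL}


def verify_bearer(token: str, required_scope: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource service: returns the claims if the bearer token is acceptable, else None."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        sig = _b64url_decode(s64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":   # pin the algorithm; the token does not get to choose it
        return None
    expected = hmac.new(_AS_SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    current = int(time.time()) if now is None else now
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= current:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


def demo() -> Dict[str, object]:
    """Constructed exchange: a good token request, rejected requests, and resource-side checks."""
    now = 1_700_000_000
    good = {"grant_type": "client_credentials", "client_id": "advisory-service",
            "client_secret": "s3cret-advisory", "scope": "customers:read"}
    issued = token_endpoint(good, now=now)
    bad_secret = token_endpoint(dict(good, client_secret="wrong"), now=now)
    over_scope = token_endpoint(dict(good, scope="customers:read customers:write"), now=now)
    tok = str(issued["access_token"])
    # Forgery attempt: edit the claims to add a scope but keep the original signature.
    h64, c64, s64 = tok.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["scope"] = "customers:write"
    forged = f"{h64}.{_b64url(json.dumps(claims).encode())}.{s64}"
    return {
        "issued": "access_token" in issued,
        "bad_secret": bad_secret.get("error"),
        "over_scope": over_scope.get("error"),
        "accepted": verify_bearer(tok, "customers:read", now=now + 60) is not None,
        "wrong_scope": verify_bearer(tok, "customers:write", now=now + 60) is None,
        "expired": verify_bearer(tok, "customers:read", now=now + TOKEN_TTL) is None,
        "forged": verify_bearer(forged, "customers:write", now=now + 60) is None,
    }


if __name__ == "__main__":
    print(demo())
```

HS256 is used here so the example stays self-contained; it means every resource service must hold the same key the authorization server signs with. In a real deployment an asymmetric algorithm (RS256 or ES256) with the public keys published over JWKS lets resource services verify tokens without being able to mint them.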