Securing Microservices APIs summary

This is a summary of the O’Reilly book Securing Microservices APIs by Matt McLarty, Rob Wilson, and Scott Morrison.


Microservices architecture was popularized by Martin Fowler in 2014 and describes a architecture pattern consisting of:

  • Service Orientation
  • Independent deployability and managability
  • Ephemerality and elasticity

Most of the time, APIs are used as the interface between micro services. Access control for these APIs should be thought of using the IAAA model:

  • Identification
  • Authentication
  • Authorization
  • Accountability (audit)

Access Control for Microservices

The following controls are techniques for micro services:

  • Network:
    • Localhost isolation – explicit whitelisting for your hosts
    • Network Segmentation – aka breaking your network up into smaller networks. (i.e. separate physical networks, VPNs, or tunnels)
    • SSL/TLS end to end – everybody should use it even though it is expensive
    • SPIFFE (Sunil James’ company) is open source project that defines a new kind of x.509 cert (called an SVID) that makes it easier to assert identity for micro services. If I understand it correctly, service permissions can be defined within the SVID and the SVIDs can be verified independently. Perhaps a VPN definition in a document
  • Application layer:
    • Web Tokens – easy but easily hijacked
    • SAML – good but locked to a single app (Can’t delegate access between apps)
    • API Keys – easy but can be sniffed
    • OAuth2.0 – excellent but relies on a handshake between resources owners which may not work with micro services where there are lots of different services that are in a chain
    • OpenID connect – builds on OAuth by establishing identity (on top of OAuth’s authentication focus)
    • JWT – JSON Web Token still new
  • Infrastructure
    • Proxies/Gateways
    • Network Overlays
    • Pass specific services:
      • Kubernetes – service accounts
      • Cloud Foundry – router aka gorouter
      • AWS – AWS IAM (this API is what’s been getting exploited)
  • Service Meshes
    • Control plane for microservices
    • Envoy, Istio, Envoy
    • Istio uses SPIFFE as a standard
  • Serverles

Best Practices / Patterns

  • DHARMA – (Domain hierarchy access regulation for Microservices Architecture). Basically this seems like an services viewpoint of VPNs. You create private “zones” of trust and place various Microservices into each of them with specific entries/exits
  • Implementing DHARMA is hard, as there are lots of little details about how each zone communicates with other zones, how authorization works, access control, and identity.