Colby Dyess | April 28, 2022
Improving Microservices Security: Applying Zero Trust Principles to Microservices Architectures
Microservices architectures enable developers to accelerate application delivery, but they also introduce new cybersecurity challenges—most notably, a much broader attack surface. Traditional, perimeter-oriented security tools are incapable of addressing the challenges of microservices security, but Zero Trust Network Access (ZTNA) is up to the task.
DevOps and DevSecOps have created controlled, easily deployable, secure and automated development-to-production processes that allow software updates multiple times per day with less risk.
When deploying applications on cloud infrastructure, APIs and automation let developers install, test and deploy microservice workloads to production, or roll back the latest code change, by describing the environment declaratively (known as infrastructure as code). This provides fast feedback to developers and greatly improves software development efficiency.
Microservices security challenges
However, this efficiency brings microservices security complications. Applications built on a microservices architecture are more complex and more exposed than their monolithic counterparts. That, together with the many APIs needed for communication between microservices, greatly expands the attack surface and makes a coherent microservices security strategy harder to define and enforce.
Traditional network security concepts translate poorly to the cloud and to cloud native security architectures. Built-in cloud controls such as security groups and container service meshes may suffice for simple applications, but they lose their power as soon as connections cross regions, clouds or technology stacks. Likewise, traditional approaches such as network ACLs that filter IP addresses over intercloud connectivity (SD-WAN/IPSEC/MPLS) are poorly suited to ephemeral workloads whose IP addresses change constantly, or to multiple services sharing the same cluster IP.
Because the Zero Trust security paradigm does away with the notion of a perimeter—assuming instead that all actors, systems and services cannot be trusted—enforcing Zero Trust access offers an answer to the problems of microservices security and overall cloud native security architectures.
Improve microservices security with Zero Trust Network Access
Creating cloud native security architectures and microservices security strategies requires implementing API security in conjunction with authentication and access controls to secure the microservices themselves and connections between them.
Zero Trust principles meet these needs through a combination of measures that harden microservices security and cloud native security architectures:
- Reducing your attack surface
By making all internet-facing microservices APIs invisible to unauthenticated and unauthorized users or services, you can dramatically reduce the surface available for attackers to launch intrusions. One way to cloak your infrastructure is to use single packet authorization (SPA), which employs proven cryptographic techniques to make internet-facing assets invisible to unauthorized users or services. Only requesters that have been seeded with the cryptographic secret will be able to generate a valid SPA packet, which is used to “knock” on the receiving port—and only at this point does the asset become visible and the user or service is able to establish a network connection.
- Verifying identity and context
In cloud environments and cloud native security architectures, moving beyond IP-based access or simple username and password combinations is essential. A Zero Trust approach should employ identity-centric security that adapts access based on a multidimensional profile that incorporates a range of factors (e.g., user/service, device, application, contextual risk, location, etc.). This alternative replaces easily bypassed identity controls and cumbersome access lists and unifies user-to-service and service-to-service access into a single policy model—simplifying management and accelerating the power and agility of your Continuous Integration and Continuous Deployment (CI/CD) pipeline while improving your microservices security approach.
- Enforcing least privilege access
Least privilege access is essential to reduce your attack surface, limit your exposure and minimize an attacker’s opportunity to move laterally within your environment should they succeed in gaining access. Importantly, take care to consider both user-to-service and service-to-service access (within and across cloud environments). Microperimeters are an effective approach for enforcing least privilege access. This technique, also called microsegmentation, builds individual just-in-time session-based “segments of one” to provide fine-grained access to and between cloud workloads and microservices—effectively limiting lateral movement for microservices security without compromising DevSecOps agility.
- Continuously assessing risk
The dynamism of cloud environments demands continuous risk assessment to keep up with ever-changing context and entitlements, especially when tackling microservices security. To implement Zero Trust, you should automatically modify access in near real-time based on environment changes in context and risk, rather than assuming that an access request should be granted now just because it was granted previously. It’s also important to contribute to the feedback loop that enables continuous assessment through detailed logging; these logs also simplify audits and investigations.
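As an added illustration of the single packet authorization mechanism described under "Reducing your attack surface" above (example code written for this article, not Appgate SDP's implementation or wire format), the following Python shows a client building a knock packet from a seeded shared secret and a gateway that keeps the protected port invisible until a valid, fresh, non-replayed knock arrives. The packet layout, field sizes, 30-second validity window and 10-second visibility TTL are assumptions chosen for the example.

```python
import hashlib, hmac, secrets, struct, time

# Constructed layout (not Appgate SDP's wire format):
#   client_id (16 B) | timestamp (8 B, big-endian seconds) | nonce (16 B) | HMAC-SHA256 tag (32 B)
CLIENT_ID_LEN, TS_LEN, NONCE_LEN, TAG_LEN = 16, 8, 16, 32
PACKET_LEN = CLIENT_ID_LEN + TS_LEN + NONCE_LEN + TAG_LEN
MAX_SKEW = 30        # seconds a knock remains valid; bounds how long a captured packet is useful
VISIBILITY_TTL = 10  # seconds the port stays exposed to a client after its valid knock


def build_spa_packet(secret, client_id, now=None):
    """Client side: only a requester seeded with `secret` can produce a valid tag."""
    ts = int(time.time() if now is None else now)
    body = client_id + struct.pack(">Q", ts) + secrets.token_bytes(NONCE_LEN)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


class SpaGateway:
    """Server side: the protected port is invisible until a valid knock arrives."""

    def __init__(self, secrets_by_client):
        self.secrets = dict(secrets_by_client)  # 16-byte client_id -> seeded shared secret
        self.seen_nonces = set()  # replay cache; a real gateway would expire entries after MAX_SKEW
        self.open_until = {}      # client_id -> expiry of its just-in-time "segment of one"

    def knock(self, packet, now=None):
        """Validate one knock; on success expose the port to that client for VISIBILITY_TTL."""
        now = time.time() if now is None else now
        if len(packet) != PACKET_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        cid = body[:CLIENT_ID_LEN]
        secret = self.secrets.get(cid)
        if secret is None:
            return False
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time check before trusting any field
            return False
        ts = struct.unpack(">Q", body[CLIENT_ID_LEN:CLIENT_ID_LEN + TS_LEN])[0]
        nonce = body[CLIENT_ID_LEN + TS_LEN:]
        if abs(now - ts) > MAX_SKEW or nonce in self.seen_nonces:  # stale or replayed knock
            return False
        self.seen_nonces.add(nonce)
        self.open_until[cid] = now + VISIBILITY_TTL
        return True

    def is_visible_to(self, client_id, now=None):
        """Anyone else sees a closed port; a valid knocker sees it until its TTL lapses."""
        now = time.time() if now is None else now
        return self.open_until.get(client_id, 0) > now
```

Because the tag is verified before any field is acted on and each nonce is accepted once, a captured knock cannot be replayed and an unseeded peer never learns the port is there.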
Enabling DevOps and DevSecOps and microservices security with Zero Trust Network Access
When it comes to microservices security, Zero Trust access tools enable DevOps and DevSecOps agility. With a Zero Trust Network Access (ZTNA) solution, there aren’t additional hoops for developers to jump through—they can seamlessly access their resources every time, regardless of their location—and, in some cases, automation can be triggered by tickets that produce policy assignments, so the right access is given to the right team once the ticket is approved.
The largest ZTNA deployments have been proven to work with hundreds of thousands of users while achieving ultralow latency and linearly scalable bandwidth, driven by autoscaling and stateless architectures that support microservices security. ZTNA also has an established track record of delivering secure access for any type of infrastructure, allowing you to use a single solution to enforce Zero Trust principles across your hybrid environments, from on-premises applications to cloud-native workloads running on microservices architectures in public clouds.
Improving microservices security with Zero Trust access
Appgate SDP, an industry-leading ZTNA solution, enhances and integrates with your technology stack and allows you to build security directly into the fabric of your business processes and workflows.
The extensible, 100% API-first technology enforces granular, secure access and allows you to build microservices security into your CI/CD pipelines by enforcing Zero Trust for any user, any device and any workload.
To learn more about microservices security and cloud native security architectures, visit our Zero Trust for Cloud resources hub.
Additional microservices security resources
- Microservices security podcast: Zero Trust for a Cloudy, K8s, DevOps World
- Cloud Protection: Build a Secure Cloud Network Using Zero Trust
- Secure DevOps Workloads in the Cloud
- What’s Ahead for Cloud Security and Hybrid Work in 2022?
- Microservices Security: Appgate Announces Cloud-Native Zero Trust for Kubernetes Workloads