Do you remember how it felt to get your first email account? Not only were you able to communicate with multiple people in a fast and efficient manner, it also gave you an online identity you could use to access a wide range of services. As time progressed, though, you became increasingly aware of email’s downsides, which range from spam to malware attacks. Email illustrates a common pattern where any new technology goes from amazing to scary in a relatively short amount of time.
A few years ago, microservices were a hot new idea that took the pain out of building cloud-based, distributed applications. Specifically, microservices architectures enabled organizations to decompose their monolithic applications into compact, performant, and highly durable distributed software.
But there’s also a downside to microservices. When it comes to security, many of their benefits are potential weaknesses. For a start, the fact that microservices are small, widely distributed, and highly redundant means that you end up creating them in large numbers. Each time you create a new service or make copies of an existing one, you’re increasing the number of entities that require protection. Furthermore, you will need to ensure that you either deploy new microservices, or make changes to existing ones so that their underlying application code does not introduce new risks.
In addition to exploiting application code, attackers can take advantage of misconfigurations, infrastructure vulnerabilities, and valid accounts. This means that you also need to reduce the attack surface in the infrastructure layer. Unlike email, which has been around forever, the relative newness of microservices means that many organizations do not have clearly defined microservice security policies. Microservices are highly dependent on networking and supporting infrastructure, and if these are not secure, your microservices are also vulnerable. Finally, migrating compute resources to the cloud and accessing them via the public internet can result in exposing them to bad actors.
Despite the multiple challenges involved in trying to secure your microservices, help is at hand, and we will show you how you can create a secure environment for managing and deploying microservices. We’ll cover the principles and strategies involved in deploying secure microservices, key practices for getting started, and practical recommendations for ensuring that your microservices stay secure.
Basic Principles and Strategy
The first principle of microservices security is to know what microservices exist within your organization and how they are being used. But there are many other principles and strategies to consider as you employ microservices.
As a first step, you should consult with your organization’s stakeholders to understand the commercial and operational considerations for choosing microservices, as well as how to deliver value to your business and its customers. Specifically, you should discuss these matters with your development and operational teams.
Once you have a clear idea of which microservices exist, and how they are being used, your next step is to find out who is using them, and what they are using them for. This process will help you locate potential entry points and weak spots in your environment.
To do this, compile a list of all your personnel, suppliers, customers, and other external users. As part of the process, you should check the type of data they need to access and the system privileges they were granted in order to access it. Be sure to monitor your services, so you can track which of your internal systems interface with your microservices, and which external systems communicate with them.
Implement Secure DevOps
You’ll also need to combine analysis and tech with effective practices. Adopting secure DevOps will provide an extra level of security.
DevOps is the combination of development and operations into one process that handles the entire software delivery, deployment, and maintenance through a single seamless pipeline. This pipeline is built through a range of practices and is assisted by a variety of tools and the widespread adoption of automation.
Secure DevOps builds on the DevOps approach and integrates digital security into the mix. By migrating to secure DevOps you can ensure that security testing of your microservices is performed by your developers. This increases the likelihood that the security-related issues any single developer discovers will be quickly fixed, tested, and merged into your production builds. This will not only save you time and money, but also make your microservices code far more secure. If you have not joined the DevOps revolution, securing your microservices is a great way to get started.
Review Access and Policies
For each system you use, review the level of access, as well as the type of actions they are allowed to perform. You should also review the relevant internal IT security systems and policies, as well as those of the hosting services and cloud providers you use to run your service. This should be accompanied by an extensive review of your organization’s policies for data management, persistence, and retention. As part of this step, pay special attention to suspicious requests to sensitive systems and unusually high levels of network activity, such as mining of crypto currencies. These are both indicators of bad actors accessing your microservices.
When you have this information, you will use it to prioritize the security requirements of each microservice based on the sensitivity of the information it handles and the type of damage these services could inflict if misused. This will enable you to judge the relative importance of each service and how essential it is for the health and functioning of your company. Once you have a complete picture of your operational environment, and know the type of threats you are facing, you can plan for the short, medium, and long term.
When you have a clear picture of your environment and the potential vulnerabilities you face, you can start to implement practices and preventive measures to deal with them. At their core, microservices are very small, highly targeted applications that run on the same hardware and operating systems as traditional software. This means that many of the steps you need to secure your microservices are similar to, or the same as, those you would apply to your existing systems and server hardware.
As with most forms of network security, the first thing you should do is implement effective access control. This system will be responsible for authenticating users and will enable them to securely request data or perform other actions.
The system should use industry standards for identity management protocols, such as OAuth/OAuth2, and/or security tokens, such as JSON Web Tokens (JWT). An important requirement for your access control and identity management system is that you choose a single system that centralizes the entire process using a consistent rule set.
Most authentication systems use some form of encryption to ensure that user credentials are not exposed as plain text. Once you have an encryption infrastructure in place, you can use it for more than managing identity and access control. You can also use encryption to protect all user requests, system messages, and any data passed by and through your microservices and other entities.
After you have an access control system in place, turn your attention to your organization’s computing and networking infrastructure. As a first step, you should check that physical computing resources are not connected to the public internet. Second, as much as possible, your virtual machines and/or containers should not be hosted on public networks or accessible from them. By reducing your public profile, you are lowering the potential attack surface that bad actors can exploit.
If you are using a cloud provider such as Amazon Web Services (AWS), make sure you’re not using their default, lowest-level security settings and that you have policies that match your organization’s threat profile. If you are using containers, consider using a security scanner that checks for vulnerabilities and locates vulnerabilities in your deployed code. Intezer Protect detects vulnerable packages and misconfigurations at runtime.
You can also augment scanning with a network monitoring system that can detect abnormalities or issues that could be exploited by external sources. These anomalies include malware, misconfigurations, software vulnerabilities, stolen/leaked credentials, backdoors in the supply chain, and legitimate admin tools used by attackers to conduct attacks.
Unauthorized code or applications running in your production environment are indicative of attacks occurring in runtime. Intezer Protect is designed to shield your deployed workloads in the cloud and in containerized environments from unauthorized and malicious code. Intezer Protect detects in-memory threats and suspicious shell commands embedded in your software. It then allows you to terminate the processes and applications that run them.
Securing Your Code
When it comes to your application development environment, you should ensure that your source code does not include hard-coded credentials or security tokens. This step is important if your code is available through a company-wide source management system, or if you have made code available as part of an open-source project. You can ensure that your systems communicate with each other and client devices by using secure protocols, such as HTTPS. If you provide publicly accessible API endpoints, be sure to manage these through a secure API gateway.
Your applications should serialize and deserialize data as securely as possible. As with user authentication, applications should make extensive use of encryption. Note that it is important to use encryption standards, such as AES, RSA, or 3DES, and trusted libraries, rather than trying to write your own.
If your developers are using external dependencies such as open-source code, third-party libraries, or package-management systems such as NPM, PiP, or AppGet, you should compile a list of approved resources. You can also deploy a system that scans application source code for vulnerabilities and insecure dependencies. This scanning process can be integrated into your build system and CI/CD pipeline.
Delivering and Deploying Secure Microservices
Microservices are an increasingly popular tool for building and deploying scalable, cloud-based distributed applications. Among the reasons that microservice architectures are becoming more popular than monolithic applications is that they’re easier to build, cheaper to create and maintain, and simpler to deploy. Their rising popularity and obvious benefits make it easy to overlook their potential weaknesses and security vulnerabilities.
Countering these threats requires not only the use of your organization’s physical and technological resources but also the involvement of its human and operational resources and capital. Building truly secure software involves a sustained, long-term effort across your entire organization, including strong policies, vigilance, and controlled access—all of which are within your control.
Because there will always be factors outside of your control, such as unknown vulnerabilities, it’s essential to detect and respond to attacks as they occur at runtime. Intezer Protect offers a cloud-native approach to runtime protection, giving you the ability to stop malicious code in its tracks.
Track the latest malware variants and threat actors analyze.intezer.com