June 6, 2023

Last Updated on January 15, 2024

What is a Microservice Architecture and How Do I Secure It?

Microservice architectures are now a software mainstay. But the distributed, interconnected nature of microservices, including calls to third-party code, greatly impacts software security. Unlike traditional “monolithic” applications, which have limited data entry/exit points, microservices create a highly complex, almost borderless attack surface.

Laura Bell Main, CEO and Founder at SafeStack, explains challenges and solutions for securing microservice architectures in today’s fast-paced DevOps environments.

Join us as we discuss:

  • How microservices escalate software supply chain risk and create new issues with managing that risk
  • How Zero Trust concepts relate to securing microservices
  • Why using microservices drives a need for close collaboration between development and security teams

What is a microservices architecture?

In contrast to a traditional, “monolithic” application architecture, a microservice architecture is partly or entirely deconstructed into separate, discrete services, each with a “single responsibility” to play in the overall system. These microservices make frequent calls to one another and to other code and software libraries, including third-party libraries.

Microservices can be simpler to maintain and update than large, complex applications. Each service can also be written in whichever programming language best suits it.

But keeping track of all those microservices and their relationships can be a challenge, especially if you have hundreds or thousands. As Laura points out, “Being able to keep and rationalize that in your head, and be able to map it out and understand the connectivity between it can be challenging. There’s definitely an increased importance on the role of an architect when you are embracing these things.”


How do microservices and APIs relate?

When an application uses microservices, those microservices need to communicate back and forth intensively. They typically do that using application programming interfaces (APIs).

In a nutshell, microservices are the functions and APIs are how those functions are accessed across the application. Some microservices likewise use APIs to call third-party code, cloud-based services, etc. This makes the software supply chain associated with microservices potentially very complex and risky—which makes managing that supply chain more important than ever.

Laura notes: “That’s why we’re seeing it echoed through the guidance coming out of the Cybersecurity and Infrastructure Security Agency (CISA), the executive order from President Biden. That software supply chain thing that we’ve been tangentially aware of for a while… We’re really now starting to realize the impact of it.”


How do microservices change software security?

With traditional applications it’s relatively simple to identify all the places where data goes in and out, and where you need to put security controls.

But when applications get decomposed into microservices, those components—and the code they call and the code that code calls and so on—tend to spread onto different servers, networks, cloud platforms, etc. The application perimeter can be practically unbounded.

“Planning where to put your controls and defenses is a different thing [with microservices],” notes Laura. “Instead of having one big defense around the outside, you’re looking at the different trust zones inside of a much more complex network.”
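As an added illustration of the per-trust-zone controls Laura describes (example code written for this post, not from SafeStack or the episode), the check below authorizes each service-to-service call against the caller's and callee's zones rather than trusting anything that is already "inside". It assumes workload identities are SPIFFE-style URIs taken from the caller's mTLS certificate; the zones, identities and rules are constructed.

```python
"""Per-call authorization between microservices in different trust zones.

Constructed example of the check a sidecar or in-process middleware would
apply. Identities are SPIFFE-style URIs assumed to come from the caller's
mTLS certificate; the zone map and rules below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed trust-zone map: which zone each workload identity belongs to.
ZONE_OF = {
    "spiffe://example.org/edge/api-gateway": "edge",
    "spiffe://example.org/app/orders": "app",
    "spiffe://example.org/app/inventory": "app",
    "spiffe://example.org/data/payments-db-proxy": "data",
}

# Constructed rules: (caller zone, callee zone) -> permitted HTTP methods.
# Any pair not listed is denied: no implicit trust just for being on the network.
ZONE_RULES = {
    ("edge", "app"): {"GET", "POST"},
    ("app", "app"): {"GET"},
    ("app", "data"): {"GET", "POST"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # every outcome carries a reason so denials can be logged and alerted on


def authorize(caller_id: Optional[str], callee_id: str, method: str) -> Decision:
    """Decide one inter-service call. Fails closed on missing or unknown identity."""
    if caller_id is None:
        return Decision(False, "no authenticated caller identity (mTLS required)")
    caller_zone = ZONE_OF.get(caller_id)
    callee_zone = ZONE_OF.get(callee_id)
    if caller_zone is None or callee_zone is None:
        return Decision(False, f"unknown workload identity: {caller_id!r} -> {callee_id!r}")
    permitted = ZONE_RULES.get((caller_zone, callee_zone), set())
    if method.upper() not in permitted:
        return Decision(False, f"{method.upper()} {caller_zone}->{callee_zone} not permitted")
    return Decision(True, f"{method.upper()} {caller_zone}->{callee_zone} permitted")


if __name__ == "__main__":
    gw, orders, db = (
        "spiffe://example.org/edge/api-gateway",
        "spiffe://example.org/app/orders",
        "spiffe://example.org/data/payments-db-proxy",
    )
    for call in [(gw, orders, "POST"), (gw, db, "GET"), (None, orders, "GET")]:
        print(call, authorize(*call))
```

The gateway reaching the data zone directly is denied even though it is a legitimate, authenticated workload, which is exactly the kind of internal boundary a single perimeter defense cannot express.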


Teamwork is essential to securing microservices

To secure microservices applications, security teams must work very closely with development teams to create controls that can flow at the speed of DevOps—but don’t negatively affect application scalability, performance, or delivery timeframes.

“These [microservice] architectures are now very dynamic and fast-moving,” Laura points out. “How long does it take for messages to get through my network? What’s the performance and scaling of that? How many requests per second can I handle? Those are all very pertinent questions to a development team right now—especially if they’re decomposing into services.”

