The document summarizes security challenges and patterns for microservices architectures. It discusses how microservices introduce a broader attack surface and challenges around performance, deployment complexity, observability, and sharing user context. It then outlines several common security patterns for microservices including API gateways, mutual TLS authentication between services, JSON web tokens (JWT), policy evaluation, and service meshes. It provides examples of Istio and Open Policy Agent (OPA) for policy enforcement and Spiffe/Spire for identity management.

1. INTEGRATION SUMMIT 2019
Microservices Security Landscape
Prabath Siriwardena
Vice President - Security Architecture, WSO2
INTEGRATION

2. INTEGRATION SUMMIT 2019
Monolithic

3. INTEGRATION SUMMIT 2019
Microservices

4. INTEGRATION SUMMIT 2019
Broader attack surface
Performance
Deployment complexities
Observability
Sharing user context
Polyglot architecture
Challenges

5. INTEGRATION SUMMIT 2019
API Gateway Pattern

6. INTEGRATION SUMMIT 2019
Service to Service Security Patterns
● Trust the Network
● TLS Mutual Authentication
● JWT (JSON Web Token)

7. INTEGRATION SUMMIT 2019
Trust The Network

8. INTEGRATION SUMMIT 2019
Shared JWT + mTLS

9. INTEGRATION SUMMIT 2019
Nested JWT

10. INTEGRATION SUMMIT 2019
JWT with Token Exchange

11. INTEGRATION SUMMIT 2019
Policy Evaluation (Central Pdp)

12. INTEGRATION SUMMIT 2019
Policy Evaluation (Embedded Pdp)

13. INTEGRATION SUMMIT 2019
THANK YOU
wso2.com

14. INTEGRATION SUMMIT 2019
Spiffe / Spire

15. INTEGRATION SUMMIT 2019
Spiffe + OAuth 2.0

16. INTEGRATION SUMMIT 2019
Service Mesh
● A decentralized application networking infrastructure between
the services that provides, resiliency, security, observability,
and routing control.
● Comprised of a control plane and a data plane.

17. INTEGRATION SUMMIT 2019
Istio

18. INTEGRATION SUMMIT 2019
eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc4YjRjZjIzNjU2ZGMzOTUzNjRmMWI2YzAyOTA3NjkxZjJjZGZmZ
TEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTAyMjUxMTU4OTIwMTQ3
NzMyIiwiYXpwIjoiODI1MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21ucDRzcXY3ZXJodTEyMTFz
LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJwcmFiYXRoQHdzbzIuY29tIiwiYX
RfaGFzaCI6InpmODZ2TnVsc0xCOGdGYXFSd2R6WWciLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYX
VkIjoiODI1MjQ5ODM1NjU5LXRlOHFnbDcwMWtnb25ub21ucDRzcXY3ZXJodTEyMTFzLmFwcHMu
Z29vZ2xldXNlcmNvbnRlbnQuY29tIiwiaGQiOiJ3c28yLmNvbSIsImlhdCI6MTQwMTkwODI3MSwiZX
hwIjoxNDAxOTEyMTcxfQ.TVKv-pdyvk2gW8sGsCbsnkqsrS0T-H00xnY6ETkIfgIxfotvFn5IwKm3x
yBMpy0FFe0Rb5Ht8AEJV6PdWyxz8rMgX2HROWqSo_RfEfUpBb4iOsq4W28KftW5H0IA44Vm
NZ6zU4YTqPSt4TPhyFC9fP2D_Hg7JQozpQRUfbWTJI
JWT (Json Web Token)

19. INTEGRATION SUMMIT 2019
Spiffe / Spire
● Secure Production Identity Framework for Everyone.
● SPIFFE tries to solve the trust bootstrap problem in a platform
agnostic manner.
● SPIFFE provides an identity to each workload in a
microservices deployment, which is known as the SPIFFE ID.
E.g.: spiffe://acme.com/billing/payments

20. INTEGRATION SUMMIT 2019
Open Policy Agent (Opa)
● A lightweight general-purpose policy engine that can be co-located with
your service.
● Policies are written in Rego
● Can integrate OPA as a sidecar, host-level daemon, or library.
● Integrated with Spring, Service Mesh implementations (Istio, Linkerd),
Kafka
● https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa/
● Netflix is an early adopter of OPA

21. INTEGRATION SUMMIT 2019
Cross Domain