The benefits of microservices architecture -- smaller development teams, faster release cycles, fewer dependencies, less risk -- are becoming widely known, thanks to companies like Amazon, Google, and Netflix sharing their experiences. Less widely understood are the security challenges introduced by this new paradigm, but the engineers in the vanguard have wisdom to offer on this front as well.
You need to keep in mind more than a few details before you rip the wrapping off the shiny new app containers. Instead of securing one or two monolithic apps, you're now responsible for perhaps dozens of smaller services, each able to call the others over the network in a number of ways. What's more, you're trying to secure those services both from outside attack and from internal misuse, deliberate or not.
Not like the old days
Yesterday's monolithic apps were big and inflexible, and the service-oriented architectures created to replace them had their own complexities. Replacing these stacks with loosely coupled applications deployed via immutable containers seems like a step in the right direction, and it is. But it also means several key breakaways from tradition, many of which affect security.
As Eric Knorr put it in his discussion of winning with microservices, these sea changes mean developers end up shouldering responsibilities once held by operations. Security inside of and between microservices falls into that category. A good argument could be had about who has the better understanding of security -- dev or ops -- but remember that developers own the APIs that govern how services interact with other services and with the outside world. In other words, much of the security burden shifts to developers.
For the ops folks, securing microservices means discarding assumptions about even what tools can be used. Owen Garrett, head of products at Nginx, said in an email, "Much of the technology that has been developed to manage traditional Web-based applications … will not map directly to microservices applications." This includes security, not only Web application firewalls, "but internal IDS processes too."
Both front end and back end
Another reason microservices make security tougher: There are many more moving parts to attack.
As Garrett explained, "The attack surface of a microservices app can be much greater [than a traditional monolithic application]." With older apps, "the attack surface is very linear -- traffic hits the load balancer, then the Web (presentation tier), and then the application and data tiers."
But with microservices, Garrett noted the flow is entirely different: "It's generally necessary to expose a large number of different services so that external applications can address them directly, leading to a much greater attack surface."
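To make Garrett's point concrete, here is an added example (not code from the article, from Nginx, or from any project it names) that models the two topologies as directed call graphs and enumerates the attack surface each exposes: which services an external client can address directly, which it can reach transitively, which published services bypass the gateway or load balancer, and how many hops separate the outside world from a sensitive back end. Both topologies are constructed for illustration; the service names and edges are assumptions, not a description of any real deployment.

```python
"""Attack-surface enumeration over a constructed service call graph.

Added example. Two hypothetical topologies: a linear monolith (traffic
enters only through the load balancer) and a microservices layout in
which several services are published directly to external callers.
"""
from collections import deque

INTERNET = "internet"  # synthetic node standing in for external clients

# Constructed monolith: internet -> lb -> web -> app -> db, nothing else exposed.
MONOLITH = {
    INTERNET: {"lb"},
    "lb": {"web"},
    "web": {"app"},
    "app": {"db"},
    "db": set(),
}

# Constructed microservices layout: an API gateway plus three services that
# external applications address directly, each with its own internal calls.
MICROSERVICES = {
    INTERNET: {"gateway", "orders", "catalog", "auth"},
    "gateway": {"orders", "catalog", "auth", "payments"},
    "orders": {"payments", "inventory", "auth"},
    "catalog": {"inventory"},
    "auth": {"users"},
    "payments": {"ledger"},
    "inventory": set(),
    "users": set(),
    "ledger": set(),
}


def entry_points(graph):
    """Services an external client can address directly (one hop from INTERNET)."""
    return set(graph.get(INTERNET, set()))


def reachable(graph, start=INTERNET):
    """Every service reachable from `start` by following call edges (BFS).

    This is the transitive surface: a bug in any directly exposed service
    can be used to pivot to everything it calls.
    """
    seen = set()
    queue = deque(graph.get(start, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def bypasses_front_door(graph, front_door):
    """Directly exposed services other than the designated front door.

    Each one is a path that skips whatever WAF, authn or rate-limit policy
    the gateway or load balancer enforces, so it needs its own controls.
    """
    return entry_points(graph) - {front_door}


def hops_to(graph, target, start=INTERNET):
    """Fewest call edges an external client must cross to reach `target`,
    or None if the target is unreachable from outside."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return dist[node]
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def surface_report(graph, front_door, sensitive):
    """Summarise exposure of one topology as a plain dict."""
    return {
        "entry_points": sorted(entry_points(graph)),
        "reachable": sorted(reachable(graph)),
        "bypasses_front_door": sorted(bypasses_front_door(graph, front_door)),
        "hops_to_sensitive": hops_to(graph, sensitive),
    }


if __name__ == "__main__":
    print("monolith:     ", surface_report(MONOLITH, "lb", "db"))
    print("microservices:", surface_report(MICROSERVICES, "gateway", "ledger"))
```

Run against the constructed graphs, the monolith has a single entry point and the database sits four hops from the outside, while the microservices layout has four entry points, three of which bypass the gateway entirely, and the ledger is three hops out (the user store only two). The same walk over a real inventory (service mesh config, Kubernetes Services of type LoadBalancer or Ingress rules) is a quick way to list exactly which services must carry their own authentication and input validation because no front door stands in front of them.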