Do You Trust Your Microservices Identities?
In this article, see how identities are established and see whether you can trust your microservices identities.
Microservices provide great benefits to development organizations. They enable multiple autonomous development teams to work on the same application while maintaining efficiency, speed, and the use of modern resources such as open source, containers, and programming languages. The microservice paradigm simplifies application building, debugging, management, deployment, and scalability, and, of course, shortens time to market.
In this new world of microservices, a common practice is to use different forms of microservice identity in order to simplify the provisioning of policies and configurations. These could be routing policies in a service mesh, load-balancing rules, and security policies such as data access and network policies.
With service identity taking such a central role, it is key for security-minded organizations to take a closer look at how identities are established in their environment and how secured these identities are.
How Are Identities Established? Can You Trust Your Microservices Identities?
The most basic usage of microservice identity is for microservices to identify themselves to other microservices as they communicate with them or when accessing controlled resources. However, how much can we trust such identification? When a solution is penetrated, what would prevent malicious software from posing as a legitimate service? The answer is authentication. Authentication is a must-have security mechanism for any identity-based operational model.
For authentication to be trustworthy, it must be based on something that can’t be copied or faked – a secret that nobody else can obtain. Traditional authentication methods use private keys, passwords, JSON Web Tokens (JWT), or similar tokens. These models have two fundamental security problems that must be addressed.
1. The “Chicken and Egg” Problem of Identity Establishment
As described above, services authenticate each other using secrets. However, how does a service get that secret in the first place? We refer to this as the “chicken and egg” problem because a service needs a secret to be authenticated, and it needs to be authenticated to obtain the secret.
This “chicken and egg” problem is even more significant in a highly dynamic microservice environment because services go up and down constantly, auto-scale, and may run on different nodes. These services don’t share any common security protocols or infrastructure. Using environment attributes such as service name, node name, and other attributes cannot be considered secure, because any malicious software on the node has access to the same information; yet they are used for lack of a better option.
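The following is an added example, not code from the article, showing the difference between the two kinds of identification discussed above: a callee that trusts a self-reported environment attribute (the caller's service name) and a callee that trusts only an identity token signed with a per-service secret. The secret store, service names, token format and time values are constructed for the demonstration; the per-service secrets are exactly the material whose initial distribution is the "chicken and egg" problem.

```python
"""Service identity: a self-reported name versus an authenticated claim.

Added example (not from the article). Two ways a calling service can
identify itself to a callee:
  1. an unauthenticated environment attribute (the service name), which
     any process on the node can assert;
  2. a short-lived identity token signed with a per-service secret, which
     only a holder of that secret can mint.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed per-service secrets. In a real deployment these are the
# secrets that must somehow be bootstrapped to each service instance.
SERVICE_SECRETS = {
    "orders": b"orders-secret-0001",
    "payments": b"payments-secret-0002",
}

TOKEN_TTL_SECONDS = 60


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(service: str, secret: bytes, now: Optional[float] = None) -> str:
    """Mint a token of the form base64(claims) + "." + base64(HMAC-SHA256(claims))."""
    now = time.time() if now is None else now
    claims = json.dumps(
        {"sub": service, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS},
        sort_keys=True,
    ).encode()
    sig = hmac.new(secret, claims, hashlib.sha256).digest()
    return f"{_b64(claims)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated service name, or None if the token cannot be trusted."""
    now = time.time() if now is None else now
    try:
        claims_b64, sig_b64 = token.split(".")
        claims_raw = _unb64(claims_b64)
        claims = json.loads(claims_raw)
        sig = _unb64(sig_b64)
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    if not isinstance(claims, dict):
        return None
    secret = SERVICE_SECRETS.get(claims.get("sub"))
    if secret is None:
        return None  # unknown service: nothing to verify against
    expected = hmac.new(secret, claims_raw, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # signed with some other key, or claims tampered with
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None
    if not (iat <= now < exp):
        return None  # not yet valid, or expired
    return claims["sub"]


def authorize_by_name(request: dict) -> bool:
    """Naive callee: trusts whatever name the caller reports about itself."""
    return request.get("caller") == "orders"


def authorize_by_token(request: dict, now: Optional[float] = None) -> bool:
    """Authenticating callee: trusts only a token signed with the orders secret."""
    return verify_token(request.get("token", ""), now) == "orders"


if __name__ == "__main__":
    t0 = 1_700_000_000
    legit = {"caller": "orders", "token": issue_token("orders", SERVICE_SECRETS["orders"], t0)}
    # A process that knows only the name "orders", not its secret.
    name_only = {"caller": "orders", "token": issue_token("orders", b"not-the-real-secret", t0)}
    print("by name  :", authorize_by_name(legit), authorize_by_name(name_only))
    print("by token :", authorize_by_token(legit, t0 + 10), authorize_by_token(name_only, t0 + 10))
```

Running the block prints `True True` for the name-based check and `True False` for the token-based one: the callee that relies on an environment attribute cannot tell the two callers apart, while the callee that demands a signed, expiring token accepts only the holder of the secret. The expiry check also means that a token which does leak is useful for at most `TOKEN_TTL_SECONDS`.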
2. Protecting Secrets After They Are Distributed
Since service authentication may be required at any time during the service life-cycle, the service must be able to protect its secrets after they have been obtained, regardless of how the secrets were distributed. For interoperability reasons, communicating services use standard security protocols and algorithm implementations. These implementations are often open source. They require secrets to be present in memory while they are used.
When service software or a device is compromised, these secrets can easily be stolen from memory, because the attackers know what to look for. This problem of protecting secrets in use is one of the most complicated problems in cryptography.
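As an added illustration of the in-use problem (example code, not from the article), the block below narrows the window in which a signing secret sits in process memory: the secret is held in a mutable buffer that the service zeroes as soon as it has finished signing. It also shows the caveat the paragraph above implies: the standard HMAC implementation copies the key into its own internal blocks for the duration of the operation, so wiping your own copy shortens exposure but cannot remove the copy the library holds while it works. The secret material and message are constructed for the demonstration.

```python
"""Keeping a service secret in memory only as long as it is needed.

Added example, not code from the article. `bytes` objects are immutable
and cannot be overwritten in place; a `bytearray` can be zeroed the moment
the service is done with it.
"""
import hashlib
import hmac


class WipeableSecret:
    """Holds key material in a mutable buffer that can be zeroed after use."""

    def __init__(self, material: bytes) -> None:
        self._buf = bytearray(material)  # our own copy, which we can overwrite
        self._wiped = False

    def sign(self, message: bytes) -> bytes:
        if self._wiped:
            raise RuntimeError("secret has already been wiped")
        # hmac accepts any bytes-like key. Note that it copies the key into
        # its own padded inner/outer blocks: that copy lives for as long as
        # the HMAC object does, which is the in-use exposure the article
        # describes and which this class cannot eliminate.
        return hmac.new(self._buf, message, hashlib.sha256).digest()

    def wipe(self) -> None:
        """Overwrite the buffer in place so the value is no longer present."""
        for i in range(len(self._buf)):
            self._buf[i] = 0
        self._wiped = True

    def is_zeroed(self) -> bool:
        return all(b == 0 for b in self._buf)


def sign_once(material: bytes, message: bytes) -> bytes:
    """Sign a single message and wipe the secret even if signing fails."""
    secret = WipeableSecret(material)
    try:
        return secret.sign(message)
    finally:
        secret.wipe()


def wiped_secret_refuses(material: bytes, message: bytes) -> bool:
    """True if a wiped secret refuses to sign and its buffer reads as zeros."""
    secret = WipeableSecret(material)
    secret.sign(message)
    secret.wipe()
    try:
        secret.sign(message)
    except RuntimeError:
        return secret.is_zeroed()
    return False


if __name__ == "__main__":
    sig = sign_once(b"constructed-secret", b"GET /orders/42")
    print("signature:", sig.hex())
    print("wiped secret refuses further use:", wiped_secret_refuses(b"constructed-secret", b"x"))
```

The design point is that the secret's lifetime is tied to one operation rather than to the process: the caller never holds the raw material after `sign_once` returns. What this cannot fix is the copy that the caller passed in as `bytes` and the copy inside the HMAC object, which is why the article treats in-use protection as an open problem rather than a coding discipline.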
Proposed Solution for Secured Identity Authentication in Microservices
Learning from the user authentication experience, we know that legacy secret-based authentication such as passwords was replaced by multi-factor authentication or stronger biometric types of authentication. It is no longer just about “what you have” (your token); it is also about “what you are” (your retinal scan, fingerprint, etc.).
Hope you found my content interesting. I always appreciate getting feedback and discussing ideas, so please feel free to drop me a line or follow me on LinkedIn: https://www.linkedin.com/in/shaulirozen/