
Identity, Microservices and Service Meshes

Find out more about microservices, service meshes, and service-to-service authorization.

By Wesley Dunnington · Nov. 21, 19 · Analysis

Find your identity with Microservices.

A lot of our customers are talking about microservices. Some are well on their way down the path, others are just getting started, and some are still wondering if microservices are the best choice for them.

While we can't tell every one of you what's best, we at Ping Identity are heavily involved in microservices, so much so that microservices are the basis for our second-generation platform, which underpins PingOne for Customers.

One thing we have learned from our development is that controlling access to microservices requires a defensive, standards-based approach, one that ensures workload security and fulfills the tenets of Zero Trust in a reliable, scalable manner.

The Basics of Microservices

Microservice architectures are commonly defined as a set of small, loosely coupled service components that can be organized to provide an application or a higher-level service. Each service should be as lightweight as possible and independent of the others, talking to them only via standard protocols such as HTTP REST or gRPC.

The beauty of this simplification is that since services are small and modular, individual development teams can be responsible for all aspects of the service: design, development, deployment, scalability, and monitoring. These services hide underlying details such as programming language or database type.

Ideally, these services are stateless, which makes dynamic scaling and load balancing much simpler; the client does not know or care which instance of a service it talks to from request to request. Another benefit of statelessness is that it allows new implementations of a service to be rolled out via "blue-green" or rolling deployment methodologies without introducing any downtime into the environment.

While microservices may be simpler, building a secure and resilient environment for services that can organize and manage the deployment of anywhere from tens to thousands of services is not a trivial undertaking.

This is why the vast majority of the organizations building microservices use Docker containers to package and distribute the services and Kubernetes to orchestrate the running of these containerized services.

More recently, enterprises have been adding service meshes, such as Istio, to connect these services and to provide much-needed capabilities such as load balancing, monitoring, and secure communications. After all those considerations have been addressed, the next topic to come up is usually identity and access, which is where we at Ping start getting interested.

Microservices and Identity

How can you best control access to microservices?

For many services, the answer often is OAuth and OpenID Connect tokens, typically produced by an Authentication Authority such as PingFederate. This works well for services that are called directly by API clients such as mobile applications, single-page apps or partner-hosted applications. PingAccess or an API Gateway can protect these services by rejecting requests from clients that do not have an OAuth access token and validating that the token was generated by a trusted authentication authority.

The gateway can also apply access control policies to ensure that the access token carries the correct scope for the particular API method. If one is used, the OpenID Connect ID token provides the identity of the caller to the services for content personalization or additional authorization decisions.
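The gateway checks just described, as an added example that is not code from the original article or from Ping's products: reject requests without a bearer token, verify that the token was issued by the trusted authority (signature, issuer, audience, expiry), then check that it carries the scope the API method requires. All names, the HMAC secret and the scope table are constructed assumptions; a production gateway verifies the authority's asymmetric signature against its published JWKS rather than a shared secret.

```python
import base64, hashlib, hmac, json, time

# Constructed values: an HMAC secret stands in for the authority's signing key so the
# block runs offline; a real gateway verifies the authority's asymmetric signature via JWKS.
TRUSTED_ISSUER = "https://auth.example.com"   # assumed trusted authentication authority
AUDIENCE = "orders-api"                        # assumed audience of the protected API
SECRET = b"constructed-demo-secret"
REQUIRED_SCOPE = {("GET", "/orders"): "orders:read",    # assumed policy: scope each
                  ("POST", "/orders"): "orders:write"}  # API method requires

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Issue an HS256 JWT; only here so the example has a token to check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token):
    """Return the claims if signature, issuer, audience and expiry all hold, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # accept only the algorithm we expect, never the token's own choice
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    valid = (claims.get("iss") == TRUSTED_ISSUER and claims.get("aud") == AUDIENCE
             and claims.get("exp", 0) > time.time())
    return claims if valid else None

def authorize(method, path, auth_header):
    """Gateway decision as an HTTP status: 401 without a valid token, 403 without the scope."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401
    claims = verify_token(auth_header[len("Bearer "):])
    if claims is None:
        return 401
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None or needed not in claims.get("scope", "").split():
        return 403
    return 200
```

Note the order of the decisions: a missing or untrusted token is a 401 regardless of scope, and an unknown method is denied rather than allowed through.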

What About the Services That a Service Calls, or, to Put It Another Way, Service-to-Service Authorization?

We all hope that none of our services is ever compromised and that attackers never find and exploit a weakness in our environment. We also all know, however, that we need a defensive strategy so that if one of our services is compromised, it cannot be used as a pivot from which to attack other critical services, a technique often referred to as lateral movement.

We need to ensure that services have identities and roles, and that the identity and role are checked on every service-to-service call so that the caller is properly authorized. Workload security is a fundamental pillar of a Zero Trust architecture, and we need to apply it to our service mesh.

Another factor to consider is how we communicate a user's identity into the mesh from the outside and propagate it reliably from service to service if needed. How can we leverage that identity as an additional factor in deciding whether or not a particular service-to-service call is allowed?

We need to protect against the case where a user or attacker has figured out a vulnerability or discovered a way to directly call a service that is meant to be called only by other services.
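One shape the per-call check described in the three paragraphs above can take, written as an added example rather than code from Ping or from any service mesh: the caller's workload identity (assumed here to be the SPIFFE-style URI from its mTLS certificate) maps to a role, the policy names roles rather than hosts and denies anything unlisted, a call with no workload identity at all (the direct-call case) is refused, and where a rule demands it the propagated, already-verified end-user identity must hold a given entitlement. All identities, roles and rules are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy tables (assumed; not Ping's or Istio's configuration). A caller's
# workload identity is the URI SAN presented in its mTLS certificate (SPIFFE-style IDs
# are assumed here); identities map to roles, and the policy names roles, never hosts.
SERVICE_ROLES = {
    "spiffe://mesh.example/ns/shop/sa/checkout": "frontend",
    "spiffe://mesh.example/ns/shop/sa/payments": "payments",
    "spiffe://mesh.example/ns/shop/sa/orders": "orders",
}

@dataclass(frozen=True)
class Rule:
    caller_roles: frozenset                 # roles allowed to invoke the operation
    user_entitlement: Optional[str] = None  # if set, the propagated user must hold it

# (target service, operation) -> rule. Anything not listed is denied by default.
POLICY = {
    ("orders", "ListOrders"): Rule(frozenset({"frontend"})),
    ("orders", "RefundOrder"): Rule(frozenset({"payments"}), user_entitlement="refund"),
    ("payments", "Charge"): Rule(frozenset({"orders"}), user_entitlement="customer"),
}

def authorize_call(target, operation, peer_id, user_claims=None):
    """Decide one service-to-service call; returns (allowed, reason).

    peer_id is the caller's mTLS identity (None if the caller presented none) and
    user_claims is the already-verified end-user token propagated with the request."""
    if peer_id is None:
        return False, "no workload identity: callers outside the mesh are refused"
    role = SERVICE_ROLES.get(peer_id)
    if role is None:
        return False, f"unknown workload {peer_id}"
    rule = POLICY.get((target, operation))
    if rule is None:
        return False, f"no rule for {target}.{operation}: deny by default"
    if role not in rule.caller_roles:
        return False, f"role {role} may not call {target}.{operation}"
    if rule.user_entitlement is not None:
        entitlements = (user_claims or {}).get("entitlements", [])
        if rule.user_entitlement not in entitlements:
            return False, f"end user lacks entitlement {rule.user_entitlement!r}"
    return True, f"{role} -> {target}.{operation} allowed"
```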

By combining the security capabilities of the service mesh with the standards-based identity and entitlement capabilities that Ping's authentication authority provides, we can answer these questions and offer a consistent end-to-end security framework that provides identities, roles and enforcement for both users and services, while adhering to Zero Trust.


Further Reading

Introduction to Service Meshes on Kubernetes and Progressive Delivery

Managing Microservices With a Service Mesh: Data vs. Control Plane

An Overview of the Service Mesh and Its Tooling Options

Published at DZone with permission of Wesley Dunnington. See the original article here.
