Microgateways: Zero Trust Security for the Microservices World
According to a recent Forrester report, The Future Of Identity And Access Management, microservices-based IAM is fast replacing complex and monolithic legacy solutions. Why? Microservices- and API-based solutions show faster time-to-value, provide flexibility for changing requirements, and support mobile and IoT technologies.
New business models based on the ability to monetize APIs (i.e. charge for usage) make APIs and microservices accessible to broader audiences and create new revenue streams, while opening businesses to additional risk. One approach to mitigating the risks associated with the monetization of APIs and microservices is the use of fine-grained authentication and authorization. But how can development teams incorporate sophisticated security without adding layers of complexity?
In a recent ForgeRock and KuppingerCole webcast, we discussed one of the key trends we see in DevOps: externalizing microservices security. By externalizing security, you benefit from a security strategy that’s simple, consistent, and adaptable, freeing up much-needed resources.
Microservices and microgateways can run in multiple containers to form a single unit of deployment – effectively building a zero trust model. Unlike traditional API gateways, they can be co-located and share resources, such as network or storage.
In the zero trust model, DevOps is king!
A gateway needs to support the deployment and scalability of your microservice (e.g. having the ability to run your microservice in Docker and be deployable by Kubernetes). Microgateways are a flexible deployment model that enables you to efficiently drive changes through your continuous integration and continuous delivery (CI/CD) pipeline, from development to production.
With microgateways as a microservices security solution, you can securely innovate and keep up with your ever-changing business needs.
Key characteristics of a sound microservices security strategy
Simplicity: Microservices are single-purpose programs. Any non-relevant functionality should be moved elsewhere, or developed separately. Programmatic security in the microservice can create an overload. Adding token caching and validation to each individual microservice creates bottlenecks and reduces scalability.
Consistency: A strong security strategy is replicable and consistent in its deployment. Adopt reliable procedures that are well understood, tested, and certified.
Modernizing: Microservices won’t replace monolithic infrastructures overnight. A gateway needs to integrate existing infrastructure with modern services, and apply request and response transformations when necessary.
Adaptable: A token type and procedure may be sufficient today, but what about tomorrow? You may need to evolve from OAuth2 to OAuth2 with Proof-of-Possession or another type of protocol. An adaptable solution allows for changes to authentication and authorization methods without the need to touch individual microservices.
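To make the Simplicity and Adaptable points concrete, here is an added sketch (not ForgeRock code or any product's API) of a co-located gateway that validates and caches tokens once, then forwards only identity headers to a microservice that contains no token logic. The HMAC token format, the `X-Auth-Subject` header, and all class and function names are assumptions made for illustration, and header names are assumed to arrive in canonical case. Changing the token type means passing a different `validate` callable to the gateway, with no change to the service.

```python
import base64, hashlib, hmac, json, time

def make_token(key, claims):  # constructed demo format: base64url(claims) + "." + hex HMAC-SHA256
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def hmac_validator(key):  # pluggable: returns decoded claims, or None if invalid
    def validate(token):
        try:
            body, sig = token.rsplit(".", 1)
            good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(good, sig):
                return None
            return json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return None
    return validate

class Microgateway:
    def __init__(self, validate, upstream, cache_ttl=30, clock=time.time):
        self.validate, self.upstream = validate, upstream
        self.cache, self.cache_ttl, self.clock = {}, cache_ttl, clock
        self.validations = 0  # counts real validations, to show the cache working

    def _claims(self, token):
        now, hit = self.clock(), self.cache.get(token)
        if hit and hit[0] > now:
            return hit[1]
        self.validations += 1
        claims = self.validate(token)
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        self.cache[token] = (min(now + self.cache_ttl, claims["exp"]), claims)  # never cache past expiry
        return claims

    def handle(self, headers, required_scope):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        claims = self._claims(token) if scheme == "Bearer" and token else None
        if claims is None:
            return 401, None
        if required_scope not in claims.get("scope", "").split():
            return 403, None
        # Drop the credential and any client-supplied identity headers before forwarding.
        fwd = {k: v for k, v in headers.items()
               if k != "Authorization" and not k.startswith("X-Auth-")}
        fwd["X-Auth-Subject"] = claims.get("sub", "")
        return 200, self.upstream(fwd)

def orders_service(headers):  # hypothetical microservice: contains no token logic
    return "orders for " + headers["X-Auth-Subject"]
```

The forwarded identity header is only trustworthy if the microservice is reachable solely through its gateway, which is what co-locating the two in one unit of deployment provides.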