Back To Schedule
Thursday, October 10 • 1:00pm - 1:50pm
PRO WORKSHOP (MICROSERVICES): Securing Microservices in a Zero Trust Environment

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
The microservices architecture expands the attack surface with multiple microservices communicating with each other remotely. It’s a common principle in security that the strength of a given system is only as strong asthe strength of its weakest link. Unlike in any other system design, the repercussions will be extremely highly if we do not get right the security in a microservices deployment. In a microservices security design, we mainly worry about four things: Edge Security (OAuth 2.0, mTLS), Securing Service to Service communication (mTLS, JWT, Service Mesh), Security at the Deployment (Kubernetes, Docker), and Secure Development Lifecycle. After talking about microservices for many years, we have now started seeingmany microservices production deployments. Most of these deployments today, only worry about the edge security - by exposing the microservices via APIs - and protecting those with an API gateway. Once a request passes theAPI gateway, the communication between microservices assumes a trusted network, and exposes endless possibilities to an attacker gaining access to the network to exploit all valuable business assets exposed by themicroservices. Less emphasis on securing service to service communication happens due to couple of reasons. Mostly, the lack of awareness of the zero trust networking principles and associated risk factors, and the complexity of the available tools. The technology around securing service to service communication following zero trust security principles have evolved a lot in last couple of years and keeps evolving. Kubernetes has become the de facto deployment for microservices - and Istio has increased its support for securing service to service communication with mTLS and JWT. Also open source projects like SPIFFE and OPA are becoming mainstream to address key concerns in microservices security. In this talk I explore multiple service to service security patterns in a microservices deployment to support zero trust security principles, and how a project can evolve/mature its security design in phases.

API World 2019 Speakers
avatar for Prabath	Siriwardena

Prabath Siriwardena

Vice President, Security Architecture, WSO2
Prabath Siriwardena is an identity evangelist, author, and a blogger, with more than 12 years of industry experience in designing and building critical Identity and Access Management infrastructure for global enterprises, including many Fortune 100/500 companies. As a technology evangelist... Read More →

Thursday October 10, 2019 1:00pm - 1:50pm PDT
API World -- Workshop Stage A