Thursday, October 10 • 1:00pm - 1:50pm
PRO WORKSHOP (MICROSERVICES): Securing Microservices in a Zero Trust Environment

The microservices architecture expands the attack surface, with multiple microservices communicating with each other remotely. It’s a common principle in security that a system is only as strong as its weakest link. Unlike in any other system design, the repercussions will be extremely high if we do not get security right in a microservices deployment. In a microservices security design, we mainly worry about four things: Edge Security (OAuth 2.0, mTLS), Securing Service to Service communication (mTLS, JWT, Service Mesh), Security at the Deployment (Kubernetes, Docker), and Secure Development Lifecycle.
After talking about microservices for many years, we have now started seeing many microservices production deployments. Most of these deployments today only worry about edge security - exposing the microservices via APIs and protecting those with an API gateway. Once a request passes the API gateway, the communication between microservices assumes a trusted network, which exposes endless possibilities for an attacker who gains access to the network to exploit all the valuable business assets exposed by the microservices. Securing service to service communication gets less emphasis for a couple of reasons: mostly the lack of awareness of zero trust networking principles and the associated risk factors, and the complexity of the available tools.
The technology around securing service to service communication following zero trust security principles has evolved a lot in the last couple of years and keeps evolving. Kubernetes has become the de facto deployment for microservices - and Istio has increased its support for securing service to service communication with mTLS and JWT. Open source projects like SPIFFE and OPA are also becoming mainstream to address key concerns in microservices security.
In this talk I explore multiple service to service security patterns in a microservices deployment to support zero trust security principles, and how a project can evolve/mature its security design in phases.

API World 2019 Speakers
Prabath Siriwardena

Vice President, Security Architecture, WSO2
Prabath Siriwardena is an identity evangelist, author, and a blogger, with more than 12 years of industry experience in designing and building critical Identity and Access Management infrastructure for global enterprises, including many Fortune 100/500 companies. As a technology evangelist...


Thursday October 10, 2019 1:00pm - 1:50pm PDT
API World -- Workshop Stage A