Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Microservices at API Gateway using Cloud Native Solutions

Abhisek Datta
June 06, 2020
Technology
1
380

Securing Microservices at API Gateway using Cloud Native Solutions

Authentication and authorization in a microservices environment is non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There has been multiple cases where authorization controls implemented for one application was missed for another application with similar feature and data access resulting in a breach.

We present a solution along with a proof of concept implementation for the problem described above — To be able to perform authentication and authorization for microservices in the API Gateway itself.

Abhisek Datta

June 06, 2020
Tweet

More Decks by Abhisek Datta

See All by Abhisek Datta
Kubernetes from an Attacker's Perspective - fwd:CloudSec 2020
abhisek
0
360
Kubernetes 101 for Penetration Testers - null Mumbai
abhisek
5
3.7k
Kubernetes From an Attacker's Perspective
abhisek
4
7k
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
460
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
620
Towards Verifiable Infrastructure Security
abhisek
0
180
Your Internet Exposure the Makes You Vulnerable
abhisek
0
160
Towards Verifiable Infrastructure Security
abhisek
0
62
Mobile Appsec from an attacker's perspective
abhisek
0
450

Other Decks in Technology

See All in Technology
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
3
280
開発パフォーマンスを最大化するための開発体制
ham0215
2
260
ServiceNow Knowledge Learning Rise up
manarobot
0
200
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
140
本当のAWS基礎
toru_kubota
0
500
20240418_Google ColabにLLMが搭載されたようなのでPython x データ分析の勉強方法を考えてみる
doradora09
0
120
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
160
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
750
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
6
3.7k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
390

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Statistics for Hackers
jakevdp
789
220k
Six Lessons from altMBA
skipperchong
21
3k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
How to train your dragon (web standard)
notwaldorf
73
5.2k
GraphQLとの向き合い方2022年版
quramy
32
12k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
What the flash - Photography Introduction
edds
64
11k
The Cult of Friendly URLs
andyhume
74
5.7k

Transcript

  1. Securing Microservices at API Gateway Using Cloud Native Solutions Abhisek

    Datta Head, Security Products Appsecco

  2. Nullcon Webinars

  3. About Me – Abhisek Datta • Head, Security Products (appsecco.com)

    • Application & Cloud Security • Kubernetes Cluster Security Assessments • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in enterprise software and credited with CVE • Open Source Contributor • https://github.com/abhisek @abh1sek

  4. 1. The need for centralized Authentication and Authorization 2. Understand

    the role of API Gateway as a Security Gate 3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation Key Take Away

  5. This is not an introduction to Microservices We will look

    at an approach for securing Microservices using API Gateway as a Security Gate Learn more about Microservices https://microservices.io/

  6. AuthN & AuthZ in Microservices Identity Provider Client Oauth2 +

    OIDC Reverse Proxy Identity (JWT) Services Authentication & Authorization Established Trust

  7. API Gateway How do the clients of a Microservices- based

    application access the individual services?

  8. 1. Authenticate a request 2. Authorize a request 3. Route

    the request to backend microservice AuthN and AuthZ in API Gateway

  9. • API Gateway • Traefik https://containo.us/traefik/ • Policy Management and

    Enforcement • Open Policy Agent https://www.openpolicyagent.org/ Our Choice of Technology

  10. What we want to achieve

  11. Demo • This is a minimal proof of concept implementation

    for demonstration • It should not be considered for production use as is.

  12. Let's look inside the code

  13. • Use as a reverse proxy • Use dynamic configuration

    discovery • Routing and Load Balancing • Middlewares • https://docs.traefik.io/ Learning Traefik API Gateway

  14. • Introduction to Open Policy Agent • https://www.openpolicyagent.org/docs/latest/ • Rego

    Playground • https://play.openpolicyagent.org/ • Running Open Policy Agent (Lib/Server/Interactive) • https://www.openpolicyagent.org/docs/latest/#running-opa • Open Policy Agent for Kubernetes Admission Control • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/ Learning Open Policy Agent

  15. • Proof of Concept Implementation • https://github.com/appsecco/opa-traefik-microservice-authz • Microservices Authorization

    using Open Policy Agent and Traefik (API Gateway) • https://blog.appsecco.com/microservices-authorization-using- open-policy-agent-and-traefik-api-gateway-ae30f3bf2846 Resources

  16. Questions? [email protected] That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek