Securing Microservices at API Gateway using Cloud Native Solutions


Authentication and authorization in a microservices environment are non-trivial to implement correctly, especially when identity and authorization controls are distributed across different applications. There have been multiple cases where authorization controls implemented for one application were missed for another application with similar features and data access, resulting in a breach.

We present a solution, along with a proof of concept implementation, for the problem described above: performing authentication and authorization for microservices in the API Gateway itself.


Abhisek Datta

June 06, 2020

Transcript

  1. Securing Microservices at API Gateway Using Cloud Native Solutions
     Abhisek Datta, Head, Security Products, Appsecco

  2. Nullcon Webinars

  3. About Me – Abhisek Datta
     • Head, Security Products (appsecco.com)
     • Application & Cloud Security
     • Kubernetes Cluster Security Assessments
     • TechWing @ null0x00 (null.co.in) • An Open Security Community
     • Security Researcher • Discovered vulnerabilities in enterprise software and credited with CVE
     • Open Source Contributor • https://github.com/abhisek @abh1sek

  4. Key Take Away
     1. The need for centralized Authentication and Authorization
     2. Understand the role of API Gateway as a Security Gate
     3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation

  5. This is not an introduction to Microservices
     We will look at an approach for securing Microservices using API Gateway as a Security Gate
     Learn more about Microservices: https://microservices.io/

  6. AuthN & AuthZ in Microservices
     (Diagram labels: Identity Provider, Client, OAuth2 + OIDC, Reverse Proxy, Identity (JWT), Services, Authentication & Authorization, Established Trust)

  7. API Gateway
     How do the clients of a Microservices-based application access the individual services?

  8. AuthN and AuthZ in API Gateway
     1. Authenticate a request
     2. Authorize a request
     3. Route the request to backend microservice
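The three gateway steps on this slide, as an added example written for this page (it is not code from the talk or from the appsecco proof-of-concept repository): a standard-library Python model of a gateway that verifies a bearer JWT, evaluates a default-deny role/method/path policy of the kind one would express in Rego for OPA, and then picks the backend service by longest prefix match. The HS256 shared secret, the `roles` claim, the route table and the policy rules are all constructed assumptions; a real OIDC deployment verifies asymmetric signatures against the identity provider's published keys and keeps the policy in OPA rather than in gateway code.

```python
"""Constructed model of the gateway flow: authenticate -> authorize -> route.
Not the talk's PoC code; HS256 with a shared secret is an assumption chosen
so the example runs offline with only the standard library."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: key shared by IdP and gateway

# Constructed route table: path prefix -> backend service (step 3).
ROUTES = {
    "/api/orders": "orders-svc:8080",
    "/api/admin": "admin-svc:8080",
}

# Constructed policy (step 2), the shape one would write in Rego:
# which role may use which HTTP method on which path prefix.
POLICY = [
    {"role": "user", "methods": {"GET"}, "prefix": "/api/orders"},
    {"role": "admin", "methods": {"GET", "POST", "DELETE"}, "prefix": "/api/orders"},
    {"role": "admin", "methods": {"GET", "POST"}, "prefix": "/api/admin"},
]


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authenticate(authorization_header: str, secret: bytes = SECRET, now=None) -> dict:
    """Step 1: verify the bearer token. Returns claims or raises ValueError."""
    if not authorization_header.startswith("Bearer "):
        raise ValueError("missing bearer token")
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, method: str, path: str, policy=POLICY) -> bool:
    """Step 2: policy decision. Default deny, like `default allow = false` in Rego."""
    roles = set(claims.get("roles", []))
    return any(
        rule["role"] in roles and method in rule["methods"] and path.startswith(rule["prefix"])
        for rule in policy
    )


def route(path: str, routes=ROUTES):
    """Step 3: choose the backend by longest matching path prefix, or None."""
    matches = [prefix for prefix in routes if path.startswith(prefix)]
    return routes[max(matches, key=len)] if matches else None


def gateway(method: str, path: str, headers: dict, now=None) -> dict:
    """Run the three steps and report what the gateway would do with the request."""
    try:
        claims = authenticate(headers.get("Authorization", ""), now=now)
    except ValueError as err:
        return {"status": 401, "reason": str(err)}
    if not authorize(claims, method, path):
        return {"status": 403, "reason": "denied by policy"}
    backend = route(path)
    if backend is None:
        return {"status": 404, "reason": "no route"}
    return {"status": 200, "backend": backend, "sub": claims.get("sub")}


if __name__ == "__main__":
    token = mint_token({"sub": "alice", "roles": ["user"], "exp": int(time.time()) + 600})
    print(gateway("GET", "/api/orders/42", {"Authorization": "Bearer " + token}))
    print(gateway("DELETE", "/api/orders/42", {"Authorization": "Bearer " + token}))
```

The order of the checks is the point of the slide: a request that fails signature or expiry never reaches the policy, a request the policy denies never reaches a backend, and the backend itself only ever sees traffic that has passed both gates.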
  9. Our Choice of Technology
     • API Gateway • Traefik https://containo.us/traefik/
     • Policy Management and Enforcement • Open Policy Agent https://www.openpolicyagent.org/

  10. What we want to achieve

  11. Demo
     • This is a minimal proof of concept implementation for demonstration
     • It should not be considered for production use as is.

  12. Let's look inside the code

  13. Learning Traefik API Gateway
     • Use as a reverse proxy
     • Use dynamic configuration discovery
     • Routing and Load Balancing
     • Middlewares
     • https://docs.traefik.io/

  14. Learning Open Policy Agent
     • Introduction to Open Policy Agent • https://www.openpolicyagent.org/docs/latest/
     • Rego Playground • https://play.openpolicyagent.org/
     • Running Open Policy Agent (Lib/Server/Interactive) • https://www.openpolicyagent.org/docs/latest/#running-opa
     • Open Policy Agent for Kubernetes Admission Control • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/

  15. Resources
     • Proof of Concept Implementation • https://github.com/appsecco/opa-traefik-microservice-authz
     • Microservices Authorization using Open Policy Agent and Traefik (API Gateway) • https://blog.appsecco.com/microservices-authorization-using-open-policy-agent-and-traefik-api-gateway-ae30f3bf2846

  16. Questions? abhisek@appsecco.com
     That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek