Slide 1

Securing Microservices at API Gateway Using Cloud Native Solutions
Abhisek Datta
Head, Security Products, Appsecco

Slide 2

Nullcon Webinars

Slide 3

About Me – Abhisek Datta
• Head, Security Products (appsecco.com)
  • Application & Cloud Security
  • Kubernetes Cluster Security Assessments
• TechWing @ null0x00 (null.co.in)
  • An Open Security Community
• Security Researcher
  • Discovered vulnerabilities in enterprise software and credited with CVEs
• Open Source Contributor
  • https://github.com/abhisek
@abh1sek

Slide 4

Key Takeaways
1. The need for centralized Authentication and Authorization
2. Understand the role of the API Gateway as a Security Gate
3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation

Slide 5

This is not an introduction to Microservices.
We will look at an approach for securing Microservices using an API Gateway as a Security Gate.
Learn more about Microservices: https://microservices.io/

Slide 6

AuthN & AuthZ in Microservices
[Diagram: Client ↔ Identity Provider (OAuth2 + OIDC) → Identity (JWT) → Reverse Proxy (Authentication & Authorization) → Services (Established Trust)]

Slide 7

API Gateway
How do the clients of a Microservices-based application access the individual services?

Slide 8

AuthN and AuthZ in API Gateway
1. Authenticate a request
2. Authorize a request
3. Route the request to the backend microservice

Slide 9

Our Choice of Technology
• API Gateway
  • Traefik https://containo.us/traefik/
• Policy Management and Enforcement
  • Open Policy Agent https://www.openpolicyagent.org/

Slide 10

What we want to achieve

Slide 11

Demo
• This is a minimal proof of concept implementation for demonstration.
• It should not be considered for production use as is.

Slide 12

Let's look inside the code

Slide 13

Learning Traefik API Gateway
• Use as a reverse proxy
• Use dynamic configuration discovery
• Routing and Load Balancing
• Middlewares
• https://docs.traefik.io/

Slide 14

Learning Open Policy Agent
• Introduction to Open Policy Agent
  • https://www.openpolicyagent.org/docs/latest/
• Rego Playground
  • https://play.openpolicyagent.org/
• Running Open Policy Agent (Lib/Server/Interactive)
  • https://www.openpolicyagent.org/docs/latest/#running-opa
• Open Policy Agent for Kubernetes Admission Control
  • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/

Slide 15

Resources
• Proof of Concept Implementation
  • https://github.com/appsecco/opa-traefik-microservice-authz
• Microservices Authorization using Open Policy Agent and Traefik (API Gateway)
  • https://blog.appsecco.com/microservices-authorization-using-open-policy-agent-and-traefik-api-gateway-ae30f3bf2846

Slide 16

That's all for now.
Questions? [email protected]
https://appsecco.com
@abh1sek
github.com/abhisek