Organizations are increasingly integrating microservices into their software development processes. As noted by DZone, microservices break down software into multiple component services, thereby enabling organizations to deploy parts of an application without compromising the integrity of the entire program.
This property also allows developers to address a microservice that starts acting up. The other microservices will continue functioning while the malfunctioning component remains offline; once the change is made, developers can independently modify and redeploy the element. Finally, their independent nature makes microservices highly scalable and easy to integrate with third-party services.
The trouble with microservices
Microservices do present their fair share of security challenges. For instance, they introduce complexity into the network environment that expands the attack surface. Indeed, microservices communicate with each other via APIs that don’t use machine architecture or programming language. Kong explains that this communication creates more attack vectors and increases the number of failure points which malicious actors can exploit.
Such complexity also makes traditional security measures more difficult to enforce. A more complex network environment with more connected services generates more logs. That’s a problem, as greater numbers of logs help to conceal security issues that pop up on the network. Security personnel won’t be able to manually manage the logs in response.
In response to these and other challenges, organizations need to adopt a different approach to securing their microservices. As quoted by Kong:
… [W]e arrive at the priority of forward-looking security design. Far from indicating a “my way” approach from a siloed security authority team, we have come to a point in DevOps culture where all possible factors contribute to considerations that form the basis of a stable security policy and protocol formation process. Without knowing how everyone is going to be impacted inside their changing day-to-day (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by David Bisson. Read the original post at: https://resources.infosecinstitute.com/implementing-a-zero-trust-model-the-key-to-securing-microservices/