Evolution of Deployment Architectures
I’Curity Microservices Architecture and Security
A zero-trust model requires us to enforce container security (container and image scanning for malware), code/CI pipeline security controls, and transactional (L4 & L7 traffic) security controls.
We specialise in L4 and L7 traffic identity and security controls. Microservice architectures include proxies, containers and service orchestration platforms; identity and other security controls can be applied both at the proxies and on the orchestration platforms.
You can authenticate (AuthN) and authorise (AuthZ) system accounts, normal users or the workloads themselves on an orchestration (Kubernetes) platform using the following:
- OAuth & OIDC tokens
- X509 Client Certs
- Other security tokens
- Password files
Proxies can be centralised or decentralised in your API architecture landscape. In an on-premise microservices deployment, a centralised proxy with a distributed cache and a config and data store shared between the proxy nodes can be used. RBAC, ABAC, impersonation and OAuth token controls can be applied at this policy enforcement point. This suits deployments that are simple, perhaps where a central ESB is still in place and the number of APIs or web services is relatively small and thus manageable.
In hybrid, cloud-to-cloud and serverless/FaaS deployments, the microservice deployment is more complex, so a service mesh is often used for observability, resiliency, traffic control, policy enforcement and security. A service mesh has a data plane and a control plane. The data plane is fronted by a sidecar (workload proxy) that sits next to each workload, which results in a decentralised proxy deployment. The service mesh improves upon the security/IAM model built into your Kubernetes pods and sometimes into your code (which results in duplication and maintenance problems). The sidecar and control plane are expected to provide:
- Service Discovery: Microservices discovery and management across platforms (on-prem, cloud etc.).
- Security: Encrypt end-to-end with mutual TLS. This is particularly crucial where PII is sent from one workload to another.
- Identity & Access Management
- Observability: Telemetry data, Tracing & logging
- Scalability, portability and interoperability, availability
- Load balancing
- Canary deployments
- Rate limiting
- Circuit breaking
To achieve this we make use of Kong Service Mesh, Istio, Envoy and Apache SkyWalking together with our ODIP platform to ensure identity and security are propagated throughout your microservices ecosystem.
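As an added example (not from this page and not part of the ODIP platform) of the mutual TLS and identity controls described above, the Istio configuration below turns on STRICT mTLS mesh-wide, validates end-user OAuth/OIDC bearer tokens at the sidecar, and then allows only the checkout workload's identity to reach the orders API. The namespaces, labels, service account name and issuer URL are assumed placeholders.

```yaml
# PeerAuthentication: PERMISSIVE (the Istio default) still accepts plaintext,
# so a caller that bypasses the sidecar is reached in the clear; STRICT rejects it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# RequestAuthentication: the sidecar validates end-user OAuth/OIDC bearer tokens
# against the IdP's JWKS (placeholder issuer and URL).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  jwtRules:
    - issuer: "https://idp.example.internal"
      jwksUri: "https://idp.example.internal/.well-known/jwks.json"
---
# AuthorizationPolicy: L7 policy enforcement point at the sidecar. Only the
# checkout workload (SPIFFE principal taken from its mTLS client cert) may call
# GET/POST /orders*, and only when the request carries a JWT from our issuer.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-api-allow
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/checkout/sa/checkout"]
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/orders*"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://idp.example.internal"]
```

Once any ALLOW policy selects a workload, requests that match none of its rules are denied, so a caller with a valid mTLS certificate but no token from the expected issuer is still rejected.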
We specialize in cyber-security solutions across different industry verticals. Our core value proposition is our ability to deliver robust, transformative and visionary identity platforms to enable and secure your digital transformation strategies.