Cloud Native Application Architecture & Security
During your company's modernisation you will need to transition your monolithic applications towards a distributed microservices architecture for portability, which is a characteristic of Native Cloud Applications (NCA). Furthermore, emerging patterns and technologies such as IoT and serverless computing require new API-economy architecture patterns. Security is a major concern, and there is a lack of standardisation.

How do you authenticate (AuthN) and authorise (AuthZ) vertical (north-south) and horizontal (east-west) traffic into and out of a microservice? How do you maintain sessions across microservices, and do you need to? How do you ensure that the identity context is propagated across microservices in on-prem, hybrid, cloud and cloud-to-cloud deployments, so that security and non-repudiation are preserved?
East-west traffic has increased and will continue to increase with the rapid adoption of microservices. This means we can no longer trust traffic within the organisation (behind the perimeter) the way we used to. Bear in mind that with microservices and DevOps we rely on tools and partner libraries to speed things up and to reuse code. Automation is both good and bad: you can download a compromised partner library in your CI/CD pipeline without knowing it, and this can lead to a breach.
We have to adopt a zero-trust model within the intranet and beyond.
Evolution of Deployment Architectures

I’Curity Microservices Architecture and Security
A zero-trust model requires us to enforce container security (container and image scanning for malware), code and CI pipeline security controls, and transactional (L4 and L7 traffic) security controls.
We specialise in L4 and L7 traffic identity and security controls. Microservice architectures include proxies, containers and service orchestration platforms; identity and other security controls can be applied both at the proxies and on the orchestration platforms.
Orchestrators
You can AuthN and AuthZ system accounts, normal users or the workloads themselves on an orchestration (Kubernetes) platform using the following:
- OAuth and OIDC tokens
- X.509 client certificates
- Other security tokens
- Password files
Proxies
Proxies can be centralised or decentralised in your API architecture landscape. In an on-premise microservices deployment, a centralised proxy with a distributed cache and a config and data store shared between the proxy nodes can be used. You can apply RBAC, ABAC, impersonation and OAuth token controls at this policy enforcement point. This suits simple deployments, perhaps where a central ESB is still in place and the number of APIs or web services is relatively small and therefore manageable.
In hybrid, cloud-to-cloud and serverless/FaaS deployments the microservice landscape is more complex, so a service mesh is often used for observability, resiliency, traffic control, policy enforcement and security. A service mesh consists of a data plane and a control plane. The data plane is fronted by a sidecar (workload proxy) that sits next to each workload, which results in a decentralised proxy deployment. The service mesh improves on the security/IAM model built into your Kubernetes pods, and sometimes into your code itself (which leads to duplication and maintenance problems). The sidecar and control plane are expected to provide:
- Service Discovery: Microservices discovery and management across platforms (on-prem, cloud etc.).
- Security: Encrypt end-to-end with mutual TLS. This is particularly crucial where PII is sent from one workload to another.
- Identity & Access Management
- Observability: Telemetry data, Tracing & logging
- Scalability, portability and interoperability, availability
- Load balancing
- Canary deployments
- Rate limiting
- Recovery
- Circuit breaking
To achieve this we make use of Kong Service Mesh, Istio, Envoy and Apache SkyWalking together with our ODIP platform to ensure identity and security are propagated throughout your microservices ecosystem.
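As an added illustration of the sidecar-enforced controls described above (not I'Curity's or the Istio project's own configuration), the following Istio manifests show the weak PERMISSIVE mutual-TLS setting beside the STRICT one, followed by an east-west authorization policy. The namespace `payments`, the workload label `app: billing` and the service account `orders` are assumed for the example; apply only one of the two PeerAuthentication documents, since both carry the same name.

```yaml
# Weak setting: PERMISSIVE lets the sidecar accept both mTLS and plaintext,
# so an unmeshed or unauthenticated caller can still reach the workload.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments          # assumed namespace
spec:
  mtls:
    mode: PERMISSIVE
---
# Corrected setting: STRICT rejects any connection that is not mTLS, so every
# call into the namespace carries a workload identity issued by the control
# plane rather than relying on the network location of the caller.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# East-west AuthZ at the sidecar: only the 'orders' service account may call
# billing, and only GET/POST under /invoices. Once any ALLOW policy applies to
# a workload, requests matching none of its rules are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: billing-allow-orders
  namespace: payments
spec:
  selector:
    matchLabels:
      app: billing             # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/orders"]  # assumed SA
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/invoices*"]
```

With STRICT mTLS in place the `principals` field is trustworthy, because the caller's identity comes from the client certificate the control plane issued to its service account, not from a header the caller could set.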

We specialise in cyber-security solutions across different industry verticals. Our core value proposition is our ability to deliver robust, transformative and visionary identity platforms that enable and secure your digital transformation strategies.