How to build secure microservices

Rick Blaisdell

July 14th, 2017

A few years back, everybody was looking for an architecture that would make web and mobile application development more flexible, reliable, efficient, and scalable. In 2014, we found the answer when an innovative architectural solution was developed—Microservice.

The fastest growing companies are built around microservices. What makes microservice architecture fascinating is its characteristics:

  • Microservices are organized around competencies like recommendations, front-end, user interface.
  • You can implement them using various programming languages, databases, software, and environment.
  • The services lend themselves to a continuous delivery software development process.
  • If there are any changes produced in the application, it requires only a few changes in a service.
  • Easy to replace with other microservices.
  • These services are independently deployable, autonomously developed, and messaging enabled. 

So, it’s easy to understand why a microservice architecture is a perfect way to accelerate both web and mobile application development. However, one needs to understand how to build secure microservices. Security is the top priority for every business. Designing a safe microservices architecture can be simple if you follow these guidelines:

  • Define access control and authorization – This is one of the crucial steps in reaching a higher level of security. It’s important to understand first how each microservice could be compromised and what damage could be done. This will make it much easier for you to develop a strategy that could safeguard against these incidents. 
  • Map communications – Outlining the entire communication methods between microservices will give you valuable insights on any vulnerability that might eventually be exploited in case of a malicious attack.
  • Use centralized security or configuration policies – Human error is one of the most common reasons why platforms, devices, or networks get hacked or damaged. It’s a fact! Employing a centralized security or configuration policy will reduce the human interaction with the microservices, and will build the long-desired consistency.
  • Establish common, repeatable coding standards – The repeatable coding standards must be set up right from the developing stage. It will reduce certain divergences that might lead to exploitable vulnerabilities.
  • Use ‘defense in depth’ to authorize vital services – From our experience, we know that a single firewall is not strong enough to protect our entire software. Thus, enabling a multi-factor authentication method, which places multiple layers of security controls is an effective way to ensure a robust security level.
  • Use automatic security updates – This is crucial and easy to set up.
  • Review microservices code – Having multiple experts reviewing the code is a great way of making sure that errors have not slipped through the cracks.
  • Deploy an API gateway – If you expose one or more APIs for external access, then deploying an API gateway could reduce security risks. Moreover, you need to make sure that all API traffic is being encrypted using TSL. Actually, TSL should be used for all internal communications, right from the beginning to ensure the security of your systems.
  • Use intrusion tools and request fuzzers – We all know that it is better to find issues before an attacker does. So, the technique ‘fuzz’ is a method that finds code vulnerabilities by sending large quantities of random data to the systems. This approach will ultimately highlight if the code could be compromised and what could cause it to fail. 

Now that we’re all set with the security measures required for building a microservices, I would like to make a quick overview of the benefits that this innovative architecture has to offer:

  • Fewer dependencies between teams
  • Run multiple initiatives in parallel
  • Support various technologies, frameworks, or languages
  • Promotes ease of innovation through disposable code 

Besides the tangible advantages named above, microservices are delivering increased value to your business, such as agility, comprehensibility of the software systems, independent deployability of components, and organizational alignment of services.

I hope that this article will help you build a secure microservices architecture that will add value to your business. 

About the Author

Rick Blaisdell is an experienced CTO, offering cloud services and creating technical strategies, which reduce IT operational costs and improve efficiency. He has 20 years of product, business development, and high-tech experience with Fortune 500 companies, developing innovative technology strategies.