You're reading from Building Microservices with .NET Core

Product type: Book
Published in: Jun 2017
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781785887833
Edition: 1st Edition
Authors (3):

Gaurav Aroraa

Gaurav Aroraa holds an M.Phil in computer science. He is a Microsoft MVP, a lifetime member of the Computer Society of India (CSI), a certified scrum trainer/coach, and certified by XEN for ITIL-F and by APMG for PRINCE-F and PRINCE-P. Gaurav serves as a mentor at IndiaMentor, is an open source developer and contributor to TechNet Wiki, and is a co-founder of Innatus Curo Software LLC. In his 19+ years in the industry, he has mentored thousands of students and industry professionals. You can tweet Gaurav at his Twitter handle, @g_arora.

Lalit Kale

Lalit Kale is a technical architect and consultant with more than 12 years of industry experience. Lalit has helped clients achieve tangible business outcomes through the implementation of best practices in software development. He is a practitioner of TDD and DDD, and a big believer in agile and lean methodologies. He has worked with several organizations, from start-ups to large enterprises, in making their systems successful, be it in-house or mission critical, with clients in the USA, the UK, Germany, Ireland, and India. His current interests include container technologies and machine learning using Python. He holds a bachelor's degree in engineering (IT).

Manish Kanwar

Manish Kanwar completed his master of science in computer applications at MD University, India, and is a co-founder of Innatus Curo Software LLC, with a presence in India. He has been working in the IT industry across domains for the last 17 years. He started exploring .NET right from its first release and has been glued to it ever since. His range of experience includes global wealth management (financial services industry, USA), life insurance (insurance industry, USA), and document management systems (DMS) and ECMS in India. Manish does his bit for the community by helping young professionals through the IndiaMentor platform.

Chapter 6. Security

Security is one of the most important cross-cutting concerns for web applications. Unfortunately, data breaches at well-known sites are common news these days, so information and application security has become critical to web applications and can no longer be an afterthought. Security is everyone's responsibility in an organization.

Monolithic applications expose a smaller attack surface than microservices: there is one process, one set of endpoints, and one authentication boundary to defend. Microservices, however, are distributed systems by nature and, in principle, are isolated from each other, so compromising one well-implemented service does not automatically hand an attacker the whole system. In that sense, well-implemented microservices can be more resilient than a monolith, but the larger surface (more endpoints and more inter-service calls) means they face different attack vectors, and the microservice architectural style forces us to think differently about security. Let me say upfront, though, that microservice security is a complex domain to understand and implement.

Before we deep dive into...

Security in monolithic applications


To understand microservice security, let's step back and recall how we used to secure .NET monolithic applications. This will help us better grasp why a microservice's authentication and authorization mechanism needs to be different.

The critical mechanisms for securing applications have always been authentication and authorization. Authentication verifies the identity of a user; authorization decides what an authenticated user can or cannot access, which is nothing but permissions. Encryption is the mechanism that protects data as it passes between the client and the server. We are not going to discuss encryption at length; just ensure that everything that goes over the wire is encrypted, which is achieved by serving every endpoint over HTTPS (TLS). Note that HTTPS protects data only in transit: it gives you confidentiality and integrity between the two endpoints and lets the client verify the server's certificate, but it says nothing about who the user is, what they may do, or how the data is protected once it arrives.

The following diagram depicts the flow of a typical authentication and authorization mechanism in .NET monoliths:

In the preceding diagram, we can see that the user enters his or her username...

Security in microservices


Now let's look at the case of microservices. By nature, microservices are distributed systems. There is not a single instance of an application; rather, there are several distinct applications that coordinate with each other to produce the desired output.

Why won't the traditional .NET auth mechanism work?

One possible approach to microservice security might be to mimic the behavior of the auth layer in a monolith. This could be depicted as follows:

In this approach, we distribute the auth layer and give every microservice its own copy. Since each microservice is a separate application, each needs its own auth mechanism, which inherently means that the user credential store is also different for every microservice. This raises many questions: how do we keep the auth in sync across all services? How do we validate inter-service communication, or are we skipping it altogether? We have no satisfactory answers to these questions. Hence...

Summary


The microservice architectural style, being distributed by design, gives us better options to protect valuable, business-critical systems. Traditional .NET-based authentication and authorization techniques are not sufficient and cannot be applied as-is to the microservice world. We also saw why secure-token-based approaches, such as OAuth 2.0 and OpenID Connect 1.0, are becoming the de facto standards for microservice authentication and authorization. If you want more general information on security, visit the Open Web Application Security Project (OWASP) at http://www.owasp.org and the Microsoft Security Development Lifecycle at https://www.microsoft.com/en-us/sdl/. Azure AD supports OAuth 2.0 and OpenID Connect 1.0. Azure API Management can also act as an API gateway in a microservice implementation and provides useful security features, such as policies.
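The token-based approach summarized here is the answer to the questions raised by the distributed auth layer earlier in the chapter, and it is where the authentication/authorization split described for monoliths ends up living. The following is an added example, not code from the book or its authors: a language-neutral sketch in Python of one identity provider signing a JWT and two independent services validating it locally, with no per-service credential store. The issuer URL, the service names, the `roles` claim and the HS256 demo key are all assumptions; a real OpenID Connect provider such as Azure AD signs with an asymmetric key (RS256) and publishes only the public half, so resource services then hold no secret at all.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (assumptions, not from the book): one issuer and
# one shared HS256 demo key. With RS256, services would hold only the public key.
ISSUER = "https://sts.example.test"
SIGNING_KEY = b"example-only-hs256-key-do-not-reuse"


class TokenError(Exception):
    """Raised by validate_token for any reason a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(subject, audience, roles, ttl=300, now=None):
    """Identity-provider side: authenticate the user once, then sign the claims.

    Only the issuer ever sees a credential store; the services below need just
    the verification key, so there is nothing to keep "in sync" between them.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, expected_audience, now=None):
    """Resource-service side: every check is local; no call back to the issuer."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm instead of trusting whatever the token's header says.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("untrusted issuer")
    # The audience claim scopes a token to one service: a token accepted by the
    # orders service must not be replayable against the payments service.
    if claims.get("aud") != expected_audience:
        raise TokenError("token not issued for this service")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    return claims


def authorize(claims, required_role):
    """Authorization is a separate step: identity is known, now check permission."""
    return required_role in claims.get("roles", [])


def _rejected(token, audience, now):
    try:
        validate_token(token, audience, now=now)
    except TokenError:
        return True
    return False


def demo(now=1_700_000_000):
    """Constructed scenario: user alice calls the orders service. Returns a dict
    of outcomes so the behaviour can be checked rather than only printed."""
    token = issue_token("alice", "orders-service", ["orders.read"], now=now)
    claims = validate_token(token, "orders-service", now=now)
    # Attempt a privilege escalation by editing the claims without re-signing.
    header_b64, claims_b64, sig_b64 = token.split(".")
    forged_claims = json.loads(_b64url_decode(claims_b64))
    forged_claims["roles"] = ["orders.admin"]
    forged = header_b64 + "." + _encode_json(forged_claims) + "." + sig_b64
    return {
        "orders_accepts": authorize(claims, "orders.read"),
        "orders_denies_admin": not authorize(claims, "orders.admin"),
        "payments_rejects_wrong_aud": _rejected(token, "payments-service", now),
        "rejects_tampered_roles": _rejected(forged, "orders-service", now),
        "rejects_expired": _rejected(token, "orders-service", now + 600),
    }
```

Calling `demo()` walks the whole flow: the orders service accepts alice's token and enforces her role, the payments service rejects the same token because the `aud` claim is not its own, a token whose `roles` claim was edited fails the signature check, and a token presented after its `exp` is rejected. The point the chapter makes is visible in what each side holds: the issuer holds the credential store, every service holds only the verification key and its own audience name, and inter-service calls are validated by minting a token whose audience is the callee rather than by forwarding a user's token unchanged.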

Azure AD and Azure API management provide quite a few powerful capabilities to monitor and log the requests received...

