Cross-Service Authentication Mechanisms in Applications with Microservice Architecture
Abstract
In this article discussed cross-service authentication. It is one of the most important aspects of security in modern applications with microservice architecture. The basic mechanisms of service-to-service authentication, such as tokens and certificates usage, are represented in the article. An example of service-to-service authentication architecture is also given. The article is a useful resource for developers who are working in the field of service-oriented architecture and interesting in security issues. It provides an extensive overview of authentication mechanisms and key points to consider during designing a microservice architecture. The article proposes to use the mutual TLS (mTLS) protocol, which is the most popular way to secure cross-service communication during microservices deploying. In this approach the responsible for the cross-service authentication lies with the mTLS proxy deployed for each microservice of the system. mTLS proxies work as intermediaries between the microservices, accepting requests for a secure communication channel establishment. The proxy approach simplifies the authentication process between two microservices, that can run on different platforms, by using different protocols and data formats. By using the mTLS proxy, the solution is easy to scale, because it is enough to deploy a new instance of the mTLS proxy in case of new microservices appearing in the system. Also, the proxy does not depend on the language or system implementing an associated microservice, which makes the solution universal.
Full Text:
PDF (Russian)References
Dragoni, N., Giallorenzo, S., Lafuente, A.L., Mazzara, M., Montesi, F., Mustafin, R. and Safina, L., 2017. Microservices: yesterday, today, and tomorrow. In Present and Ulterior Software Engineering (pp. 195-216)
Zheng, D. Y. (2018). A survey on security issues in services communication of Microservices-enabled fog applications. John Wiley & Sons, Ltd.
Kai Jandera, Lars Braubachb, Alexander Pokahr. (2018). Defense-in-depth and Role Authentication for Microservice Systems. Procedia Computer Science, 456-463.
Nacha Chondamrongkul, Jing Sun, Ian Warren. (2020). Automated Security Analysis for Microservice Architecture. IEEE International Conference on Software Architecture Companion.
Peter Nkomo, Marijke Coetzee. (2019). Software Development Activities for Secure Microservices. В Computational Science and Its Applications – ICCSA 2019 (стр. 573-585). Springer Nature Switzerland AG 2019.
Ali Rezaei Nasab, Mojtaba Shahin, Seyed Ali Hoseyni Raviz, Peng Liang, Amir Mashmool, Valentina Lenarduzzi. (2022). An empirical study of security practices for microservices systems. The Journal of Systems & Software.
Nadareishvili, I., Mitra, R., McLarty, M. and Amundsen, M., 2016. Microservice Architecture: Aligning Principles, Practices, and Culture. " O'Reilly Media, Inc.".
Indrasiri, K. (2019). Microservice in Practice - Key Architectural Concepts of an MSA.
Chandramouli, R. (б.д.). Security Strategies for Microservices-based Application Systems. 2019: NIST Special Publication 800-204.
Soonhong Kwon, Sang-Jin Son, Yangseo Choi, Jong-Hyouk Lee. (2021). Protocol fuzzing to find security vulnerabilities of RabbitMQ. Special Issue: Convergence of cloud, Internet of Things, and big data: New platforms and applications (FiCloud2019). Transformative computing in security, big data analysis, and cloud computing applications (Transformative2020), Volume33, Issue23.
Kamppuri, T. (2014). MESSAGE BROKERS AND RABBITMQ IN ACTION.
Prabath Siriwardena and Nuwan Dias. (2020). Microservices Security in Action. New York : Manning Publications Co.
Evan Gilman and Doug Barth. (2017). Zero Trust Networks: Building Secure Systems in Untrusted Networks. Sebastopol: O’Reilly Media, Inc.
Siriwardena, P. (2014). Mutual Authentication with TLS. In P. Siriwardena, Advanced API Security (pp. 47-58). Maharagama, Sri Lanka: Apress Berkeley, CA.
M. Jones, J. Bradley, N. Sakimura. (2015). RFC 7519: JSON Web Token (JWT). Internet Engineering Task Force (IETF).
Carlisle Adams, Steve Lloyd. (2003). Understanding PKI: Concepts, Standarts, and Deployment Considerations. Boston: Pearson Education, Inc.
Refbacks
- There are currently no refbacks.
Abava Кибербезопасность IT Congress 2024
ISSN: 2307-8162