Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Microservices at API Gateway using Clo...

Abhisek Datta
June 06, 2020
Technology
1
390

Securing Microservices at API Gateway using Cloud Native Solutions

Authentication and authorization in a microservices environment is non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There has been multiple cases where authorization controls implemented for one application was missed for another application with similar feature and data access resulting in a breach.

We present a solution along with a proof of concept implementation for the problem described above — To be able to perform authentication and authorization for microservices in the API Gateway itself.

Abhisek Datta

June 06, 2020
Tweet

More Decks by Abhisek Datta

See All by Abhisek Datta
Kubernetes from an Attacker's Perspective - fwd:CloudSec 2020
abhisek
0
390
Kubernetes 101 for Penetration Testers - null Mumbai
abhisek
6
3.8k
Kubernetes From an Attacker's Perspective
abhisek
4
7.1k
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
510
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
710
Towards Verifiable Infrastructure Security
abhisek
0
180
Your Internet Exposure the Makes You Vulnerable
abhisek
0
190
Towards Verifiable Infrastructure Security
abhisek
0
66
Mobile Appsec from an attacker's perspective
abhisek
0
500

Other Decks in Technology

See All in Technology
【若手エンジニア応援LT会】AWS Security Hubの活用に苦労した話
kazushi_ohata
0
170
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
210
Datachain会社紹介資料(2024年11月) / Company Deck
datachain
3
16k
ネット広告に未来はあるか?「3rd Party Cookie廃止とPrivacy Sandboxの効果検証の裏側」 / third-party-cookie-privacy
cyberagentdevelopers
PRO
1
130
話題のGraphRAG、その可能性と課題を理解する
hide212131
4
1.5k
新R25、乃木坂46 Mobileなどのファンビジネスを支えるマルチテナンシーなプラットフォームの全体像 / cam-multi-cloud
cyberagentdevelopers
PRO
1
130
国土交通省 データコンペ参加者向け勉強会
takehikohashimoto
0
120
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
630
プロダクトエンジニアが活躍する環境を作りたくて 事業責任者になった話 ~プロダクトエンジニアの行き着く先~
gimupop
1
480
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170

Featured

See All Featured
Code Reviewing Like a Champion
maltzj
519
39k
Building Your Own Lightsaber
phodgson
102
6.1k
A Tale of Four Properties
chriscoyier
156
23k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Building Adaptive Systems
keathley
38
2.2k
Being A Developer After 40
akosma
86
590k
How GitHub (no longer) Works
holman
311
140k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Navigating Team Friction
lara
183
14k
Teambox: Starting and Learning
jrom
132
8.7k
Side Projects
sachag
452
42k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
167
49k

Transcript

  1. Securing Microservices at API Gateway Using Cloud Native Solutions Abhisek

    Datta Head, Security Products Appsecco

  2. Nullcon Webinars

  3. About Me – Abhisek Datta • Head, Security Products (appsecco.com)

    • Application & Cloud Security • Kubernetes Cluster Security Assessments • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in enterprise software and credited with CVE • Open Source Contributor • https://github.com/abhisek @abh1sek

  4. 1. The need for centralized Authentication and Authorization 2. Understand

    the role of API Gateway as a Security Gate 3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation Key Take Away

  5. This is not an introduction to Microservices We will look

    at an approach for securing Microservices using API Gateway as a Security Gate Learn more about Microservices https://microservices.io/

  6. AuthN & AuthZ in Microservices Identity Provider Client Oauth2 +

    OIDC Reverse Proxy Identity (JWT) Services Authentication & Authorization Established Trust

  7. API Gateway How do the clients of a Microservices- based

    application access the individual services?

  8. 1. Authenticate a request 2. Authorize a request 3. Route

    the request to backend microservice AuthN and AuthZ in API Gateway

  9. • API Gateway • Traefik https://containo.us/traefik/ • Policy Management and

    Enforcement • Open Policy Agent https://www.openpolicyagent.org/ Our Choice of Technology

  10. What we want to achieve

  11. Demo • This is a minimal proof of concept implementation

    for demonstration • It should not be considered for production use as is.

  12. Let's look inside the code

  13. • Use as a reverse proxy • Use dynamic configuration

    discovery • Routing and Load Balancing • Middlewares • https://docs.traefik.io/ Learning Traefik API Gateway

  14. • Introduction to Open Policy Agent • https://www.openpolicyagent.org/docs/latest/ • Rego

    Playground • https://play.openpolicyagent.org/ • Running Open Policy Agent (Lib/Server/Interactive) • https://www.openpolicyagent.org/docs/latest/#running-opa • Open Policy Agent for Kubernetes Admission Control • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/ Learning Open Policy Agent

  15. • Proof of Concept Implementation • https://github.com/appsecco/opa-traefik-microservice-authz • Microservices Authorization

    using Open Policy Agent and Traefik (API Gateway) • https://blog.appsecco.com/microservices-authorization-using- open-policy-agent-and-traefik-api-gateway-ae30f3bf2846 Resources

  16. Questions? [email protected] That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek