Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Microservices at API Gateway using Clo...

Abhisek Datta
June 06, 2020
Technology
1
390

Securing Microservices at API Gateway using Cloud Native Solutions

Authentication and authorization in a microservices environment is non-trivial to implement correctly. This becomes especially true when identity and authorization controls are distributed across different applications. There has been multiple cases where authorization controls implemented for one application was missed for another application with similar feature and data access resulting in a breach.

We present a solution along with a proof of concept implementation for the problem described above — To be able to perform authentication and authorization for microservices in the API Gateway itself.

Abhisek Datta

June 06, 2020
Tweet

More Decks by Abhisek Datta

See All by Abhisek Datta
Kubernetes from an Attacker's Perspective - fwd:CloudSec 2020
abhisek
0
390
Kubernetes 101 for Penetration Testers - null Mumbai
abhisek
6
3.8k
Kubernetes From an Attacker's Perspective
abhisek
4
7.1k
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
510
Application Security Workflow Automation using Docker and Kubernetes
abhisek
0
720
Towards Verifiable Infrastructure Security
abhisek
0
190
Your Internet Exposure the Makes You Vulnerable
abhisek
0
190
Towards Verifiable Infrastructure Security
abhisek
0
66
Mobile Appsec from an attacker's perspective
abhisek
0
500

Other Decks in Technology

See All in Technology
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
170
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.2k
Platform Engineering for Software Developers and Architects
syntasso
1
520
The Rise of LLMOps
asei
7
1.7k
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130
The Role of Developer Relations in AI Product Success.
giftojabu1
0
140
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
430
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Thoughts on Productivity
jonyablonski
67
4.3k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
A designer walks into a library…
pauljervisheath
204
24k
BBQ
matthewcrist
85
9.3k
Building an army of robots
kneath
302
43k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k

Transcript

  1. Securing Microservices at API Gateway Using Cloud Native Solutions Abhisek

    Datta Head, Security Products Appsecco

  2. Nullcon Webinars

  3. About Me – Abhisek Datta • Head, Security Products (appsecco.com)

    • Application & Cloud Security • Kubernetes Cluster Security Assessments • TechWing @ null0x00 (null.co.in) • An Open Security Community • Security Researcher • Discovered vulnerabilities in enterprise software and credited with CVE • Open Source Contributor • https://github.com/abhisek @abh1sek

  4. 1. The need for centralized Authentication and Authorization 2. Understand

    the role of API Gateway as a Security Gate 3. Proof of Concept Implementation using Traefik as API Gateway and Open Policy Agent (OPA) for policy management and evaluation Key Take Away

  5. This is not an introduction to Microservices We will look

    at an approach for securing Microservices using API Gateway as a Security Gate Learn more about Microservices https://microservices.io/

  6. AuthN & AuthZ in Microservices Identity Provider Client Oauth2 +

    OIDC Reverse Proxy Identity (JWT) Services Authentication & Authorization Established Trust

  7. API Gateway How do the clients of a Microservices- based

    application access the individual services?

  8. 1. Authenticate a request 2. Authorize a request 3. Route

    the request to backend microservice AuthN and AuthZ in API Gateway

  9. • API Gateway • Traefik https://containo.us/traefik/ • Policy Management and

    Enforcement • Open Policy Agent https://www.openpolicyagent.org/ Our Choice of Technology

  10. What we want to achieve

  11. Demo • This is a minimal proof of concept implementation

    for demonstration • It should not be considered for production use as is.

  12. Let's look inside the code

  13. • Use as a reverse proxy • Use dynamic configuration

    discovery • Routing and Load Balancing • Middlewares • https://docs.traefik.io/ Learning Traefik API Gateway

  14. • Introduction to Open Policy Agent • https://www.openpolicyagent.org/docs/latest/ • Rego

    Playground • https://play.openpolicyagent.org/ • Running Open Policy Agent (Lib/Server/Interactive) • https://www.openpolicyagent.org/docs/latest/#running-opa • Open Policy Agent for Kubernetes Admission Control • https://www.openpolicyagent.org/docs/latest/kubernetes-introduction/ Learning Open Policy Agent

  15. • Proof of Concept Implementation • https://github.com/appsecco/opa-traefik-microservice-authz • Microservices Authorization

    using Open Policy Agent and Traefik (API Gateway) • https://blog.appsecco.com/microservices-authorization-using- open-policy-agent-and-traefik-api-gateway-ae30f3bf2846 Resources

  16. Questions? [email protected] That’s all for now.. https://appsecco.com @abh1sek github.com/abhisek