Cloud Native Blog - Container Solutions

Microservice Insecurity

Written by Sam Newman | Jul 5, 2017 4:18:24 AM

So here's the thing. Microservices are everywhere right now. You see them mentioned at talks, they have their own conferences, vendors are tripping over themselves to brand their products 'microservice ready'. Beneath this hype lies a useful architectural style - not a universal cure for all ills.

Microservice architectures can provide a number of benefits. Increasing autonomy of teams, helping ship software faster, handling scale more efficiently than other architectures, and making it much easier to adopt new technology. But it all comes with a cost.

Both in my book and in subsequent talks, I have attempted to bring the downsides associated with microservice architectures to the fore, so they can be better understood and addressed. Fundamentally, microservice architectures are just a form of distributed system, so all the associated challenges come along for the ride - CAP, distributed transactions, diverging clocks, breaking contracts. Microservices also though exist in a world where the technology landscape is also rapidly changing, so people also have to wade through a myriad number of different options for how they handle deployment, testing, monitoring, service communication and more.

Ultimately this is why I have tried to consistently talk about adopting microservices as being a trade off - they bring some great things to to the table, but they bring a lot of baggage too. Without understanding both the pros and the cons, you're not going to be able to make a rational decision regarding whether or not they are right for you.

In the arena of security, microservices bring some powerful benefits. The ability to isolate execution of different processes, and isolate the data used in these processes, give you the ability to apply defence in depth for your systems, theoretically making them more secure than their monolithic counterparts. But at the same time a move to a microservice architecture can increase the surface area of attack. Understanding this tradeoff is becoming increasingly important, especially as people become more and more aware of the importance of building secure systems.

As I've spoken to teams across the world over the past few years, it's become clear to me that as an industry, we all too often push security concerns out of our minds, and assume the security can just be "added later" by some experts. The reality is that with a microservice architecture that having a basic understanding of application security principles is key to making the right architectural choices.

It's due to this that I have spent more time trying to articulate a base level of application security that I think is important for developers and architects to have when building a microservice architecture. I'm going to be exploring this topic in more detail in a webinar tomorrow, and after that joining forces with Adrian Mouat to deliver public courses in both Amsterdam and London over the coming months. I hope you can join me!