Microservices are small, containerized application services that perform a single task or a small group of related tasks — unlike traditional, monolithic applications that handle a broad range of tasks. And they are transforming the business application world in ways that are almost entirely positive.
For developers, these tools speed up development and deployment. For end users, they offer performance and flexibility; a microservice can be updated or even replaced by a new one with minimal impact on the rest of the application functionality that it supports.
But this speed, power and flexibility come with security complications that are transforming the application security landscape. Security managers for both developers and end users need to be aware of these complications and plan for them in advance to ensure secure applications and services.
More Surface Area to Attack
As Serdar Yegulalp pointed out at InfoWorld, microservices transform the application security landscape in two fundamental and related ways. First, they communicate via application programming interfaces (APIs) that are independent of machine architecture and even programming language. As a result, they have much more exposed surface than traditional subroutines or functionalities of a large application, which only interacted with other parts of the same application. Therefore, they are exposed to more potential attacks.
DevOps Comes to Security
Moreover, microservices are transforming the development process — accelerating the trend toward DevOps, the blending of application development and operations. Because they are microscaled, they can be built or modified quickly, which is one of the keys to their flexibility. Gone are the days when a new or upgraded application went through months or even years of successive alpha and beta testing before being released to the world.
But the end result is that their security features are not subject to prolonged development testing. To prevent this from becoming a problem, microservices security needs to be ensured throughout the development process.
Application Security Following the Path of Network Security
In the big picture, the impact of microservices on application security has much in common with the transformation of network security in the last decade. Formerly, local networks had only a few connections to the outside world, and securing those endpoints was sufficient; today, with networks having a multitude of entry points, endpoint protection is only the starting point of network security, not the be-all and end-all.
In the same way, applications that are built out of microservices cannot be protected simply by securing their explicit input and output functionalities. These remain crucial, but the security of the microservices themselves and their APIs must also be ensured. This can be a challenge.
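The point above, that checking an application's explicit inputs is not enough once its internals are exposed as APIs, is easiest to see in code. The following is an added example, not code from the original article or from any project it mentions: a toy "orders" service called by a "checkout" service. The weak handler only validates the request body, so any peer that can reach the service on the internal network can place orders; the hardened handler additionally verifies a short-lived HMAC-signed service token that names the calling service. The shared key, the `X-Service-Token` header, the `checkout` and `orders` service names and the request shapes are all constructed for this demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo only; real deployments would use per-service
# credentials (mTLS certificates, a service mesh, or keys issued by a secrets manager).
SERVICE_KEY = b"demo-shared-secret-not-for-production"
# Only these services are allowed to call the orders API (assumed allow-list).
ALLOWED_CALLERS = {"checkout"}


def sign_service_token(caller, ttl=60, now=None):
    """Issue a short-lived token asserting which service is calling (assumed scheme)."""
    now = time.time() if now is None else now
    payload = json.dumps({"svc": caller, "exp": int(now + ttl)}, sort_keys=True).encode()
    mac = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_service_token(token, now=None):
    """Return the calling service name, or None if the token is malformed, forged,
    expired, or names a service that is not allowed to call this API."""
    now = time.time() if now is None else now
    try:
        b64, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVICE_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so MAC checking does not leak timing information.
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now or claims.get("svc") not in ALLOWED_CALLERS:
        return None
    return claims["svc"]


def validate_order(body):
    """Input validation shared by both handlers: schema and value-range checks."""
    return (isinstance(body, dict) and isinstance(body.get("item"), str)
            and isinstance(body.get("qty"), int) and 0 < body["qty"] <= 100)


def handle_order_weak(request):
    """'Before': only the explicit input is checked; any network peer can place orders."""
    if not validate_order(request["body"]):
        return 400, "bad request"
    return 201, f"order created for {request['body']['item']}"


def handle_order_hardened(request, now=None):
    """'After': the internal API also authenticates the calling service."""
    caller = verify_service_token(request["headers"].get("X-Service-Token", ""), now)
    if caller is None:
        return 401, "unauthenticated service call"
    if not validate_order(request["body"]):
        return 400, "bad request"
    return 201, f"order created for {request['body']['item']} (caller={caller})"


def demo():
    """Run both handlers over constructed requests and return the status codes."""
    now = 1_700_000_000  # fixed clock so the demo is deterministic
    good = {"headers": {"X-Service-Token": sign_service_token("checkout", now=now)},
            "body": {"item": "widget", "qty": 2}}
    # Constructed request from an unknown peer on the internal network: no token at all.
    rogue = {"headers": {}, "body": {"item": "widget", "qty": 2}}
    return {
        "weak_rogue": handle_order_weak(rogue)[0],                       # 201: accepted
        "hardened_rogue": handle_order_hardened(rogue, now)[0],          # 401: rejected
        "hardened_good": handle_order_hardened(good, now)[0],            # 201: accepted
        "hardened_expired": handle_order_hardened(good, now + 3600)[0],  # 401: token expired
    }


if __name__ == "__main__":
    print(demo())
```

The input validation is identical in both handlers; the difference is that the hardened version treats the API boundary between two microservices as a trust boundary in its own right, which is exactly the extra surface the article describes. In production the token scheme shown here would normally be replaced by mutual TLS or a service mesh, but the check it performs (who is calling, and are they allowed to) is the same.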
Building in Security From the Start
The good news is that microservices and DevOps simply emphasize a basic and longstanding principle of good security design: Security needs to be built in from the outset, not simply bolted on as an afterthought. The best development teams have always taken security into account as integral to the architecture, and this best practice is now even more of a necessity.
Likewise, end users of services or applications built from microservices cannot regard security as one more line to check off. It needs to be part of the lens through which users view every tool they consider using. Developers and end users that keep these basic principles of application security in mind will benefit from the speed and flexibility of microservices without discovering hidden security flaws the hard way.