How Microservices are Changing the Security Landscape
School of Science (Perustieteiden korkeakoulu)
Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.
Date
2020-12-14
Major/Subject
Security and Cloud Computing
Mcode
SCI3084
Degree programme
Master’s Programme in Computer, Communication and Information Sciences
Language
en
Pages
vi + 67
Abstract
The microservice architecture is an architectural style that structures an application as a collection of fine-grained, self-contained, single-purpose, independently deployable services. Because it is a young and still-evolving architectural style, not all aspects of the microservice architecture have yet been thoroughly analysed in the academic literature, especially compared to the fair amount of professional literature that exists on the subject. Hence, the grey literature provides a valuable resource for understanding the microservice architecture and gaining insight into current practices. Practitioners adopt the microservice architecture to tackle the problems of the monolithic architecture, including security issues. However, the microservice architecture is not a silver bullet and brings its own challenges. Adopting the microservice architecture changes the way security needs to be approached. Microservices have very particular security needs, different from those of a monolithic application, that must be accommodated. This thesis explores these needs and looks into strategies for satisfying them. Both the edge of the microservice application and the communication between microservices within the application need to be secured. Securing the application at the edge should not lead developers to downplay the importance of securing each microservice at the service level and working towards adopting zero-trust security principles, which are evidently gaining popularity in the industry. In the thesis, we discuss end-user and service-to-service access control both at the edge of the deployment and at the edge of the service. Finally, we describe the first step of the incremental process of migrating a monolithic application securely to microservices. We apply the strangler fig migration pattern and extract the identity microservice from the monolith. We evaluate the security of the resulting architecture based on the findings presented in the earlier chapters of the thesis.
Supervisor
Aura, Tuomas
Thesis advisor
Bufalino, Jacopo
Keywords
microservices, security, access control, zero trust, trust engineering, DevSecOps