Enterprise Security as Microservice – A Key Digital Transformation Step to Reuse the Security Investments

This article is intended to provide an architecture and design point of view on transforming your legacy enterprise security investment as Microservice and enable the security as service capability within your digital application landscape deployed to the next generation container farm using the commonly available open source technology frameworks and Microservice architecture guidelines.

This article is going to apply the following sequential story flow

1.      Address the concerns and establish a case

2.      Baseline the concept requirements

3.      Ideate the concept using a solution approach

4.      Close the talk with a final note

Security Concerns in the Microservice Based Digitally Transformed Application Landscape

Business has invested millions of dollar and thousands of hours of experienced manpower to establish the security as an enterprise asset. Enterprise security is one the mission-critical capability of the company in protecting the core business assets and the customer data.

As we move forward with the digital transformation of the enterprise applications, we wanted to make sure the security is a critical consideration to ensure the program success. Digitally transformed applications are stateless or even in server-less in nature. They are based on Microservice architecture principle and run in virtualized infrastructure containers. Microservice applications are micro in nature [single responsibility principle] of the exposed functionality. Microservices expose their functionality as stateless APIs, they build their computational context based on the consumer initiated API calls or the events consumed via their dump pipe interfaces.

Business processes orchestrated using Microservice architecture has to be executed in a stateless collaborative mode using the API collaborations approach – mean execute each step of the business process by invoking the APIs of the exposed Microservice functionality.

In order for the Microservice to trust and process the consumer request, it should have access to the consumer’s security identity as a portable container which can be received as part of the functional request and should be exchanged between the services during the stateless API collaboration.

Extending the enterprise security to the microservice farm in microservice form is an essential early step we have to consider for our digital transformation. So let us define some of the security transformation requirements to make it fit for the microservice based application landscape.

The Requirements In a Nutshell

In order for us to successfully extend the enterprise security capability to the microservice farm, we need to transform the enterprise security as a microservice enabled capability so that digital consumers and microservice based business process orchestration can access the security function as APIs. The transformed security service should provide the basic security functions such as authentication and authorization and the following extract capability to support the security considerations of the end-to-end business process flows in the digital context.

1.      Support the integration with all the existing security store and protocols using a pluggable integration architecture. Reusing the existing enterprise security investment is a mission-critical success factor.

2.      Support the integration with any new security store using a pluggable integration architecture. Extensibility is a good ROI

3.      Support the integration with a security service data store to extend the authorization data specific to the microservice applications. This will help to customize the authorization data at the microservice level without bugging the legacy security stores.

4.      Deliver the authenticated security context as a portable, encrypted, stateless entity, which can be received by the digital consumers as a security token and can be used by the digital consumers to invoke digitally exposed products and services.

5.      Support the verification of the ported security context so that business Microservices can assert the verification of the portable security context they have received via the API invocation before executing the business functionality for the digital consumer and ensure the right authentication and authorization of the consumer to access business functionality and the associated data.

The Concept

Let us see whether we can put together the concept in a simple diagram and minimum flow. 

The diagram above shows the conceptual transformation of the enterprise security as microservice and the integration of the same capability to enable the secured consumption of the digitally exposed products and services.

The sequential flow-1 demonstrates the execution of a digital consumer security context verification using supported authentication mechanism and creating a portable stateless, encrypted security context.

The sequential flow 2 demonstrates the consumption of digitally exposed business products and services by the authentication digital consumer. The second flow also demonstrates how the API based Microservice composition work together with the portable security context to execute the business processes associated with the digital products and services.

The Solution Realization

Let us try to put together the solution. In order for us to demonstrate the solution realization we are going to use some of the proven open source technology frameworks as explained below.

1.      Establish the API gateway as a front-end firewall framework to protect the access to the business services.

2.      Establish the gateway service using spring boot based gateway Microservice approach

3.      Extend the gateway functionality to filter the security and business service invocations by the digital consumers using gateway and filter patterns.

4.      Establish the security Microservice using the spring security framework.

5.      Enable the security service to support the numerous security protocols such as SAML, LDAP, AUTH2 and KERBEROS to cover current and future security provider’s requirements

6.      Use the JWT token framework to deliver the authenticated security context as a portable, encrypted entity

7.      Enable the business service requirements using spring boot and .NET core frameworks and provide the flexibility of technology choices in Microservice based application transformation.

8.      Externalize the configuration using a config service and implement the same using spring boot framework.

9.      Extend the security context verification as a service to service collaboration functionality between the business services and the security service.

10.  Deploy the whole solution to a DOCKER based container farm for the scalability and availability.

The diagram below provides the solution relation details using the above mentioned open source frameworks.

The solution flow is composed of the following details and notations

Solution ROI and TCO

Let us look into some of the ROI and TCO factors of this solution

1. Reuse of the enterprise assets
2. Low-cost implementation
3. Scalable and extensible

Final Note

Digital transformation is not the PPT or youtube video talk. It is all about transforming the business for tomorrow’s digital channel and the competitive market. The only way to achieve digital transformation is by transforming your core business applications using next-generation technology capability so that your products and services can be enabled across all the digital channels throughout the worldwide market. You current security investment is the result of decades-old effort, extending the current security asset to the digital landscape is one of the core success factors of your digital transformation program. Today, open source technologies help us to achieve such mission-critical transformation steps without spending a lot of money. Be real and achieve the digital transformation using digital engineering projects based on the open architecture and next-generation technologies and stop talking the repeated fancy words.