Microservices security & tracking

Security:

  • AAA: Authentication, Authorization, Accounting/Auditing
  • Secure interprocess communication (TLS)

Security frameworks:

  • Passport.js: Node.js authentication middleware (authorization is left to the application)
  • Spring Security/Apache Shiro: Java frameworks for Authentication/Authorization

Authentication security context:

  • In-memory: The security context lives in the process that authenticated the request, so it can only be used within that same process.
  • Centralized session: The session is stored externally, such as in a database or cache, so any service instance can look it up. Eg: The API gateway authenticates the client against an authentication service and passes downstream an API token that services resolve against the shared store.

Authorization:

  • Opaque tokens, such as random UUIDs. Every service must call back to the token issuer to resolve one, which adds latency to each request and makes the issuer's availability a dependency of every service.
  • Transparent tokens. Eg: JWT (JSON Web Token), a widely used standard. A JWT is self-contained (signed claims such as subject, roles and expiry), so a service can verify it locally without a round trip. The flip side is that it cannot be revoked before it expires, hence short expiration times and periodic reissue.
  • OAuth 2.0: An Authorization Server issues a short-lived access token and a refresh token used to obtain new access tokens. Eg framework: Spring Security OAuth, which can issue access tokens in JWT form.
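
Added example (not from the book or this article): a minimal HS256 JWT mint/verify in Go using only the standard library, to make the trade-offs above concrete. The verifier pins the algorithm to HS256 (so an `alg: none` header or a swapped algorithm fails), compares the signature in constant time and checks `exp`. The secret, subject and 10-minute lifetime are illustrative values chosen for the example. Note what is absent: nothing can revoke a minted token before `exp`, which is why lifetimes must be short.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this example checks.
type Claims struct {
	Sub string `json:"sub"` // subject (user id)
	Exp int64  `json:"exp"` // expiry, seconds since the Unix epoch
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// sign computes the HS256 tag over "header.payload".
func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// MintJWT issues a self-contained HS256 token valid for ttl from now.
// Because the token carries everything the verifier needs, nothing stored
// server-side can later invalidate it: ttl is the only revocation mechanism.
func MintJWT(secret []byte, sub string, now time.Time, ttl time.Duration) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(Claims{Sub: sub, Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + sign(secret, signingInput), nil
}

// VerifyJWT rejects malformed tokens, any alg other than HS256 (so "none" and
// algorithm-confusion tricks fail), bad signatures and expired tokens.
func VerifyJWT(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	// Check the signature before trusting anything in the payload.
	expected := sign(secret, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil || c.Exp == 0 {
		return nil, errors.New("bad payload or missing exp")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	secret := []byte("example-only-secret") // assumption: a real key comes from a secret store
	t0 := time.Unix(1700000000, 0)
	tok, _ := MintJWT(secret, "alice", t0, 10*time.Minute)
	for _, at := range []time.Duration{30 * time.Second, 11 * time.Minute} {
		_, err := VerifyJWT(secret, tok, t0.Add(at))
		fmt.Printf("verify after %v: err=%v\n", at, err)
	}
	// "Logging out" alice changes nothing about tok: it verifies until exp.
}
```

A production service would normally use a maintained JWT library and an asymmetric algorithm (RS256/ES256) so that only the authorization server holds the signing key while every service can verify; the checks shown here are the ones that library must be configured to enforce.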

Externalized configuration:

  • Push model: The deployment infrastructure pushes configuration into the service, e.g. as environment variables or properties files that Spring Boot reads at startup.
  • Pull model: The service reads its configuration from a configuration server at startup. Eg: A database, a version control system or a dedicated configuration server.

Storing credentials and other sensitive data using a configuration server:

Benefits: centralized config, transparent decryption of values stored encrypted, dynamic reconfiguration without redeploying.

  • Hashicorp Vault
  • AWS Parameter Store
  • Spring Cloud Config Server
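
Added example (not from the book or this article) of the transparent decryption a configuration server provides, written in Go: values committed as `{cipher}...` (the marker convention Spring Cloud Config uses for encrypted properties) are decrypted with AES-256-GCM when the configuration is loaded, while plain values pass through untouched. The property name is bound as GCM associated data, so a ciphertext cut from one property and pasted under another fails to decrypt. The key, property names and values are constructed for the example; in practice the key is supplied out of band (environment, KMS, Vault) and never stored beside the configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

const cipherPrefix = "{cipher}" // marker for encrypted values, as in Spring Cloud Config

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptValue seals plaintext with AES-256-GCM and returns
// "{cipher}" + base64(nonce || ciphertext || tag). The property name is
// authenticated as associated data so the ciphertext is bound to that property.
func EncryptValue(key []byte, name, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(name))
	return cipherPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// LoadConfig returns a copy of raw in which every "{cipher}..." value has been
// decrypted; plain values pass through unchanged. An undecryptable value is an
// error, never silently handed to the application as the ciphertext string.
func LoadConfig(key []byte, raw map[string]string) (map[string]string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(raw))
	for name, v := range raw {
		if !strings.HasPrefix(v, cipherPrefix) {
			out[name] = v
			continue
		}
		sealed, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v, cipherPrefix))
		if err != nil || len(sealed) < aead.NonceSize() {
			return nil, fmt.Errorf("%s: malformed ciphertext", name)
		}
		nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
		pt, err := aead.Open(nil, nonce, ct, []byte(name))
		if err != nil {
			return nil, fmt.Errorf("%s: decryption failed (wrong key, tampered, or moved property)", name)
		}
		out[name] = string(pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // assumption: the real key is loaded from the environment or a KMS
	io.ReadFull(rand.Reader, key)
	enc, _ := EncryptValue(key, "db.password", "s3cret")
	// Constructed config as it might sit in a git-backed config repository.
	raw := map[string]string{"db.url": "jdbc:postgresql://db/orders", "db.password": enc}
	cfg, err := LoadConfig(key, raw)
	fmt.Println(cfg["db.url"], cfg["db.password"], err)
}
```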

Observing & Tracking:

  • Health check API
  • Log aggregation: Centralized logging system such as the ELK stack (Elasticsearch, Logstash, Kibana), Fluentd, Apache Flume or AWS CloudWatch Logs. Redact credentials and tokens before they reach the aggregator: a central log store is one place from which every leaked secret can be harvested.
  • Distributed tracing: A trace id is passed between services in request headers so one request can be followed across the whole system. Common propagation standard: Zipkin's B3 headers (X-B3-TraceId, X-B3-SpanId, X-B3-ParentSpanId, X-B3-Sampled). Instrumentation libraries such as Spring Cloud Sleuth use AOP-style interception to create spans and add the trace id to log lines automatically. Distributed tracing servers such as Zipkin (originally from Twitter; it receives spans over HTTP or a message broker and stores them in a database) or AWS X-Ray.
  • Exception tracking. Eg: Exception tracking services such as Honeybadger (hosted) or Sentry (open source, can be deployed in-house).
  • Application metrics: Eg: Micrometer for collection in JVM applications. AWS CloudWatch metrics use a push model (the service sends metrics); Prometheus (open source) uses a pull model (the server scrapes an endpoint the service exposes), with Grafana as the visualization tool.
  • Audit logging: Record who performed which action on what, when, and with what outcome. This is the Accounting part of AAA and the evidence incident responders will ask for.
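
Added example (not from the book or this article): B3 header propagation in Go with net/http. Inbound X-B3-TraceId/X-B3-SpanId values are validated before use, a child span is started with the caller's span as parent (an assumption of this example; Zipkin's original model also allows client and server to share one span id), and the context is injected into the outbound headers. The header values are constructed. The validation step is the check a practitioner wants: these headers are set by whoever calls you, and without it their content flows unfiltered into every log line and the trace store.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"regexp"
)

// SpanContext is the trace state carried across service boundaries.
type SpanContext struct {
	TraceID  string // 32 hex chars (128-bit) or 16 (64-bit)
	SpanID   string // 16 hex chars
	ParentID string // 16 hex chars, empty for a root span
	Sampled  bool
}

var (
	hex16or32 = regexp.MustCompile(`^([0-9a-f]{16}|[0-9a-f]{32})$`)
	hex16     = regexp.MustCompile(`^[0-9a-f]{16}$`)
)

func randomHex(nbytes int) string {
	b := make([]byte, nbytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// ExtractB3 reads the multi-header B3 format from an incoming request.
// Ids are validated: a caller controls these headers, and an unvalidated value
// would otherwise be copied verbatim into downstream logs and the trace store.
func ExtractB3(h http.Header) (SpanContext, bool) {
	traceID, spanID := h.Get("X-B3-TraceId"), h.Get("X-B3-SpanId")
	if !hex16or32.MatchString(traceID) || !hex16.MatchString(spanID) {
		return SpanContext{}, false
	}
	parent := h.Get("X-B3-ParentSpanId")
	if parent != "" && !hex16.MatchString(parent) {
		return SpanContext{}, false
	}
	return SpanContext{TraceID: traceID, SpanID: spanID, ParentID: parent, Sampled: h.Get("X-B3-Sampled") == "1"}, true
}

// StartServerSpan continues the caller's trace when valid B3 headers are present,
// otherwise starts a new root trace. The incoming span becomes the parent of ours.
func StartServerSpan(incoming http.Header) SpanContext {
	if parent, ok := ExtractB3(incoming); ok {
		return SpanContext{TraceID: parent.TraceID, SpanID: randomHex(8), ParentID: parent.SpanID, Sampled: parent.Sampled}
	}
	return SpanContext{TraceID: randomHex(16), SpanID: randomHex(8), Sampled: true}
}

// InjectB3 writes the span context onto an outgoing request's headers.
func InjectB3(h http.Header, sc SpanContext) {
	h.Set("X-B3-TraceId", sc.TraceID)
	h.Set("X-B3-SpanId", sc.SpanID)
	if sc.ParentID != "" {
		h.Set("X-B3-ParentSpanId", sc.ParentID)
	}
	sampled := "0"
	if sc.Sampled {
		sampled = "1"
	}
	h.Set("X-B3-Sampled", sampled)
}

func main() {
	// Constructed inbound headers, as an API gateway would send them.
	in := http.Header{}
	in.Set("X-B3-TraceId", "463ac35c9f6413ad48485a3953bb6124")
	in.Set("X-B3-SpanId", "a2fb4a1d1a96d312")
	in.Set("X-B3-Sampled", "1")
	sc := StartServerSpan(in)
	out := http.Header{}
	InjectB3(out, sc)
	fmt.Printf("log line: trace=%s span=%s parent=%s\n", sc.TraceID, sc.SpanID, sc.ParentID)
	fmt.Println("outgoing headers:", out)
}
```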

Robustness:

  • Handle failure with network timeouts, a bound on the number of outstanding requests, and a circuit breaker: once the failure rate crosses a threshold, fail subsequent requests immediately instead of waiting on a dead dependency, then probe periodically to see whether it has recovered.
  • Frameworks: Netflix Hystrix (JVM; now in maintenance mode, with Resilience4j the usual replacement), Polly (.NET).
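
Added example (not from the book or this article): a three-state circuit breaker in Go with an injectable clock. It trips open after a configurable run of consecutive failures, fails fast during a cool-down, then lets exactly one probe through (half-open) to decide whether to close again or re-open. The threshold and cool-down are illustrative values; the wrapped call is expected to apply its own timeout so that a hung dependency surfaces as a failure instead of blocking the breaker.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

type State int

const (
	Closed   State = iota // requests flow; consecutive failures are counted
	Open                  // requests fail fast without calling the dependency
	HalfOpen              // one trial request is allowed to probe recovery
)

func (s State) String() string { return [...]string{"closed", "open", "half-open"}[s] }

var ErrOpen = errors.New("circuit open: failing fast")

// Breaker trips after failureThreshold consecutive failures and fails fast for
// openFor; after that a single probe decides whether to close again or re-open.
type Breaker struct {
	mu               sync.Mutex
	state            State
	failures         int
	failureThreshold int
	openFor          time.Duration
	openedAt         time.Time
	now              func() time.Time // injectable clock so the behaviour can be tested
}

func NewBreaker(failureThreshold int, openFor time.Duration, now func() time.Time) *Breaker {
	if now == nil {
		now = time.Now
	}
	return &Breaker{failureThreshold: failureThreshold, openFor: openFor, now: now}
}

func (b *Breaker) State() State {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.state
}

// Do runs call under the breaker. Timeouts belong inside call (e.g. via
// context.WithTimeout); a hung call must come back here as an error.
func (b *Breaker) Do(call func() error) error {
	b.mu.Lock()
	switch b.state {
	case Open:
		if b.now().Sub(b.openedAt) < b.openFor {
			b.mu.Unlock()
			return ErrOpen
		}
		b.state = HalfOpen // cool-down elapsed: let one probe through
	case HalfOpen:
		b.mu.Unlock()
		return ErrOpen // a probe is already in flight
	}
	b.mu.Unlock()

	err := call()

	b.mu.Lock()
	defer b.mu.Unlock()
	if err != nil {
		b.failures++
		if b.state == HalfOpen || b.failures >= b.failureThreshold {
			b.state, b.openedAt = Open, b.now()
		}
		return err
	}
	b.state, b.failures = Closed, 0
	return nil
}

func main() {
	clock := time.Unix(0, 0)
	b := NewBreaker(3, 30*time.Second, func() time.Time { return clock })
	upstream := errors.New("upstream timeout") // constructed failure from the dependency
	for i := 0; i < 5; i++ {
		err := b.Do(func() error { return upstream })
		fmt.Printf("call %d: %v (state=%s)\n", i, err, b.State())
	}
	clock = clock.Add(31 * time.Second)
	fmt.Println("probe after cool-down:", b.Do(func() error { return nil }), b.State())
}
```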

Chassis/Mesh:

  • Microservice chassis: A framework or set of frameworks that handles cross-cutting concerns such as configuration, logging, health checks, metrics and circuit breakers. Eg: Spring Boot, Spring Cloud, Go Kit. Drawback: language specific, so every language used in the system needs its own chassis.
  • Service mesh: Networking infrastructure that mediates all traffic between services and takes over much of the chassis's job independently of language. Eg: Linkerd, Istio, Conduit (since merged into Linkerd 2).

Istio Service Mesh features:

  • Traffic management: Service discovery, load balancing, routing rules, circuit breakers.
  • Security: Mutual TLS between sidecars (service identity and encryption in transit) plus authentication and authorization policies
  • Telemetry: Network traffic metrics, distributed tracing
  • Policy enforcement: quotas & rate limits

Service Mesh Control Plane (Istio as described in the book):

  • Pilot: Configures the Envoy proxies in the data plane based on the deployed services. Envoy is a performant proxy that supports multiple protocols (TCP, HTTP, HTTPS, MongoDB, Redis, DynamoDB), terminates TLS and provides interservice features such as automatic retries, rate limiting and circuit breakers. Envoy runs as a sidecar container in the service's pod, so the application code needs no changes.
  • Mixer: Collects telemetry from the Envoy proxies and enforces policies.
  • Caveat: Istio 1.5 merged these components into a single istiod process, and Mixer has since been removed, so current Istio releases no longer match this component list.

Source: Microservices Patterns by Chris Richardson

Author: Swaminathan Saikumar