MICROSERVICES ASSIGNMENT

2
NAME
COUSECODE
LECTURER NAME
Contents
1. Introduction.........................................................................................................................................2

2.1 Security Challenges of Microservices.....................................................................................................2

2.2 Privacy Issues....................................................................................................................................3

2.3 Reasons of Microservices Security and Privacy Problems.................................................................3

2.5 Microservices Security Benefits for Financial Organizations.............................................................5

Conclusion...................................................................................................................................................5

References...................................................................................................................................................5

1
 1. Introduction
The purpose of the assignment is to analyze the privacy and security aspects of Microservice
architecture. Microservices architecture provides many benefits as compare to monolithic architecture,
however, it privacy and security is often compromised while considering its other benefits. IT provides
faster development and deployment, easy scaling, and platform independent development of different
services, however, there are many security and privacy aspects which needs to be addressed. DevOps
helps to test the system as it is developed, but the quick development and deployment still needs
further security aspects to be tested, if the number of services are more (Verona, 2016).

The report will first define various security challenges that comes with the microservices architecture.
Some of these are multicloud deployment, and multiple access points, centralized management, and
DevOps challenges. Microservices are deployed as cloud services, and an example of how cloud
providers ensures privacy of data is given. There are many mitigation techniques to ensure security and
minimize risks such as using standard protocols, multiple firewall techniques and their centralized
management, and managing security concerns with deploying the containers.

2.1 Security Challenges of Microservices

Some specific challenges of microservices architecture as compare to other monolithic and software
architectures are:

1. Multicloud Deployment: As Microservice architecture are mostly cloud-based system, due to

security reasons, many organization go for multi-cloud strategy, that is, part of system is loaded
on public cloud and more confidential on private cloud. This increases risks of losing control and
management of applications.
2. Isolation of Services: As all the services are loosely coupled and works on principles of
communications through some APIs and other mechanism, the concept of loosely coupled often
makes the security testing skipped. The elimination of the cross-service communication testing
many security and integration problems in the future (Saito, Lee & Wu, 2019).
3. Multiple users and Access Control: The Microservice system must have an administrative
interface which can help solve the entry point’s problem for different types of users. That is the
access control needs to be regulated for all types of users. A single access point must be present
for the administrator to manage all users, services, databases, and APIs (Familiar, 2015).

2
 4. Data Management: During running and execution of microservices architecture based system,
data is generated, moved between different locations, stored in different places, and
continuously interacted with and by some other service, or internally. To avoid breaches
managing all this is challenge. Despite of strong loose coupling and security measures, data
breaches can happen. Malicious users have capabilities to break through the private data paths
("The Top 5 Challenges of Microservices Security", 2020).
5. The quick increments and developed solutions: Microservices are based on small service and
independent service both in terms of functioning and development teams. This make quick
iterative and incremental development and it is necessary to ensure new sets of vulnerabilities
and attacks when new increment comes. Security testing must be continuously performed to
make the service secure and this is the reason why DevOps is used simultaneously with
microservices architecture (Saito, Lee & Wu, 2019).

2.2 Privacy Issues

Privacy is one of the main component when designing the software irrespective of type of architecture.
It is defined as condition or state of hiding the presence or view. It includes End to End security and is
involved in complete software development cycle, starting from collection of data to destruction of all
the processes. The privacy state should be attained where confidential and important data is kept. In
microservices, privacy is require in attaining data, user identity, and controls. Often microservices are
deployed on cloud and that involves multiple identity providers, and Service providers. Strong privacy
mechanisms are required to manage private data. The cloud providers normally provides three option to
the customers to select from, which defines different levels of security for example encryption method
which helps them to choose the key and store it in their choice of place ("Overcoming Data Security
Challenges in a Hybrid, Multicloud World", 2020). The developers must ensure the authentication and
authorization process also, as in cloud based system, this part lies with the cloud provider, and not
considering it can lead to serious leaks ("Overcoming Data Security Challenges in a Hybrid, Multicloud
World", 2020).

2.3 Reasons of Microservices Security and Privacy Problems

The very first reason of security and privacy problems in the Microservices architecture is the large
number of small services interacting through APIs. As these are independent of system architecture and
programming languages, more chances of attack increases. When microservices are broken down into

3
smaller pieces, security issues tracing is difficult. Moreover, when new microservices are added, the new
language which used to develop the new services, questions the security and privacy issue.

Different microservices are distributed, stateless, and independent, the number of logs is higher. It is
difficult to manage higher number of logs, as Microservice run from multiple host, sending all those logs
to single centralized system. This sending of logs requires correlating events from multiple and
potentially different platforms ("Security challenges presented by microservices", 2020).

Fault tolerance in microservices can also lead to security problems and when multiple services fail,
coping with service failures and other timeouts can lead to serious problems. There is need to ensure
stability across the services, and a centralized Microservice which can control such problem is required
(Bala & Chana, 2020).

To provide security and mitigate different risks following are essential points:

1. To solve the user identity and access control, only standard set of protocol should be used,
instead of developing own control mechanisms. OAuth and OAuth2 ("Differences Between
OAuth 1 and 2 - OAuth 2.0 Simplified", 2020) are industry standard for these purposes. The
standard libraries and platforms will help in development phase. Some addition tools to further
enhance the security that are used with OAuth are also available.
2. Other mitigation technique is to use API gateway which makes only one entry point for request
coming from multiple clients, making further separate interface for each Microservice request. A
Separate firewall is also used with microservices with centralized control making the system
more secure ("Security", 2020).
3. The use of containers and tools like kubernetes also comes with various security challenges. If a
threat or breach is detected after deployment, it becomes difficult to replace the container or
kubernetes. To overcome this problem, many practical implementers of such system suggest
implementing security measures at each lifecycle event like build, deploy, and run. Some other
mitigation techniques are using less components and services, use of up to date tools, and
adopting best practices during deployment ("Security", 2020). The best practices of deployment
phases are considering what is being deployed, how to deploy, where to deploy, and how it will
be accessed. Kubernetes is the highest secure tool, which can help built robust security features.
Slow and controlled development and providing DevOps team with all required staff and

4
 resources are some of important mitigation strategies for secure Microservice architecture, as
DevOps teams are often understaff and resources.

2.5 Microservices Security Benefits for Financial Organizations

Financial sector is benefitted by microservices in many ways such as fast development, smaller failure
footprint, quick response to customers, and easier to scale. Beside these, if security problems are
mitigated properly, shifting to microservices is very essential as many platforms like PayPal is
successfully working through microservices architecture. Financial services must concentrate on design
of APIs and implementation of containers to make their system more secure.

Conclusion
The security of microservices starts with ensuring microservices are well defined, documented, and
using standardized protocols for API implementation. The secure API and well defined firewalls access
points guarantees the security of microservices. Specific security mechanisms are not required for
microservices, however, the important thing is understanding the who requires access and why accesses
are required, that is creating appropriate authentication and access management system. To conclude,
to make microservices secure, the only important thing is to follow best practices for developing and
deploying microservices architecture. The development team must adopt security measure at each
phase to ensure security and privacy between the services, API calls, and during deployment of the
microservices.

References
Bala, A., & Chana, I. (2020). Retrieved 24 November 2020, from http://www.ijcsi.org/papers/IJCSI-9-1-1-
288-293.pdf
Differences Between OAuth 1 and 2 - OAuth 2.0 Simplified. (2020). Retrieved 24 November 2020, from
https://www.oauth.com/oauth2-servers/differences-between-oauth-1-2/
Familiar, B. (2015). Microservices, IoT, and Azure. Berkeley, CA: Apress.
Overcoming Data Security Challenges in a Hybrid, Multicloud World. (2020). Retrieved 24 November
2020, from https://securityintelligence.com/posts/overcoming-data-security-challenges-hybrid-
multicloud-world/
Saito, H., Lee, H., & Wu, C. (2019). DevOps with Kubernetes. Birmingham: Packt Publishing Ltd.
Security. (2020). Retrieved 24 November 2020, from https://kubernetes.io/docs/concepts/security/
Security challenges presented by microservices. (2020). Retrieved 24 November 2020, from
http://techgenix.com/security-challenges-presented-microservices/

5
The Top 5 Challenges of Microservices Security. (2020). Retrieved 23 November 2020, from
https://www.neuralegion.com/blog/the-top-5-challenges-of-microservices-security/
Verona, J. (2016). Practical DevOps.