Security Strategies for Microservices-based Application Systems

Published: August 07, 2019

Author(s)

Ramaswamy Chandramouli

Abstract

Microservices architecture is increasingly being used to develop application systems since its smaller codebase facilitates faster code development, testing, and deployment as well as optimization of the platform based on the type of microservice, support for independent development teams, and the ability to scale each component independently. Microservices generally communicate with each other using APIs, which requires several core features to support complex interactions between a substantial number of components. These core features include authentication and access management, service discovery, secure communication protocols, security monitoring, availability/resiliency improvement techniques (e.g., circuit breakers), load balancing and throttling, integrity assurance techniques during induction of new services, and handling of session persistence. Additionally, the core features could be bundled or packaged into architectural frameworks such as API gateways and service mesh. The purpose of this document is to analyze the multiple implementation options available for each individual core feature and configuration options in architectural frameworks, develop security strategies that counter threats specific to microservices, and enhance the overall security profile of the microservices-based application.
Citation: Special Publication (NIST SP) - 800-204
Report Number:
800-204
Pub Type: NIST Pubs

Keywords

microservices, load balancing, circuit breaker, Application Programming Interface (API), API gateway, service mesh, proxy
Created August 07, 2019, Updated August 07, 2019