What It Requires to Secure APIs for Microservices
Both APIs and microservices play a key role in cloud native environments. Microservices serve as the cornerstone of distributed and shared computing resources. At the same time, APIs serve as a very efficient way to streamline many operations and development tasks from DevOps teams.
However, both microservices and APIs carry with them their own security risks. All it takes is for one compromised Kubernetes node to allow for an intruder to gain root access through an API to an organization’s entire container infrastructure across multiple clusters (a worst-case scenario).
In this episode of The New Stack Makers podcast, we look at how to both secure microservices with APIs and how to rely on APIs to delegate certain security tasks to a trusted third party. Our guest is Viktor Gamov, principal developer advocate for Kong, an API-connectivity company. The episode is hosted by Alex Williams, TNS founder and publisher, and Bharat Bhat, marketing lead, developer relations, Okta.
Gamov likened securing APIs to ships transporting cheese from one port to another. The security checks include making sure that the cheese is indeed cheese — and not contraband — and monitoring the routes to check that the designated ship will arrive at the right port.
For security management, an API gateway for microservices can allow for a DevOps team member to declaratively enable only some plugins and some integrations, such as for Layer 7 communications, Gamov explained. More specifically, this API-managed functionality might cover application level protocols like HTTP, HTTPS or gRPC.
“You need to have some sort of secure channel or pathway” that prevents someone from accidentally disrupting or stealing microservices data, Gamov said.
Securing the API gateways involves protecting data in route between endpoints. This is “how we can ensure that someone who’s logged into our system is who they say they are,” Gamov said.
The management of identity access can both be allocated to a third-party security API provider that in turn can help to control and verify access to different APIs in microservices environments. “We can offload some of the work to Identity Providers [IdPs]” so developers don’t have to manage this process, Gamov said.
To use the cheese analogy again, an identification service can check that an API is “bringing Parmesan cheese.” “This is where we’re checking everything, like can you bring this department…Roquefort cheese, gouda cheese or some other things,” Gamov said. “So, this is where we are expanding it [to determine] what you can do with this system.”