Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Warning Notice
The attached draft document has been withdrawn, and is provided solely for historical purposes.
It has been superseded by the document identified below.
Superseding Document
Status Final
DOI https://doi.org/10.6028/NIST.SP.800-204
7
8
9
10 Ramaswamy Chandramouli
11
12
13
14
15
16
17
18
19
20
21 This publication is available free of charge from:
22 https://doi.org/10.6028/NIST.SP.800-204-draft
23
24
25
26
27 C O M P U T E R S E C U R I T Y
28
29 Draft NIST Special Publication 800-204
30
31
32
57
58
59
60 U.S. Department of Commerce
61 Wilbur L. Ross, Jr., Secretary
62
63 National Institute of Standards and Technology
64 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
65
66 Authority
67
68 This publication has been developed by NIST in accordance with its statutory responsibilities under the
69 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law
70 (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including
71 minimum requirements for federal information systems, but such standards and guidelines shall not apply
72 to national security systems without the express approval of appropriate federal officials exercising policy
73 authority over such systems. This guideline is consistent with the requirements of the Office of Management
74 and Budget (OMB) Circular A-130.
75 Nothing in this publication should be taken to contradict the standards and guidelines made mandatory
76 and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these
77 guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,
78 Director of the OMB, or any other federal official. This publication may be used by nongovernmental
79 organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would,
80 however, be appreciated by NIST.
81
82 National Institute of Standards and Technology Special Publication 800-204
83 Natl. Inst. Stand. Technol. Spec. Publ. 800-204, 41 Pages (March 2019)
84 CODEN: NSPUE2
85
86 This publication is available free of charge from:
87 https://doi.org/10.6028/NIST.SP.800-204-draft
88
89 Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
90 experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
91 endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best
92 available for the purpose.
93 There may be references in this publication to other publications currently under development by NIST in accordance
94 with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies,
95 may be used by federal agencies even before the completion of such companion publications. Thus, until each
96 publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For
97 planning and transition purposes, federal agencies may wish to closely follow the development of these new
98 publications by NIST.
99 Organizations are encouraged to review all draft publications during public comment periods and provide feedback to
100 NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at
101 https://csrc.nist.gov/publications.
102
103 Public comment period: March 25, 2019 through April 26, 2019
104
105 National Institute of Standards and Technology
106 Attn: Computer Security Division, Information Technology Laboratory
107 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
108 Email: sp800-204-comments@nist.gov
109
110 All comments are subject to release under the Freedom of Information Act (FOIA).
111
i
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
112
113 Reports on Computer Systems Technology
114
115 The Information Technology Laboratory (ITL) at the National Institute of Standards and
116 Technology (NIST) promotes the U.S. economy and public welfare by providing technical
117 leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test
118 methods, reference data, proof of concept implementations, and technical analyses to advance the
119 development and productive use of information technology. ITL’s responsibilities include the
120 development of management, administrative, technical, and physical standards and guidelines for
121 the cost-effective security and privacy of other than national security-related information in
122 Federal information systems. The Special Publication 800-series reports on ITL’s research,
123 guidelines, and outreach efforts in information system security, and its collaborative activities with
124 industry, government, and academic organizations.
125
126
127 Abstract
128
129 Microservices architecture is increasingly being used to develop application systems since its
130 smaller codebase facilitates faster code development, testing, and deployment as well as
131 optimization of the platform based on the type of microservice, support for independent
132 development teams, and the ability to scale each component independently. Microservices
133 generally communicate with each other using APIs, which requires several core features to support
134 complex interactions between a substantial number of components. These core features include
135 authentication and access management, service discovery, secure communication protocols,
136 security monitoring, availability/resiliency improvement techniques (e.g., circuit breakers), load
137 balancing and throttling, integrity assurance techniques during induction of new services, and
138 handling of session persistence. Additionally, the core features could be bundled or packaged into
139 architectural frameworks such as API gateways and service mesh. The purpose of this document
140 is to analyze the multiple implementation options available for each individual core feature and
141 configuration options in architectural frameworks, develop security strategies that counter threats
142 specific to microservices, and enhance the overall security profile of the microservices-based
143 application.
144
145 Keywords
146
147 microservices; load balancing; circuit breaker; Application Programming Interface (API); API
148 gateway; service mesh; proxy.
149
150
151
152
153 Acknowledgements
154
155 <TBD>
ii
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
164 ITL may require from the patent holder, or a party authorized to make assurances on its behalf, in
165 written or electronic form, either:
166 a) assurance in the form of a general disclaimer to the effect that such party does not hold
167 and does not currently intend holding any essential patent claim(s); or
168 b) assurance that a license to such essential patent claim(s) will be made available to
169 applicants desiring to utilize the license for the purpose of complying with the guidance
170 or requirements in this ITL draft publication either:
171 i. under reasonable terms and conditions that are demonstrably free of any unfair
172 discrimination; or
173 ii. without compensation and under reasonable terms and conditions that are
174 demonstrably free of any unfair discrimination.
175 Such assurance shall indicate that the patent holder (or third party authorized to make assurances
176 on its behalf) will include in any documents transferring ownership of patents subject to the
177 assurance, provisions sufficient to ensure that the commitments in the assurance are binding on
178 the transferee, and that the transferee will similarly include appropriate provisions in the event of
179 future transfers with the goal of binding each successor-in-interest.
180 The assurance shall also indicate that it is intended to be binding on successors-in-interest
181 regardless of whether such provisions are included in the relevant transfer documents.
iii
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
iv
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
223 Appendix A: Differences between Monolithic Application and Microservices-based Application ................. 24
224 A.1 Design and Deployment Differences ........................................................................................................... 24
225 A.1.1 An Example Application to illustrate the design and deployment differences................................ 25
226 A.2 Run-time Differences ..................................................................................................................................... 26
227 Appendix B: Traceability of Security Strategies to Microservices Architectural Features .............................. 28
228 Appendix C: References ............................................................................................................................................. 32
229
230
231
v
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
vi
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
300
301
302
303 • NIST SP 800-190, Application Container Security Guide
304 • NIST IR 8176, Security Assurance Requirements for Linux Application Container
305 Deployments
306
2
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
3
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
388 • All microservices should be designed for constant failure and recovery and must therefore be as
389 stateless as possible
390 • One should reuse existing trusted services (e.g., databases, caches, directories) for state
391 management
392 These drivers, in turn, result in the following design principles for a microservice:
393
394 • Autonomy
395 • Loose coupling
396 • Re-use
397 • Composability
398 • Fault tolerance
399 • Discoverability
400 • APIs alignment with business processes
4
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
428 • Infrastructure services (called “core features” in this document) implemented alone or
429 bundled into architectural frameworks (e.g., API gateway, service mesh), including
430 authentication and authorization, service registration and discovery, and security monitoring
431 In a microservices-based application system, each of the multiple, collaborative services can be
432 built using different technologies. This promotes the concept of technical heterogeneity, which
433 means that each service in a microservices-based application system may be written in a different
434 programming language, development platform, or using different data storage technologies. This
435 concept enables developers to choose the right tool or language depending on the type of service.
436 Thus, in a single microservices-based application system, the constituting services may be built
437 using different languages (e.g., Ruby, Golang, Java) and may be hosting different stores (e.g.,
438 document datastore, graphical DB, or multimedia DB). Each component service is developed by a
439 team–a microservice or DevOps team—which provides all of the development and operational
440 requirements for that service with a high degree of autonomy regarding development and
441 deployment techniques so long as the service functionality or service contract is agreed upon [6].
442
443 Services in microservices are separately deployed on different nodes. The communication between
444 them is transformed from a local function call to a remote call, which would affect system
445 performance due to a high latency of network communication. Thus, a lightweight communication
446 infrastructure is required.
447
448 Scaling can be applied selectively on those services that have performance bottlenecks due to
449 insufficient CPU or memory resources, while other services can continue to be run using smaller,
450 less expensive hardware. The functionality associated with such a service may be consumed in
451 different ways for different purposes, thereby promoting reusability and composability. One
452 example includes a customer database service, the contents of which are used both by shipping
453 departments for preparing bills of lading and by accounts receivable or the billing department to
454 send invoices.
455
5
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
513 approach or domain event subscription approach. In this pattern, a microservices registers itself or
514 subscribes to business domain events (e.g., interested in specific information or being able to
515 handle certain requests), which are published to a message broker through an event-bus interface.
516 These microservices are built using event-driven APIs and use asynchronous messaging protocols,
517 such as Message Queuing Telemetry Transport (MQTT), Advanced Message Queuing Protocol
518 (AMQP), and Kafka Messaging, which enable support for notifications and subscriptions. In
519 asynchronous protocols, the message sender does not typically wait for a response but simply sends
520 the message to a message agent (e.g., RabbitMQ queue). One of the use cases for this approach is
521 the propagation of data updates to multiple microservices based on certain events [8].
522
523
7
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
558 a) Request and response collapsing: Most business transactions will involve calls to multiple
559 microservices, often in a pre-determined sequence. An API gateway can simplify the
560 situation for clients by exposing an endpoint that will automatically make all the needed
561 multiple requests (calls) and return a single, aggregated response to the client.
562 b) API Transformation: The API gateway can provide a public interface to the client which is
563 different from the individual APIs it has to consume or the program calls it has to make to
564 cater to a given request. This feature is called API transformation and enables:
565 i) Changing the implementation and even the API interface for individual microservices
566 ii) Transitioning from an initial, monolithic application to a microservices-based
567 application by enabling continued access to clients through the API gateway while
568 progressively splitting the monolithic application, creating microservice APIs in the
569 background, and changing the API transformation configuration accordingly
570 c) Protocol Translation: Calls from clients to microservices endpoints may be in web
571 protocols, such as HTTPS, while microservices communicate among themselves using
572 synchronous protocols, such as RPC/Thrift, or asynchronous protocols, such as AMQP. The
573 necessary protocol translation in client requests is typically carried out by the API gateway.
574 • Circuit breaker – This is a feature to set a threshold for the failed responses to an instance of a
575 microservice and cut off proxying requests to that instance when the failure is above the
576 threshold. This avoids the possibility of a cascaded failure, allows time to analyze logs,
577 implement the necessary fix, and push an update for the failing instance.
578 • Load balancing: There is a need to have multiple instances of the same service, and the load on
579 these instances must be evenly distributed to avoid delayed responses or service crashes due to
580 overload.
581 • Rate limiting (throttling) – The rate of requests coming into a service must be limited to ensured
582 continued availability of service for all clients.
583 • Blue/green deployments – When a new version of a microservice is deployed, requests from
584 customers using the old version can be redirected to the new version since the API gateway can
585 be programmed to be aware of the locations of both versions.
586 • Canary releases – Only a limited amount of traffic is initially sent to a new version of a
587 microservice since the correctness of its response or performance metric under all operating
588 scenarios is not fully known. Once sufficient data is gathered about its operating characteristics,
589 then all of the requests can be proxied to the new version of the microservice.
590
601
602 Table 2: Role of Architectural Frameworks in Microservices Operations
603
Architectural Framework Role in the Overall Architecture
API gateway, augmented with or without Used for controlling north-south and east-west
micro gateways traffic (the latter using micro gateways);
micro gateways are deployed when
microservices are implemented in
web/application servers
Service mesh Deployed for purely east-west traffic when
microservices are implemented using
containers but can also be used in situations
where microservices are housed in VMs or
application servers
604
9
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
635 • By composing the specific services developed for respective functionality (e.g., service
636 registry for service discovery)
637 • Implementing these functionalities directly inside the codebase that utilizes the API
638 gateway
639 Gateway implementations
640 To prevent the gateway from having too much logic to handle request shaping for different client
641 types, it is divided into multiple gateways [8]. This results in a pattern called backends for
642 frontends (BFF). In BFF, each client type is given its own gateway (e.g., web app BFF, mobile app
643 BFF) as a collection point for service requests. The respective backend is closely aligned with the
644 corresponding front end (client) and is typically developed by the same team.
645
646 API management for a microservices-based application can be implemented through either a
647 monolithic API gateway architecture or a distributed API gateway architecture. In the monolithic
648 API gateway architecture, there is only one API gateway that is typically deployed at the edge of
649 the enterprise network (e.g., DMZ) and provides all services to the API at the enterprise level. In
650 the distributed API gateway architecture, there are multiple instances of microgateways, which are
651 deployed closer to microservice APIs [10]. A microgateway is typically a low footprint, scriptable
652 API gateway that can be used to define and enforce customized policies and is therefore suitable for
653 microservices-based applications, which must be protected through service-specific security
654 policies.
655
656 The microgateway is typically implemented as a stand-alone container using development
657 platforms such as Node.js. It is different from a sidecar proxy of the service mesh architecture
658 (refer to Section 2.7.2), which is implemented at the API endpoint itself. The security policies in a
659 microgateway are encoded using JSON format and input through a graphical policy management
660 interface. The microgateway should contain policies for both application requests and responses.
661 Since policies and their enforcement are implemented as a container, they are immutable and thus
662 provide a degree of protection against accidental and unintended modifications that may result in
663 security breaches or conflicts, since any security policy update requires redeployment of the
664 microgateway. It is essential that the microgateway deployed for any microservice instance
665 communicate with service registry and monitoring modules to keep track of the operational status
666 of the microservice it is designed to protect.
680 aggregation for telemetry, and provides APIs for modifying the behavior of the network through
681 various features, such as load balancing, circuit breaking, or rate limiting.
682
683 Service meshes create a small proxy server instance for each service within a microservices
684 application. This specialized proxy car is sometimes called a “sidecar proxy” in service mesh
685 parlance [12]. The sidecar proxy forms the data plane, while the runtime operations needed for
686 enforcing security (access control, communication-related) are enabled by injecting policies (e.g.,
687 access control policies) into the sidecar proxy from the control plane. This also provides the
688 flexibility to dynamically change policies without modifying the microservices code.
689
696
11
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
12
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
14
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
888 issues in some nodes. Since multiple microservices nodes collaborate to perform a transaction,
889 performance problems associated with any node can quickly cascade across multiple services. The
890 strategies for secure identity and access management to microservices are outlined below.
891
892 Security strategies for authentication (MS-SS-1):
893 • Authentication to microservices APIs that have access to sensitive data should not be done
894 simply by using API keys. Rather, an additional form of authentication should also be used.
895 • Every API Key that is used in the application should have restrictions specified both for the
896 applications (e.g., mobile app, IP address) and the set of APIs where they can be used.
897
898 Security strategies for access management (MS-SS-2):
899 • Access policies to all APIs and their resources should be defined and provisioned centrally to
900 an access server
901 • The access server should be capable of supporting fine-grained policies
902 • Access decisions from the access server should be conveyed to individual and sets of
903 microservices through standardized tokens encoded in a platform-neutral format (e.g., OAuth
904 2.0 token encoded in JSON format)
905 • The scope in authorization tokens (extent of permissions and duration) should be carefully
906 controlled; for example, in a request for transaction, the allowed scope should only involve the
907 API endpoints that must be accessed for completing that transaction
908 • It is preferable to generate tokens for performing authentication instead of passing credentials to
909 the API endpoints since any damage would be limited to the time that the token is valid;
910 authentication tokens should be cryptographically signed or hashed tokens
911
933
934
935 Analysis of the client-side service discovery pattern
936 The client-side option consists of building registry-aware clients. The client queries the service
937 registry for the location of all services needed to make requests. It then contacts the target service
938 directly. Though simple, this implementation option for service discovery requires the discovery
939 logic (querying the service registry) to be implemented for each programming language and/or
940 framework that is used for client implementations.
941
942 Analysis of the service-side service discovery pattern
943 The service-side discovery has two implementations: one pattern delegates the discovery logic to a
944 dedicated router service set at a fixed location, while the other utilizes a server in front of each
945 microservice with the functionality of a dynamic DNS-resolver. In the dedicated router option, the
946 client makes all service requests to this dedicated router service, which in turn queries the service
947 registry for the location of the client-requested service and forwards that request to the discovered
948 location. This removes the tight coupling between an application service and an infrastructure
949 service such as the service registry service. In the DNS resolver pattern, each microservice
950 completes its own service discovery using its built-in DNS resolver to query the service registry.
951 The DNS resolver maintains a table of available service instances and their endpoint locations (i.e.,
952 IP addresses). To keep the table up to date, the asynchronous, nonblocking DNS resolver queries
953 the service registry regularly—perhaps every few seconds—using DNS SRV records for service
954 discovery. Since the service discovery function through the DNS resolver runs as a background
955 task, the endpoints (URLs) for all peer microservices are instantly available when a service instance
956 needs to make a request [2].
957
958 A good strategy would be to use a combination of the service-side service discovery pattern and
959 the client-side service discovery pattern [16]. The former can be used for providing access to all
960 public APIs, while the latter can allow clients to access all cluster-internal interactions.
961
962 Centralized versus distributed service registry
963 In a centralized service registry implementation, all services wishing to publish their service
964 register at a single point, and all services seeking these services use the single registry to discover
965 them. The security disadvantage of this pattern is the single point of failure [17]. However, data
966 consistency will not be an issue. In the decentralized service registry, there may be multiple
967 service registry instances, and services can register with any of the instances. In the short term,
968 the disadvantage is that there will be data inconsistency between the various service registries.
969 Eventually, consistency among these various instances of service registry is achieved either
970 through broadcasting from one instance to all others or by propagation from one node to all
971 others via attached data in a process called piggybacking.
972
973 Regardless of the pattern used for service discovery, secure deployment of service discovery
974 functions should meet the following service registry configuration requirements.
975
976 Security strategies for service registry configuration (MS-SS-3)
977 • Service registry capabilities should be provided through a cluster of servers with a
978 configuration that can perform frequent replication.
17
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
979 • Service registry clusters should be in a dedicated network where no other application
980 service is run.
981 • Communication between an application service and a service registry should occur through
982 a secure communication protocol such as HTTPS or TLS.
983 • Service registry should have validation checks to ensure that only legitimate services are
984 performing the registration, refresh operations, and database queries to discover services.
985 • The bounded context and loose coupling principle for microservices should be observed for
986 the service registration/deregistration functions. In other words, the application service
987 should not have tight coupling with an infrastructure service, such as a service registry
988 service, and service self-registration/deregistration patterns should be avoided. When an
989 application service crashes or is running but unable to handle requests, its inability to
990 perform deregistration affects the integrity of the whole process. Therefore,
991 registration/deregistration of an application service should be enabled using a third-party
992 registration pattern, and the application service should be restricted to querying the service
993 registry for service location information as described under the client-side discovery pattern.
994 • If a third-party registration pattern is implemented, registration/deregistration should only
995 take place after a health check on the application service is performed.
996 • Distributed service registry should be deployed for large microservices application, and care
997 should be taken to maintain data consistency among multiple service registry instances.
998
999 4.3 Strategies for Secure Communication Protocols
1000
1001 Secure communication between clients and services (north-south traffic) and between services
1002 (east-west traffic) is critical for the operation of a microservices-based application. It is a good
1003 practice to build security features into infrastructure rather than application code, and several
1004 technologies have evolved with that objective.
1005
1006 However, certain strategies for security services—such as authentication or the establishment of
1007 secure connections—can be handled at the individual microservices nodes. For example, in the
1008 fabric model, each microservice instance has the capability to function as an SSL client and SSL
1009 server (i.e., each microservice is an SSL/TLS endpoint). Thus, a secure SSL/TLS connection is
1010 possible for interservice or inter-process communication from an overall application perspective.
1011 These connections can be created dynamically (i.e., before each interservice request) or be created
1012 as a keep-alive connection. In the keep-alive connection scheme, a “service A” creates a connection
1013 after a full SSL/TLS handshake—the first time an instance of that service makes a request to an
1014 instance of a “service B.” However, neither service instances terminate the connection after a
1015 response returns for that request from service B. Rather, the same connection is reused in future
1016 requests. The advantage of this scheme is that the costly overhead involved in performing the initial
1017 SSL/TLS handshake can be avoided during each request, and an existing connection can be reused
1018 for thousands of following interservice requests. Thus, a permanent secure interservice network
1019 connection is available for all instances of requests.
1020
1021 Security strategies for secure communication (MS-SS-4)
1022 • Clients should not be configured to call its target services directly but rather to point to the
1023 single gateway URL
18
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
1024 • Client-to-API-gateway communication should take place after mutual authentication and be
1025 encrypted (e.g., using mTLS protocol)
1026 • Frequently interacting services should create keep-alive TLS connections
1027
1068 status that is determined based on the frequency of calls from that client to the service rather than
1069 on the combined response status received by all clients against that service.
1070
1071 Server-side circuit breaker option: In this option, an internal circuit breaker in the microservice
1072 processes all client invocations and decides whether it should be allowed to invoke the service or
1073 not. The security advantages of this option are that clients need not be trusted to implement the
1074 circuit breaker function, and since the service has a global picture of the frequency of all
1075 invocations from all clients, it can throttle requests to a level which it can conveniently handle (e.g.,
1076 temporarily lighten the load).
1077
1078 Proxy circuit breaker option: In this option, circuit breakers are deployed in a proxy service, located
1079 between clients and microservices, which handles all incoming and outgoing messages. Within this,
1080 there may be two options: one proxy for each target microservice or a single proxy for multiple
1081 services (usually implemented in API gateway) that includes both client-side circuit breakers and
1082 service-side circuit breakers existing within that proxy. The security advantage of this option is that
1083 neither the client code nor the services code needs to be modified, which avoids trust and integrity
1084 assurance issues associated with both these categories of code as well as the circuit breaker
1085 function. This option also provides additional protections such as making clients more resilient to
1086 faulty services, and shielding services from cases in which a single client sends too many requests
1087 [9], resulting in some type of denial of service to other clients that use that service.
1088
1089 Security strategies for implementing circuit breakers (MS-SS-6)
1090 • A proxy circuit breaker option should be deployed to limit the trusted component to the proxy.
1091 This avoids the need to place the trust on the clients and microservices (e.g., setting thresholds
1092 and cutting off requests based on the set threshold) since they are multiple components.
1093
1159 handling individual requests forwards a request from an in-progress user session to a different
1160 microservice server or instance. One of the methods for implementing session persistence is sticky
1161 cookie. In this method, there is a mechanism to add a session cookie to the first response from the
1162 upstream microservice group to a given client, identifying (in an encoded fashion) the server that
1163 generated the response. Subsequent requests from the client include the cookie value, and the same
1164 mechanism uses it to route the request to the same upstream server [18].
1165
1166 Security (integrity assurance) strategies for handling session persistence (MS-SS-10):
1167 • The session information for a client must be stored securely
1168 • The artifact used for conveying the binding server information must be protected
1169
22
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
23
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
24
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
1257 A.1.1 An Example Application to illustrate the design and deployment differences
1258
1259 The following example of a small, online retail application illustrates the design and deployment
1260 differences discussed above. The main functions of this application are:
1261
1262 • A module that displays the catalog of products offered by the retailer with pictures of the
1263 products, product numbers, product names, and the unit prices
1264 • A module for processing customer orders by gathering information about the customer (e.g.,
1265 name, address) and the details of the order (e.g., name of the product from the catalog,
1266 quantity, unit price) as well as creating a bin containing all the items ordered in that session
1267 • A module for preparing the order for shipping, specifying the total bill of lading (i.e., the
1268 total package to be shipped, quantity of each item in the order, shipping preferences,
1269 shipping address)
1270 • A module for invoicing the customer with a built-in feature for making payments by credit
1271 card or bank account
1272
1273 The differences in the design of this online retail application as a monolithic versus microservices-
1274 based are given in table below.
1275
1276 Table A.2: Differences in Application Construct between Monolithic and Microservices-based Application
1277
Application Construct Monolith Microservices-based
Communication between All communications are in The shipping functionality
functional modules the form of procedure calls orand the order processing
some internal data structures functionality are each
(e.g., socket). The module designed as independent
handling the order processing services. Communication
makes a procedural call to thetakes place as an API call
module handling the shipping across the network using a
function and waits for web protocol. The order
successful completion processing microservice can
(blocking type synchronous either (a) make a request-
communication). response call to the shipping
microservice and wait for a
response or (b) put the details
of the order to be shipped in a
message queue to be picked
up asynchronously by the
shipping microservice, which
has subscribed to the event.
Handling changes or The entire application must The invoicing function is
enhancements (e.g., invoicing be recompiled and redeployed designed as a separate
module needs to be changed after making the necessary microservice, so that service
to accept debit cards) changes. can simply recompiled and
redeployed.
Scaling the application, The order processing It is enough to allocate
allocation of increased functionality involves longer increased resources for
25
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
resources (e.g., order transaction times compared to hardware where the order
processing module needs to shipping or invoicing processing microservice is
be allocated more resourcesfunctions. Vertical scaling deployed. Also, the number
to handle a larger load) that involves using servers of instances of order-
with more memory or CPUs processing microservices can
must be deployed for the be increased for better load
entire application. balancing.
Development and deployment Development is handled by The complete lifecycle—
strategy the development team which, from development to
after necessary testing by the deployment—is handled by a
QA team, transfers the task of single DevOps team for each
deployment to an microservice since it is a
infrastructure team that relatively small module with
oversees the allocation of a single functionality and
suitable resources for built-in a platform (e.g., OS,
deployment. languages libraries) that is
optimal for that functionality.
1278
26
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
1298
1299
1300 Figure A.1: Online Shopping Application – Monolithic Architecture
1301
1302
1303
1304
1305
1306
1307
1308 Figure A.2: Online Shopping Application – Microservices Architecture
27
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
MS-SS-2 • Access policies to all APIs and their resources should be defined Access
and provisioned centrally to an access cover management
• The access server should be capable of supporting fine-grained
policies
• Access decisions from the access server should be conveyed to
individual and sets of microservices through standardized tokens
encoded in a platform-neutral format (e.g., OAuth 2.0 token
encoded in JSON format)
• The scope in authorization tokens (i.e., extent of permissions and
duration) should be carefully controlled; for example, in a request
for a transaction, the allowed scope should only involve the API
endpoints that must be accessed to complete that transaction
• It is preferable to generate tokens for performing authentication
instead of passing credentials to the API endpoints since potential
damage will be limited to the time that the token is valid instead of
the long-term damage due to compromised credentials;
authentication tokens should be cryptographically signed or hashed
28
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
Microservices
Security
Core Feature/
Strategy Security Strategy
Architectural
Identifier
framework
MS-SS-3 • Service registry capability should be provided through a cluster of Service registry
servers with a configuration that can perform frequent replication configuration
• Service registry clusters should be in a dedicated network where no
other application services are run
• Communication between an application service and a service
registry should be through a secure communication protocol, such
as HTTPS/TLS
• Service registry should have validation checks to ensure that only
legitimate services are performing the registration and refresh
operations or querying its database to discover services
• The bounded context and loose coupling principle for microservices
should be observed for the service registration/deregistration
function; the application service should not have tight coupling with
an infrastructure service, such as service registry service, and the
service self-registration/deregistration pattern should be avoided.
Moreover, when an application service crashes or is running but not
in a position to handle requests, it cannot perform deregistration,
thus affecting the integrity of the whole process. Registration or
deregistration of an application service should be enabled using a
third-party registration pattern, and the application service should
be restricted to simply querying the service registry for service
location information as described in the client-side discovery
pattern.
• If third-party registration pattern is implemented,
registration/deregistration should only take place after performing a
health check on the application service
• Distributed service registry should be deployed for large
microservices applications, and care should be taken to maintain
data consistency among multiple service registry instances
MS-SS-4 • Clients should not be configured to call their target services directly Secure
but rather be configured to point to the single gateway URL communication
• Client to API gateway communication should take place after
mutual authentication and be encrypted (e.g., using mTLS protocol)
• Frequently interacting services should create keep-alive TLS
connections
29
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
Microservices
Security
Core Feature/
Strategy Security Strategy
Architectural
Identifier
framework
MS-SS-5 • Analytics engine that analyzes dependencies among the services Security
and identifies nodes (services) and paths (network) that are the monitoring
bottlenecks
• A central dashboard that displays the status of various services and
the network segments linking them
MS-SS-6 • Proxy circuit breaker option should be deployed to limit the trusted Implementing
component to be the proxy, which avoids the need to place the trust circuit breaker
on the clients and microservices (setting thresholds and cutting off
requests based on the set threshold) since they are multiple
components
MS-SS-7 • The load balancing function should be decoupled from individual Implementing
service requests; for example, the program that performs health load balancing
checks on the services to determine the load balancing pool should
run asynchronously in the background
• When a DNS resolver is deployed in front of a source microservice
to provide a table of available target microservice instances, it
should work in tandem with the health check program to present a
single list to the calling microservice
MS-SS-8 • Quotas or limits for application usage should be based on both Rate limiting
infrastructure and application-related requirements (throttling)
• Limits should be determined based on well-defined API usage plans
MS-SS-9 • Traffic to both the existing version and the new version of the Induction of new
service should be routed through a central node, such as an API versions of
gateway, to monitor the total number of calls to the service microservice
• Security monitoring should cover nodes hosting both the existing
and newer versions
MS-SS-10 • Session information for a client must be stored securely Handling session
• The artifact used for conveying the binding server information must persistence
be protected
MS-SS-11 • A run-time prevention strategy for credential abuse is preferable to Preventing
an offline strategy; a threshold for a designated time interval from a credential abuse
given location (e.g., IP address) for the number of login attempts and stuffing
should be set up, and prevention measures must be triggered if the attacks
threshold is exceeded
• A credential-stuffing detection solution with the capability to check
user logins against the stolen credential database and warn the
legitimate users that their credentials have been stolen
30
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
Microservices
Security
Core Feature/
Strategy Security Strategy
Architectural
Identifier
framework
MS-SS-12 • Channel all traffic information to a monitoring and/or analytics API gateway
application for detecting attacks (e.g., denial of service, malicious configuration
threats) through unusual usage patterns or deteriorating response
times
• Integrate API gateway with an identity management application to
provision credentials before activating the API
• API gateway platform requirements: since some microservices have
multiple communication styles (i.e., synchronous and
asynchronous), it is imperative that the API gateway which serves
as the entry point for these services support multiple
communication styles; a high-performance webserver and reverse
proxy should support its basic functional capabilities
• When identity management is invoked through an API gateway,
connectors should be provided for integrating with IdPs
• API gateway should have a connector to an artifact that can
generate an access token for the client request (e.g., OAuth 2.0
Authorization Server)
MS-SS-13 • Policy support should be enabled for: (a) designating a specific Service mesh
communication protocol between pairs of services and (b) configuration
specifying the traffic load between pairs of services based on
application requirements
• Default configuration should always be to enable access control
policies for all services
• Avoid configurations that may lead to privilege escalation (e.g., the
service role permissions and binding of the service role to service
user accounts)
1312
31
NIST SP 800-204 (DRAFT) SECURITY STRATEGIES FOR MICROSERVICES-
BASED APPLICATION SYSTEMS
1360
1361 [14] OpenID. (n.d.). Welcome to OpenID Connect. Retrieved from https://openid.net/connect/.
1362 Accessed March 2019.
1363
1364 [15] Internet Engineering Task Force (IETF). (2012). The OAuth 2.0 authorization framework.
1365 Retrieved from https://tools.ietf.org/html/rfc6749. Accessed March 2019.
1366
1367 [16] Circuit Breakers, Discovery, and API Gateways in Microservices
1368
1369 [17] T. Yarygina and A.H. Bagge, “Overcoming Security Challenges in Microservice
1370 Architecture”, Proceedings of 2018 IEEE Symposium on Service-Oriented System
1371 Engineering, 2018.
1372
1373 [18] NGINX. (n.d.). High-performance load balancing: Scale out your applications with
1374 NGINX and NGINX Plus. Retrieved from https://www.nginx.com/products/nginx/load-
1375 balancing/#session-persistence.
1376
1377 [19] Katz, O. (2017). Improving credential abuse threat mitigation. Retrieved from
1378 https://blogs.akamai.com/2017/01/improving-credential-abuse-threat-mitigation.html.
1379 Accessed March 2019.
33