OpsLevel Logo
Product

Visibility

Catalog

Keep an automated record of truth

Integrations

Unify your entire tech stack

AI Engine

Restoring knowledge & generating insight

Standards

Scorecards

Measure and improve software health

Campaigns

Action on cross-cutting initiatives with ease

Checks

Get actionable insights

Developer Autonomy

Service Templates

Spin up new services within guardrails

Self-service Actions

Empower devs to do more on their own

Knowledge Center

Tap into API & Tech Docs in one single place

Featured Resource

March Product Updates
March Product Updates
Read more
Use Cases

Use cases

Improve Standards

Set and rollout best practices for your software

Drive Ownership

Build accountability and clarity into your catalog

Developer Experience

Free up your team to focus on high-impact work

Featured Resource

The Ultimate Guide to Microservices Versioning Best Practices
The Ultimate Guide to Microservices Versioning Best Practices
Read more
Customers
Our customers

We support leading engineering teams to deliver high-quality software, faster.

More customers
Hudl
Hudl goes from Rookie to MVP with OpsLevel
Read more
Hudl
Keller Williams
Keller Williams’ software catalog becomes a vital source of truth
Read more
Keller Williams
Duolingo
How Duolingo automates service creation and maintenance to tackle more impactful infra work
Read more
Duolingo
Resources
Our resources

Explore our library of helpful resources and learn what your team can do with OpsLevel.

All resources

Resource types

Blog

Resources, tips, and the latest in engineering insights

Guide

Practical resources to roll out new programs and features

Demo

Videos of our product and features

Events

Live and on-demand conversations

Interactive Demo

See OpsLevel in action

Pricing

Flexible and designed for your unique needs

Docs
Log In
Book a demo
Log In
Book a demo
No items found.
Share this
Table of contents
 link
 
Resources
Blog

3 Best Practices for Improving Microservice Security

Insights
Standardization
Platform engineer
SRE
Security
Rubric
Checks
Scorecard
3 Best Practices for Improving Microservice Security
OpsLevel
|
November 22, 2021

Improving your microservice security isn’t like improving the security of a monolith application. Microservices provide lots of flexibility for application developers. They make scaling your application quicker and easier, and they let teams effortlessly deploy new features.

But when it comes to security, microservices bring a unique set of challenges.

The good news is, with a bit of planning and some diligence, you can overcome all of these challenges. In this post, we’ll talk about three key ways to improve your organization’s microservice security and how to best put them into practice.

Microservice Security Practice #1: Network Security

One of the most significant differences between microservice security and securing a monolith is how each type of application approaches the network. A monolith application will often have very few places where network traffic reaches out to the server. Oftentimes, it’s just one location, usually a proxy or load balancer.

The same is true for network egress on a microservice. Often, network connections will come from one location, synchronously wait for the monolith to complete the work the client requested, and receive the application’s response. This simplifies network security for the monolith.

The same can’t be said for microservices. Instead of doing many things and accepting connections from one source, microservices serve a small, specific job and accept connections from lots of other servers. This means that you can’t create a short list of acceptable inbound connection requests. But that doesn’t mean you have to accept every inbound request.

Rather, you should maintain a list of acceptable connection origins for each microservice you support. Often, instead of accepting connections from one point, you’ll be able to narrow down the acceptable list of connection origins to a VLAN. This VLAN will probably be where some other subset of your microservice architecture lives.

The critical part of this security step is considering where valid connections to your microservice will come from. If you do that, you’ll quickly be able to narrow down the acceptable origin list.

The tedious part here is that you need to do this for each of your microservices. That’s going to take some time! You’ll also need to spend time reevaluating this security list regularly. Bringing on new microservices will probably mean that your origin list will change over time.

Microservice Security Practice #2: Container Security

One of the keys to the microservice architecture is the container, a lightweight virtualization mechanic whereby a single physical service can virtually run dozens or hundreds of small application virtual machines. So, as you might guess, microservice security depends on getting container security right. Container security depends on three key attributes:

  • image security
  • securing the container itself
  • securing the host that runs the container

Image Security

When we build a microservice application, we create an image, which is a snapshot of that application running on a container. If you have a docker image, you can run it on any system that supports docker, and it’ll run exactly the same. This is one of the great benefits of containerization: your application runs the same no matter the environment. But this means that securing your images is critical.

You probably store your images in a repository like Docker Hub. It’s critical to make sure that when you build, the images you use are the ones you intend to use, and not an image placed there by an attacker. One easy way to compromise microservice security is by replacing good images with compromised ones. Ensure that only authorized users can access and update your images to keep them safe.

Container Security

Securing the container is a lot like securing a traditional monolith. You want to ensure that your container doesn’t expose any unnecessary ports and only accepts encrypted traffic. Your container should authenticate any external hosts that connect to it using pre-shared secrets. You need to validate the libraries that run on your container to ensure that they don’t have any exploited security vulnerabilities.

If you find vulnerable libraries, you know how to fix them: security patches! Once you’ve patched your libraries, you’ll build a new container image and push it to your repository. Once you’ve done that, you’ll deploy it to your application environment.

Host Security

If you’ve secured your images and containers, the final major step is securing the hosts. There are a variety of security measures you should implement on your hosts. For a brief overview, you should prevent your containers from starting with elevated system privileges. A container that possesses elevated privileges can break out of the sandbox it runs in and interfere with other containers.

A savvy attacker might combine a library vulnerability in one of your containers with elevated permissions to take over all containers running on your host. Another key host security measure is to ensure that the container can’t open network connections or write to file systems that aren’t strictly necessary.

Microservice Security Practice #3: Monitoring and Alerting

Microservice security doesn’t just mean preventing an attacker from compromising your systems. It means ensuring your systems are available when you need them, any time of day.

A microservice that crashes is no better than one an attacker takes offline: neither is ready to do what you need. Monitoring and alerting help keep your microservices online. One of the most significant benefits of microservices is that you can orchestrate containers to maintain high application availability. That doesn’t mean that you can’t turn off your monitoring systems, though.

Sure, one container in a microservice swarm going down isn’t likely a cause for concern. But what if ten containers crash all at once? What if each time a container tries to come back online, it crashes again? These are things you need to know, and you need to know them quickly.What’s more, monitoring and alerting are critical to more traditional security concerns, too.

Often, the first indication that you’ll get about a security breach comes from your application logs. The best monitoring and alerting services will tell you when your services are behaving strangely. And a solid alerting system means you’ll get a notification instead of waiting to find the issue in the logs yourself.

Microservice Security Is a Marathon, Not a Sprint

As any good security engineer will tell you, each day brings a new set of challenges.

You won’t be able to flip a couple of switches and change a config file, then stop thinking about microservice security forever. Sorry if you were hoping for a silver-bullet solution.

Instead, microservice security requires diligence, attention to detail, and persistence. The good news is, there are absolutely tools that can make your job easier. Integrating a tool like OpsLevel’s Service Maturity framework will help you automate many microservice security processes.

OpsLevel automates best practices for your microservices while monitoring the ones running and alerting you if anything goes wrong. And OpsLevel’s maturity scorecards will look at your system holistically to illustrate how your long-term commitment to security makes you safer over time.

Securing microservices is indeed a lot of work. Some teams might look at all that work and decide some half measures are good enough. If you don’t want to be a part of that team, remember that microservice security is a marathon, not a sprint. Try to get a little better each day, and before you know it, you’ll be in a better place than ever.

This post was written by Eric Boersma. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.

More resources

March Product Updates
Blog
March Product Updates

Some of the big releases from the month of March.

Read more
How Generative AI Is Changing Software Development: Key Insights from the DORA Report
Blog
How Generative AI Is Changing Software Development: Key Insights from the DORA Report

Discover the key findings from the 2024 DORA Report on Generative AI in Software Development. Learn how OpsLevel’s AI-powered tools enhance productivity, improve code quality, and simplify documentation, while helping developers avoid common pitfalls of AI adoption.

Read more
Introducing OpsLevel AI: Finding Your Lost Engineering Knowledge
Blog
Introducing OpsLevel AI: Finding Your Lost Engineering Knowledge

Read more
Product
Software catalogMaturityIntegrationsSelf-serviceKnowledge CenterBook a meeting
Company
About usCareersContact usCustomersPartnersSecurity
Resources
DocsEventsBlogPricingDemoGuide to Internal Developer PortalsGuide to Production Readiness
Comparisons
OpsLevel vs BackstageOpsLevel vs CortexOpsLevel vs Atlassian CompassOpsLevel vs Port
Subscribe
Join our newsletter to stay up to date on features and releases.
By subscribing you agree to with our Privacy Policy and provide consent to receive updates from our company.
SOC 2AICPA SOC
© 2024 J/K Labs Inc. All rights reserved.
Terms of Use
Privacy Policy
Responsible Disclosure
By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Data Processing Agreement for more information.
Okay!