Getty Images/iStockphoto
5 best practices for microservices authorization
Authorization is a critical security component of a microservices architecture. Follow these five guiding principles to deploy and manage the microservices authorization process.
The distributed nature of a microservices architecture makes authorization an especially complex endeavor.
Organizations must not only determine which services a user can access, they need to consistently manage these granular permissions at scale and across services. To help address the unique security challenges microservices present, consider these five evergreen tips for developing an authorization plan for a microservices-based application.
1. Enforce zero-trust and the principle of least privilege
Security is at the heart of effective authorization, but authorization should not become an obstacle to progress within an organization. Well-planned authorization should enable all necessary business logic and encourage collaboration and innovation, yet at the same time, it should stop suspicious activity.
To prioritize security and promote business continuity, follow zero-trust and the principle of least privilege to reduce what an identity can do within a system. This includes continuous verification, narrowing the scope of privileges to only what's essential and limiting the length of access from indefinite to a specific period.
2. Use access tokens to define permissions
Access tokens are the building blocks of modern authorization. These tokens are strings of data that contain information verifying a user's permissions for accessing certain resources within a system. Depending on an organization's workload and security demands, a token's expiration period can range from a couple of hours to a few weeks. Once the token expires, the user no longer has access to the resources. Tokens need to be rotated regularly for added security.
Authorization services create and manage access tokens. The open-source community, AuthZEN, is seeking to set standards in the authorization space. Vendors like Permit.io, AuthZed, and Aserto are also working to make policy-based authorization easy and effective for microservices-based applications.
Authentication vs. authorization
Authentication and authorization work together to ensure the security of applications, especially microservice applications, which have several access points to manage. Authentication manages identities (human and machine) and answers the question, "Who is trying to access our systems?" Authorization deals with permissions to access various resources within the system. It answers the question, "What are they trying to access?"
3. Manage permissions at scale with policies
Strategy is an important facet of authorization policy creation. Policies are rules that apply to individual or groups of tokens and can encompass user roles and hierarchies. Role-based access control (RBAC) is the traditional model, but newer, more advanced models, such as attribute-based access control (ABAC), are becoming popular. ABAC offers flexibility and versatility when defining policies based on the attributes of an identity, a resource, an action, an environment or some combination of these factors. For example, an organization might grant developers from location A access to a resource but not those from location B. Policy could also be determined by attributes such as time, title, age or username.
When following the GitOps approach to platform engineering, an organization needs to integrate policies within Git repositories. Defining policies as code simplifies policy management and makes it easy to push policies into production or roll back policies that have become outdated or risky.
4. Consider where authorization happens
Whether at a data center, an edge location or somewhere in the cloud, authorization can occur across various places and multiple systems as identities attempt to access resources or perform certain tasks. Moving authorization as close as possible to the location of the event is essential and has two core benefits:
- Low latency. The request does not need to travel from one point of the network to another.
- High availability. The authorization service can function normally, even if there is an interruption in the network.
To enable this, integrate authorization across the entire cloud stack. This can include identity providers, like Okta and Microsoft Active Directory; Git repositories, for example, GitHub and GitLab; cloud vendor platforms, such as AWS and Microsoft Azure; and security and monitoring tooling, like Splunk and Datadog.
5. Centralize authorization management
Managing all authorization activities for your organization and applications from a single place simplifies operations and facilitates audits. It resolves issues of inconsistent access control, mitigates risks associated with unauthorized access, prevents data breaches and streamlines user management and permissions. It also enhances scalability and flexibility, allowing each microservice to operate securely without compromising system integrity. By centralizing and standardizing authorization, an organization can maintain robust security while enabling agile development of its microservices-based applications.
Twain Taylor is a technology journalist for Fixate I/O. He began his career at Google and has built branded social media applications and automation scripts to help startups better manage their marketing operations.
