MTLS in a Microservices World
9 likes2,008 views
The document discusses the implementation of mutual TLS (mTLS) in a mobile payments company's microservices infrastructure to secure communications and establish a common security framework. It emphasizes the importance of automated certificate management, strict authentication and authorization practices, and the principle of least-privilege in the deployment of services. Additionally, it addresses challenges with certificate management and the integration of external Certificate Authorities (CAs) for enhanced security measures.
![[ { "permission":
{ "method": "GET", "resource": "/user" },
"allow": ["web", "fulfillment", "payments"] },
{ "permission":
{ "method": "POST", "resource": "/user" },
"allow": ["signup", "web"] },
{ "permission":
{ "method": "DELETE", "resource": "/user/.*" },
"allow": ["web"]
}]](https://image.slidesharecdn.com/automacon2016-161114184141/85/MTLS-in-a-Microservices-World-34-320.jpg)
MTLS in a Microservices World
- 1. MTLS in a Microservices 🌍 @diogomonica
- 2. - Mobile payments company - Moving $48 billion annually - Infra: Java & Ruby, some Go - Infrastructure Company - Moving 1+ billion containers annually - Infra: Go, some python
- 3. Microservice Security Goals - Provide common security infrastructure - Follow the principle of least-privilege - Better security monitoring - Automated end-to-end secure service deployment
- 4. The Security boundary is the service
- 6. Every service call should be authorized and authenticated
- 7. One node, one ID
- 10. Your provisioning system is your Registration Authority
- 12. Trust on first use
- 13. MTLS
- 15. Key-material stays secret Supported by everything MTLS A LOT of Certs! Confusing for Engineers Unforgiving Revocation? Running a PKI Confidentiality Authentication Integrity
- 16. Key-material stays secret Supported by everything MTLS A LOT of Certs! Confusing for Engineers Unforgiving Revocation? Running a PKI Encryption Authentication
- 17. SWARM
- 18. Mutual TLS by default • First node generates a new self-signed CA.
- 19. Mutual TLS by default • First node generates a new self-signed CA. • New nodes can get a certificate issued w/ a token.
- 20. Mutual TLS by default • First node generates a new self-signed CA. • New nodes can get a certificate issued w/ a token. • Workers and managers identified by their certificate.
- 21. Mutual TLS by default • First node generates a new self-signed CA. • New nodes can get a certificate issued w/ a token. • Workers and managers identified by their certificate. • Communications secured with Mutual TLS.
- 22. The Token SWMTKN-1-mx8susrv1etsmc8omaom825bet6-cm6zts22rl4hly2 Prefix to allow VCS searches for leaked Tokens Token Version Cryptographic Hash of the CA Root Certificate for bootstrap Randomly generated Secret
- 23. Bootstrap 1. Retrieve and validate Root CA Public key material. 2. Submit new CSR along with secret token. 3. Retrieve the signed certificate.
- 24. Automatic Certificate Rotation 1. Submit new CSR using old key-pair. 2. Retrieve the new signed certificate.
- 25. Support for External CAs • Managers support BYO CA. • Forwards CSRs to external CA.
- 26. Demo
- 27. One app, one ID
- 28. Your Orchestration System is your Registration Authority
- 31. CN=api01 CN=db01
- 34. [ { "permission": { "method": "GET", "resource": "/user" }, "allow": ["web", "fulfillment", "payments"] }, { "permission": { "method": "POST", "resource": "/user" }, "allow": ["signup", "web"] }, { "permission": { "method": "DELETE", "resource": "/user/.*" }, "allow": ["web"] }]
- 35. Sane access to raw secrets
- 36. Demo