Microservices Architecture All MIS603
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 1/7
MODULE 5 TOPIC 1 RESOURCES AND ACTIVITIESMODULE 5 TOPIC 1 RESOURCES AND ACTIVITIES
Security
Introduction:
Security is a highly specialised �eld, however understanding security within the
context of microservices architecture is vital for all working in this context owing to a
distributed architecture and reliance on communications integration. Data is a highly
valued ‘commodity’ - not only to the company that holds it, but also to customers who
are relying on companies to safeguard their information. Data breaches not only
expose companies to loss of the data that gives them a leading edge over competitors
but exposes them to further risks of �nancial loss of having to make restitution to
customers who have been compromised.
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 2/7
Mandatory disclosures are also legally required for companies that have experienced
a breach, and the resulting �nes can be substantial. In other cases, consumers can
enter class action lawsuits against companies to make civil claims of loss. It is
estimated that Uber’s 2016 data breach cost the company USD 150 million, however
the Equifax data breach stood at an agreed payout of USD 575 million in a settlement
with the Federal Trade Commission and Consumer Financial Protection Bureau
(Swinhoe, 2020). Above and beyond this, companies are subject to the loss of
reputation when exposed to data breaches. Where previously in a monolith and
‘waterfall project’, security could be brought in as a separate task to be undertaken by
specialists at a key point on the critical path of the project – in a DevOps world with a
microservices architecture – everyone is responsible for security. Developers who are
building each microservice and embedding it within a communications integration
context needs to have a clear understanding of how they can contribute to creating
and managing services where security is inherently built in at all layers of the
architecture. While governance in the design of the organisation’s overall
microservices architecture and communications integrations strategy, there are
elements that need to be considered on every step of the way in developing
microservices.
References
Swinhoe, D. (2020, January 31). The biggest data breach �nes, penalties and settlements so far.
CSO. Retrieved from https://www.csoonline.com/article/3410278/the-biggest-data-breach-�nes-
penalties-and-settlements-so-far.html?page=2
Resources and Activities:
Security and Microservices by Sam Newman
While this is an excellent video (and an opportunity to see an author, we
have referenced many times in this subject) it is long.
While you can bene�t from watching the whole video and may choose to do
so, please focus on speci�c sections if you are pressed for time:
8:07 – 12:06: Here, Newman identi�es a model for managing security in a microservices environment around 4 principles: Prevention, Detection, Response and Recovery
21:25 – 26:33: How using HTTPS between services o�ers an additional layer of security in a distributed environment
28:15 – 29:45: How Authentication & Authorization are vital concepts in the management of data security
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 3/7
32:33 – 33:57: Data At Rest and how best to management it to ensure security
Reference:
Devoxx. (2016, November, 10). Security and Microservices by Sam Newman
[Video �le]. Retrieved from https://youtu.be/ZXGaC3GR3zU
(https://youtu.be/ZXGaC3GR3zU)
Authentication and Authorization
Please read pp. 169 – 180.
Newman covers a range of di�erent authentication and authorization
protocols that can/should be considered and used depending on the
di�erent challenges that present in securing a system. In this short reading
you are introduced to each of these protocols with notes about where they
are most suited and bene�ts and drawbacks within in each. It is important
to note the di�erence between the concepts of ‘authentication’ – ensuring
that a user is adequately con�rmed to be who they say they are, and
‘authorization’ where a user has access to data and activities based on their
role and what this requires them to have access to. Note that there are two
themes in this section – user authentication and authorisation (people) and
service-to-service authentication and authorization where other services
make requests or communication calls to another service. The challenges
are di�erent in these areas and you will need to be able to di�erentiate
between them. (Note that this reading aligns to the video clip ‘Security and
Microservices by Sam Newman’, and that watching the clip before the
reading may make it easier to navigate some of the key concepts).
Reference:
Newman, S. (2015). Building microservices: Designing �ne-grained systems.
California, USA: O’Reilly Media. Retrieved from https://ebookcentral-
proquest-com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=1938300&ppg=189 (https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=1938300&ppg=189)
Securing Data at Rest
Please read pp. 180 – 182.
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 4/7
Newman focusses on the importance of encrypting as much data at rest as
is feasible, and only decrypting data when it is required for use. Note the
practical tips about the appropriate storage of encryption keys as well as
aligning to the proprietary encryption capability where it is available within
the technology rather than experiencing alignment challenges. (Note that
this reading aligns to the video clip ‘Security and Microservices by Sam
Newman’, and that watching the clip before the reading may make it easier
to navigate some of the key concepts).
Reference:
Newman, S. (2015). Building microservices: Designing �ne-grained systems.
California, USA: O’Reilly Media. Retrieved from https://ebookcentral-
proquest-com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=1938300&ppg=200 (https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=1938300&ppg=200)
Defence in Depth
Please read pp. 169- 188. There are several standards, tried and trusted
defensive measures that are used in defending company systems. It is well
worth understanding these and the bene�ts each bring so that you can
ensure that they are included to ensure that you are able to take a
comprehensive view of the security landscape supporting microservices
architecture. (Note that this reading aligns to the video clip ‘Security and
Microservices by Sam Newman’, and that watching the clip before the
reading may make it easier to navigate some of the key concepts).
Reference:
Newman, S. (2015). Building microservices: Designing �ne-grained systems.
California, USA: O’Reilly Media. Retrieved from https://ebookcentral-
proquest-com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=1938300&ppg=189 (https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=1938300&ppg=189)
Basic Security Requirements
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 5/7
Please read pp. 252 – 254. In this short reading Surianarayanan et al.
outlines the three security requirements of any application: con�dentiality,
integrity, and availability. Each of these requirements is de�ned with
examples, with implementation recommendations to mitigate each type of
security requirement. This reading will develop your understanding of
security concerns and mitigations in any systems environment, o�ering a
frame of reference to broaden your knowledge of how data security should
ideally be managed.
Reference:
Surianarayanan, C., Ganapathy, G., & Pethuru, R. (2019). Essentials of
microservices architecture: Paradigms, applications, and techniques.
Florida, USA: CRC Press. Retrieved from https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=5883406&ppg=273 (https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=5883406&ppg=273)
Pragmatic Architecture for Secure MSA
Please read pp. 255 – 256. Pay attention to Figure 9.2 – Pragmatic
architecture for a secure MSA application. Note how Surianarayanan et al.
specify how there are three layers and two separate zones: a trusted zone,
and a jungle zone. They specify which applications belong in each zone and
how this in�uences the decisions taken regarding security. Also note how
various application layers are allocated roles in meeting the di�erent types
of data security requirements
Reference:
Surianarayanan, C., Ganapathy, G., & Pethuru, R. (2019). Essentials of
microservices architecture: Paradigms, applications, and techniques.
Florida, USA: CRC Press. Retrieved from https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=5883406&ppg=275 (https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=5883406&ppg=275)
Security Mechanisms for MSA Applications
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 6/7
Please read pp. 256 – 260.This reading outlines the di�erent security
treatments and mechanisms as required in the di�erent layers of the
system and possible appropriate solutions to manage security e�ectively
with certain protocols and applications.
Reference:
Surianarayanan, C., Ganapathy, G., & Pethuru, R. (2019). Essentials of
microservices architecture: Paradigms, applications, and techniques.
Florida, USA: CRC Press. Retrieved from https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=5883406&ppg=277 (https://ebookcentral-proquest-
com.ezproxy.laureate.net.au/lib/think/reader.action?
docID=5883406&ppg=277)
Additional Learning Resources
If you would like to learn more about the topics covered in this module, here are
some additional resources. These resources will contribute to further develop
understanding of the topics covered. However, these resources are not essential
to complete this module or the assessments associated with this subject.
Controls of security and risk of breaches
This article will give you clear insights how poor controls of security and risk
of breaches can put organisations at risk of substantial �nancial loss, and
that breaches can come from many places but most often occur because of
a lack of considered approach.
Reference:
Swinhoe, D. (2020, January 31). The biggest data breach �nes, penalties and
settlements so far. CSO. Retrieved from
https://www.csoonline.com/article/3410278/the-biggest-data-breach-�nes-
penalties-and-settlements-so-far.html?page=2
(https://www.csoonline.com/article/3410278/the-biggest-data-breach-�nes-
penalties-and-settlements-so-far.html?page=2)
Learning Activity 1: Security Data at Rest - Discussion forum post
6/3/2020 Laureate International Universities
https://laureate-au.blackboard.com/webapps/blackboard/content/listContent.jsp?course_id=_89956_1&content_id=_8971658_1&mode=reset 7/7
Learning Activity 2: Authentication vs. Authorisation - Discussion
Forum Post
Collaborative learning activity – Building Blocks of Data Security
Note: The Learning activities above are not part of summative/graded assessment;
however they are designed to prepare you for incremental graded assessment and
expand your learning.
These activities encourage a community learning experience between peers, and
provide opportunities for facilitators to o�er formative feedback, throughout a
module, to the student cohort.