Security

Mutual TLS (mTLS) between microservices

The role of identity in digital security is crucial, and this extends to microservices. Some security patterns in microservice architecture overly trust the network once a request has passed a certain point, allowing services within a network segment to call each other without verifying the request or the caller’s identity. This undermines the principle of defense in depth and creates a vulnerability: if an attacker breaches the network, they gain unrestricted access to the microservices.

Instead of establishing large network segments as trust boundaries, the trust boundary should be the microservice itself. Each microservice should not trust external information or parties by default but should verify the identity of any caller and the integrity of the received information. This approach, known as zero trust, can be incorporated into microservices communication to enhance security.

Digital certificates are commonly used to assert the identity of a digital entity. A certificate binds identifying information to a public key and names the certificate authority that issued it. In Transport Layer Security (TLS), digital certificates and Public Key Infrastructure (PKI) enable two parties to communicate securely over an encrypted channel. Typically, TLS involves one-way authentication: the client verifies the server's identity using the server's certificate, which is what the lock icon in a browser indicates for a secure connection to a website such as an online banking site.

For microservices, mutual TLS (mTLS) takes this a step further. Both parties authenticate each other by exchanging digital certificates issued by a mutually trusted certificate authority before a secure channel is established. mTLS is a common method for securing microservices, allowing them to identify and trust each other before communicating. Each microservice is deployed with its own certificate and private key, which secures communication between the API gateway and the microservice deployment and prevents unauthorized callers from reaching the service.
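As an added example (not from the original text), the mutual authentication just described, built on Go's standard library: a demo CA issues certificates to a service and to its callers, the service accepts only callers whose certificate chains to that CA, and each side reads the other's identity from the verified certificate's DNS SAN rather than from network position. The CA, the service names ("orders-service", "checkout-service") and the X-Verified-Caller header are assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a short-lived certificate for name, signed by parent (a self-signed root CA when parent is nil).
func issue(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // root CA: sign the template with its own key
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, key.Public(), parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// newMTLSServer starts "orders-service"; its handler only ever runs for callers whose certificate chains to ca,
// and it reports the caller identity taken from the verified peer certificate (demo header, an assumption).
func newMTLSServer(ca tls.Certificate) (*httptest.Server, *x509.CertPool) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Verified-Caller", r.TLS.PeerCertificates[0].DNSNames[0])
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{issue("orders-service", false, &ca)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv, pool
}

// call is the client side: verify the server really is "orders-service" and present id (nil = no client identity).
func call(url string, pool *x509.CertPool, id []tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool, ServerName: "orders-service", Certificates: id}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil { // a missing or untrusted client certificate fails the handshake and lands here
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Verified-Caller"), nil
}
```

Exercise it from a test in the same package: issue a root, start the server, then call it with a certificate from that root, with none, and with one from an unrelated root; only the first call reaches the handler.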

One challenge with mTLS is the management and provisioning of certificates, especially for microservices hosted in ephemeral containers that can spin up and down unpredictably. Certificate provisioning and rotation need to be automated to handle the dynamic nature of microservices deployments. Container orchestrators and service meshes with built-in features for managing mTLS can address these challenges.

Configuring mTLS capabilities adds a significant layer of security to microservices, making it a worthwhile effort. Relying solely on network trust exposes microservices to substantial risks, highlighting the importance of adopting a zero trust approach and implementing mTLS.