Microservice security Flashcards

1
Q

Describe the monolithic architecture?

A

user interface
Business logic
Data access layer
->
<-
DB

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What are some downsides of using a monolithic architecture? (3)

A

Limited scalability

Single-point of failure

Must rebuild entire development to change a small constraint or check

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Describe the microservice architecture (5)

A

Loosely coupled

Communicate via APIs

Maintainable and testable

Independently deployable

Organized around business logic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the structure of microservice architecture?

A

user interface -> microservice ->DB

Microservice [presentation-, business-, data-layer]

Interface connected to multiple microservices, each connected to individual DBs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Name microservice security challenges (7)

A

Trust between services

Large attack area

Testing

Low visibility

Polyglot Architecture

Container management

Secret management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Name causes of microservice security challenges (4)

A

Architectural complexity

Poor testing

Immature tools and standards

Developer inexperience

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Name consequences in microservice security (3)

A

Susceptible to attack

Performance overhead

Increased faults

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the abstractions in microservice security? (3)

A

Service/Application

Communication

Visualization/Cloud

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are the objectives of microservice security? (5)

A

CIA

Resiliency

Visibility

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Describe what we mean by low visibility of microservice architectures

A

Usually deployed on cloud. Cloud infrastructure tend to be opaque and disparate (different from normal).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are some challenges in regards to cloud usage? (3)

A

Securing internet-facing service endpoints

Having access management from enterprise to cloud.

Secure inter-service communication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Why is trust between services important?

A

Some microservices might be malicious and can compromise the services they communicate with

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What can cause insecure communication between services?

A

Insufficient auth

Improper authorization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is a polyglot architecture?

A

Using several languages

Service 1: Java
Service 2: Python

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is a security challenge with polyglot architecture?

A

Need to have dedicated experts who specialize in a particular technology stack.

Difficult to have a sentralized security team taking care of every service.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What are the 5 parts of security countermeasures in micro services?

A

Best practises

Methods

Deployment tools

Development tools

Patterns

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Name some best practices

A

Defense in depth

Encryption

least privileges

rate throttling (limit number of requests from a single user)

DevSecOps

Immutable container

Secure by design

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Name some methods

A

Standards (OAuth)

Protocols (Open ID connect, mTLS)

TOKENS (JWT)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Name some dev tools

A

Container orchestration (docker, kubernetes)

Testing

Scanners

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Name some deploy tools

A

Certificate management

Real-time monitoring

Benchmarking

config management

Identity management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Name some Patterns

A

API gateway

circuit breaker

Strangler

22
Q

What does rate throttling defend against?

23
Q

How can traffic be throttled?

A

Identify that congestion is approaching

Send feedback to sender of traffic, warning against sending more packages

24
Q

What is HSM

A

Hardware Security Module

25
What is HSM bootstrapping?
Defends against attacks targeting hw hosting the services
26
What is trusted execution environments?
Also called HSM bootstrapping Guarantees confidentiality and integrity of execution environments
27
Where is auth and authorization needed? (4)
API gateways microservices from API to micro Between micro
28
Name 3 types of API gateways
NAT gateway Peering gateway Internet gateway
29
What is a NAT gateway?
Network address translation Gateway allows traffic from internet to flow into private subnets
30
What is an internet gateway?
Required when subnets are communicating with the internet
31
What is a peering gateway?
Establishes and controls communication between two VPCs
32
What is a VPC?
Virtual private clouds
32
What is important in API gateway security?
Verifiable client identification at entry points (mandate every request to contain client-ID or access token) Authorization policies to control access Throttling request traffic (max number request per time, max number of simultaneous requests)
33
Why is service level authorization used?
Gives each microservice control to enforce access control policies
34
What is external Entity Identity Propagation?
The edge layer propagates an uthenticated external entity identity and a request to downstream micro services
35
Where do external Entity Identity Propagation happen?
Between API-gateways and microservices
36
How is external Entity Identity Propagation done?
A microservice has to understand the caller's context (userID, roles/groups) A data structure representing the external entity is generated, signed or encrypted by the trusted issuer and propagated to internal microservices.
37
What is mTLS?
Mutual transport layer security Each microservice has public- and private key. Uses these to auth to the recipient microservices via mTLS
38
How can service-to-service auth be done?
mTLS Token-based
39
Describe token-based auth
Caller service obtains a signed token by invoking a token service using its own service ID and password. Attack tokens to outgoing requests
40
Name 5 patterns
Circuit breaker CQRS Strangler Phantom token Sidecar proxy
41
What is a Circuit breaker
A service failure protection, handle it so the failure does not propagate through system. Real-time monitor and alert Tolerates failures to certain threshold After threshold, fallback methods are invoked
41
What is CQRS
Comman query responsibility segregation Separates read and update operations for a data store This optimizes its performance, scalability, security
41
Why does CQRS help with security?
Easier to ensure only the right domain writes on the data
42
What is strangler?
Used when migrating from monolithic to microservices Mitigates risks associated with large-scale modernization projects
43
What is a phantom token?
Preserves privacy using opaque and JWT tokens
44
What is the flow of phantom tokens? (4)
1. Client retrieves opaque token 2. Client forwards token in API-request 3. The reverse proxy looks up the JWT token by calling the Introspection endpoint of the Token service. This is for authorization reasons 4. Reverse proxy replaces opaque with JWT in the actual request to the microservice
45
How can you use sidecars for security?
Add cross-cutting security controls to application components that is not natively designed with that functionality
46
What is a sidecar proxy?
Sidecar is attached to a parent application. Provides supporting features Co-locates set of tasks with primary application, but places them inside their process or container
47
2 types of communication between services?
Service-level authorization Service-to-service authentication