Cloud Architecture Pattern: Azure Service Fabric and Microservices – Part 3 (Security Architecture)

Securing public cloud implementation is critical, it is called Public Cloud because it is accessible via the direct Internet access otherwise secured through network access control, identity access control or secrets (i.e. certificates). In this regards, customers should engage with CSP (cloud service provider) around cloud security and compliance. My personal experience with Microsoft Azure has been present so far; I always gain something more in-depth internal security and compliance knowledge every time I requested through proper channels.

For Microservices and Service Fabric starter pack, I am going to evaluate based on following classification,

• Perimeter and Network
• Application and Endpoint
  • Identity and Access Management (IAM)
  • Service Fabric Cluster Security
  • Antivirus and Antimalware
• GRC and Audit
• Security Orchestration

Perimeter and Network Security

Perimeter Security refers to natural barriers or built fortifications to either keep intruders out or to keep captives contained within the area the boundary surrounds – Wikipedia  . From a Cyber Security perspective, the perimeter security provides the first level of protection against malicious attacks.

The fictional End to End Architecture consist following Perimeter boundaries,

• Microsoft Azure internal security (Network Perimeter and CSP) – Video 
• Application Gateway Subnet (Network Perimeter)
• Network Subnet Segmentation for each Microservices Layer.
• NSG  (Access Control List – ACL rules for incoming and outgoing traffic i.e. ports, hosts, ip) for each Subnet and Service Fabric Node.

For advance implementation, you can also consider,

• NGFW (Next Generation Firewall)  – Many market leaders are offering SECaaS (Security As A Service) products on Microsoft Azure and some of them has deep integration with other security services i.e. Security Center, to provide end-to-end security solution.
• Perimeter and Network Vulnerabilities scanners (i.e. Tenable  , Qualys  , Rapid7  , Alert Logic  , Tripwire  )¹.
• IDS/IPS deep packet inspectors².
• Advance Web Application Firewall (WAF) (i.e. Sophos XG  , Barracuda NextGen Firewall  , Fortinet WAF  , CISCO Firepower Next Generation Firewall  , CheckPoint vSec  )³.

¹Implementing some of above mentioned products require specialised knowledge and skills in Cyber Security, but I thought worth referencing them.
²Perimeter and Network Vulnerabilities scanners would provide IDS/IPS capabilities as in-one solution.
³Application Gateway (WAF) provides basic Web Application Firewall support. Designed for purpose WAF appliance is recommended for advance security and compliance specific implementation.

That is an impressive list of security components, but I think security is subject to application. Therefore, we must consider the application once we identify perimeters. I would recommend applying rules based on threat assessment, vendor best practices and industry best practices in the precedence.

Simplified Decision Flow for Boundary Security

The following logic chart can help you to simplify your decision or a direction of your decision regarding various boundary security implementation patterns.

Application and Endpoint Security

Application and Endpoint Security is one of the most important areas to consider for every Microservices implementation. Traditionally, SPA (internet-facing) systems are secure at the web front-end and implement full or partial trusted system at the backend. With Microservices, it is not good practice, and you should delegate the access management to the throughout Microservices layer.

Identity and Access Management (IAM)

Microservices patterns would increase the number of the endpoints compare to traditional web applications. Thus the real challenge is to build or select a lightweight Authorisation/Authentication service (IAM Module). Implementing heavyweight IAM Module could make your application very slow for users.

I believe there is no straight answer to this question but I have always advocated Practical Security. No doubt this subject is for an extensive evaluation with real-world scenarios and individual application risk profile. I have listed some Microservices friendly options as a reference point,

• API Management (Application Perimeter) 
• OAuth 2.0 
• OpenID Connect 
• JSON Web Tokens (JWT) 
• SAML in Azure and Assertion Consumer Service (ACS) 
• AD FS in Azure 

Azure API Management can provide jumpstart solution for API Key management, OAuth, Azure AD Sign-in, JWT.

Service Fabric Cluster Security

Service Fabric Cluster hosts your Microservices, therefore it must be secured to prevent unauthorised access from the known or unknown actor (not service fabric actor) especially in production. There are various cluster security patterns are supported by Azure Service Fabric.

• Node to Node security 
• Client to Node security 
• Role-based access control (RBAC) 

You should evaluate your prospective threats and security viewpoints to identify requirements and mitigation techniques. However, in the most likely scenarios, you would need Node-to-Node security. I would also recommend reading X.509 certificates  in Service Fabric.

Antivirus and Antimalware

Antimalware and Antivirus protect Service Fabric host and operating system in real-time, it helps to identify and remove viruses, spyware, any malicious actor. Microsoft Azure offers an Antimalware extension for VM and Azure Cloud Services  .

For advance security requirements, you can consider TrendMicro Deep Security for Azure  , Sophos  , etc.

GRC and Audit

Governance, Risk Management and Compliance – GRC and Audit, if you have specific compliance requirements for your Microservices implementation than ideal practice would be them to descope from remaining. It is one of the main advantages of the Microservices architecture pattern.

Microservices should enable the organisation to take on a specific approach to governance that it has of different services. It would start with a consistent model for data classification and integrity of business processes. It would help defining threat model for individual services that handle the most classified and sensitive data and the where the controls are necessary to fulfil organisation’s security and compliance needs.

As Microservices proliferate, it would ensure that burden of compliance is concentrated and limited to a small number of services or domains. Descoping remaining services would yield innovation, cost effectiveness and human resource requirements.

Following the similar principle, Microsoft Azure and Service Fabric would allow you create multiple clusters with Network Segmentation (through Subnet and Perimeter Boundary). PCI-DSS (Network Segmentation for CHD Environment), SoX (recommends Perimeter security should be controlled with firewalls and monitored with intrusion detection systems), Personal Health Information (widely known as PHI).

For advance logging and auditing capabilities, Application Architecture Patterns such as CQRS  where model is an append-only stream would ensure you end-to-end trail. System specific telemetry and audit log, you can use Azure Log Integration  or Kibana  + Logstash  as a log-shipping solution. Application Insights  could provide Application and QoS telemetry insights.

Security Orchestration

In Microsoft Azure, Security Center  connects various security tools, disparate security systems, Azure Virtual Appliances and essential logging. In Security Center, you can define policies according to risk level and type of data classification and sensitivity of the data.

If above mentioned Virtual Appliances, Security Appliances, Key & Certificate Systems are implemented as recited best practices then Azure Security Center, and individual dashboards of the product would provide a complete (or practically acceptable) Security Orchestration solution. Later, you can always realign with your organisation’s requirement, industry and compliance specific boundaries, user access, roles and responsibilities of security actors including bots and humans. If Azure Security Center is not sufficient then you can also evaluate third party options i.e Tufin  .

Summary

Some of the above-discussed topics are a specific subject for separate article in themselves, but the scope of this series is to give a jumpstart or fast start for Microservices with Azure Service Fabric and Microsoft Azure. I have deliberately left some edge scenarios out and refrained commenting on deep domain topics, thus if you are implementing Compliance specific Microservices or advance architecture design due to nature of business or industry (i.e. BFSI) than it is recommended to rereview the recommendations based on threat perception or risk modelling.

Practical Security is the best security practice and would quote a state, “There is always something you can do extra”.

Security’s primary drivers are revenue protection (including brand protection), any material (information in any form i.e. paper or digital) could harm or put a person or organisation in any risk, protecting IP. I think good security should be innovative and step-ahead. There is no scientific theory that suggests spending more money, resources would make you more secure.