IBM Security Verify


Securing east-west traffic with IAG in microservice architecture

  • 1.  Securing east-west traffic with IAG in microservice architecture

    Posted Sun January 09, 2022 12:35 PM
    Edited by Øyvind Bergerud Sun January 09, 2022 12:36 PM
    We use IAG as an API gateway inside the Kubernetes cluster, and ISVA (OIDC) as the identity provider, to secure north-south traffic from end users.
    IAG forwards the identity of the end user to the application as a JWT. Each application validates this JWT in code.

    Our Kubernetes environment is set up with Linkerd as a zero-trust service mesh, with mTLS between components.
    This ensures that only authorized applications are able to communicate with each other.

    What is the recommended pattern for identity propagation between microservices, and for authorizing east-west traffic?
    We have around 300 microservices, so traffic out of the cluster for each request would be expensive.

    As I see it there are multiple options:
    1) Traffic from app1 authenticates to the IAG in front of app2 using the JWT bearer token (from the IAG header)?
    2) Same as above, but with a session cookie, with the session shared in Redis
    3) App1 bypasses IAG and lets app2 do the JWT validation/authorization
    4) Some other best practice



    ------------------------------
    Øyvind Bergerud
    ------------------------------


  • 2.  RE: Securing east-west traffic with IAG in microservice architecture

    Posted Mon January 17, 2022 03:19 AM
    The JWT obtained as part of the north-south traffic is not the JWT for east-west traffic.
    There are a number of patterns to secure east-west traffic, but they have a number of common elements:
    - Use an STS (often a component of the IdP or authorization server) to obtain the JWT (E/W) tokens.
    - Use a JWT token to carry the identity of the calling microservice, or use the JWT token to carry the identity of the end user or system that initiated the request.
    The JWT can also be used to propagate identity attributes between multiple trust domains.
    An API gateway (in your case IAG) secures the N/S traffic and delivers a JWT token to microservice 1.
    Microservice 1 calls an STS (ISVA) to obtain tokens for its interaction with microservice 2 (E/W traffic).
    Similar patterns are used in SPIFFE: https://spiffe.io/docs/latest/spiffe-about/overview/ .

    Hope this helps

    Kind regards
    Serge Vereecke
    IBM Security

    ------------------------------
    Serge Vereecke
    ------------------------------