Drawing a moat and protecting one's castle with high walls - that's how IT security used to be. But dark castles are long gone and the paradigm shift in IT security is also in full swing: away from the old castles to the user-friendly hotel. Away from large applications, towards agile microservices and microgateways.
Like a modern, professional hotel: this is how web services and IT security must be today. From the sofa, the guest identifies himself to the digital concierge and receives his personal radio key from him. With this time-limited access card, they can not only enter the hotel day and night. The key is checked again and again at numerous points in the hotel without the guest even noticing: the access controls at the room door, at the minibar or when entering the breakfast buffet are practically invisible - as long as the authorization is correct. This allows the hotel to control access in a fine-grained way and at the same time personalize the experience - depending on the booking, status and preferences of the guest. After all, the consumer is spoiled: the Big 5 (Google, Apple, Facebook, Amazon, Microsoft - GAFAM) set the standard for customer expectations today. Companies that cannot keep up here will soon lose out.
Consistent security experience through upstream identification
A good customer experience must be consistent and simple. For security issues like authentication and access control, this means: solve once and reuse. Developers should not have to worry about passwords or 2FA. The upstream authentication is a standard service that is as far as possible decoupled from the applications. A super concierge, so to speak, who knows every guest and can serve them all at the same time. This way, the guest always has the same contact person and a uniform customer experience.
Central identification, distributed access control
Authentication in the form of identity services is best provided centrally. This relieves the application developers and increases both security and flexibility. For example, the login method can be adapted centrally without having to change all applications individually. Access controls, on the other hand, are as widely dispersed and decentralized as hotel services. IT architectures are also increasingly distributed and changing dynamically: monolithic web applications are being replaced by countless microservices, where data and applications are scattered and accessible from everywhere. Automatic scaling and the rolling out of new versions mean that new containers are constantly being launched. With the increasing complexity, a system is quickly forgotten; the comprehensive protection of sensitive data becomes a challenge. Access control must therefore shift from the outer perimeters towards the individual services. Instead of blind trust, the hotel guest is continuously but unobtrusively controlled.
Heterogeneous IT structures: With microservices and zero-trust architecture
It is most efficient and secure if these controls do not take place in the application itself, but in a microgateway directly in front of it. To be more precise, in many microgateways: if zero trust is implemented consistently, each (micro-) service has its own microgateway. Here, too, the decoupling and reuse of security checks accelerate development. Indirectly, microgateways ensure faster prototyping and the uncomplicated launch of new offers.
Microgateway: The success factor for agile IT security
Microgateways are highly efficient and can be implemented quickly and in a resource-saving manner. Technically, a microgateway is essentially a reverse proxy that filters the data traffic passing through and checks the access key (e.g. in the form of a JWT token) for each request. Depending on the type of data traffic, the microgateway acts as a web application firewall or as an API security gateway. Thanks to simple automation and optimization for orchestrated container environments, microgateways are a key element of any DevSecOps initiative.
Twice the impact
Despite the many microgateways, the central security gateway is not yet obsolete. The role of the gateway at the periphery of the corporate network is changing to ensure basic protection. Every security expert preaches that double is better. This role adjustment will not happen overnight and there will be a transitional phase in which not all applications have their own microgateway. Often, there will be purchased applications in addition to the self-developed applications, which will continue to be protected centrally. Nevertheless, with each application that uses a microgateway, the configuration of the central gateway becomes easier and less complex.
Access management can be another reason why a central gateway has great advantages. In modern systems, it is increasingly common to use different identity providers to authenticate users. The administration and integration of the different identity providers is usually done in the Identity and Access Management (IAM). The IAM checks all external tokens and then issues a single, internally valid token. This simplifies the task for each microgateway because all microgateways only have to support one type of token. It relieves the application developers because the integration of new identity providers and the adaptations for existing ones are solved in the central IAM service. This transformation of external identities into an internally valid token is enforced by the central gateway directly at the periphery.
Intelligent security: bringing together what belongs together
Conclusion: Business processes and software development are becoming increasingly agile. IT security must keep pace to avoid becoming a brake. There is no way around DevSecOps methods, which can best be implemented with microservices, microgateways and a zero-trust architecture. But this shift to an agile security culture does not happen overnight and the subsequent result is not a simple black and white. Because truly high-performance security is always tiered security: with an API security gateway to protect APIs, with a reliable IAM system for the central authentication processes and with microgateways that ensure the fine-grained filtering of requests and the security of the specific microservice or application.
Airlock Microgateway: Try-Before-You-Buy
Better than many words: Test the Airlock Microgateway now for free and use the basic functionality free of charge. However, advanced security functions are reserved for the premium version. This includes, for example, checking and enforcing OpenAPI interface descriptions.