Drawing a moat and protecting one's castle with high walls - that's how IT security used to be. But dark castles are long gone and the paradigm shift in IT security is also in full swing: away from the old castles to the user-friendly hotel. Away from large applications, towards agile microservices and microgateways.

Like a modern, professional hotel: this is how web services and IT security must be today. From the sofa, the guest identifies himself to the digital concierge and receives his personal radio key from him. With this time-limited access card, they can not only enter the hotel day and night. The key is checked again and again at numerous points in the hotel without the guest even noticing: the access controls at the room door, at the minibar or when entering the breakfast buffet are practically invisible - as long as the authorization is correct. This allows the hotel to control access in a fine-grained way and at the same time personalize the experience - depending on the booking, status and preferences of the guest. After all, the consumer is spoiled: the Big 5 (Google, Apple, Facebook, Amazon, Microsoft - GAFAM) set the standard for customer expectations today. Companies that cannot keep up here will soon lose out.

Consistent security experience through upstream identification

A good customer experience must be consistent and simple. For security issues like authentication and access control, this means: solve once and reuse. Developers should not have to worry about passwords or 2FA. The upstream authentication is a standard service that is as far as possible decoupled from the applications. A super concierge, so to speak, who knows every guest and can serve them all at the same time. This way, the guest always has the same contact person and a uniform customer experience.

Central identification, distributed access control

Authentication in the form of identity services is best provided centrally. This relieves the application developers and increases both security and flexibility. For example, the login method can be adapted centrally without having to change all applications individually. Access controls, on the other hand, are as widely dispersed and decentralized as hotel services. IT architectures are also increasingly distributed and changing dynamically: monolithic web applications are being replaced by countless microservices, where data and applications are scattered and accessible from everywhere. Automatic scaling and the rolling out of new versions mean that new containers are constantly being launched. With the increasing complexity, a system is quickly forgotten; the comprehensive protection of sensitive data becomes a challenge. Access control must therefore shift from the outer perimeters towards the individual services. Instead of blind trust, the hotel guest is continuously but unobtrusively controlled.

Heterogeneous IT structures: With microservices and zero-trust architecture

It is most efficient and secure if these controls do not take place in the application itself, but in a microgateway directly in front of it. To be more precise, in many microgateways: if zero trust is implemented consistently, each (micro-) service has its own microgateway. Here, too, the decoupling and reuse of security checks accelerate development. Indirectly, microgateways ensure faster prototyping and the uncomplicated launch of new offers.

Microgateway: The success factor for agile IT security

Microgateways are highly efficient and can be implemented quickly and in a resource-saving manner. Technically, a microgateway is essentially a reverse proxy that filters the data traffic passing through and checks the access key (e.g. in the form of a JWT token) for each request. Depending on the type of data traffic, the microgateway acts as a web application firewall or as an API security gateway. Thanks to simple automation and optimization for orchestrated container environments, microgateways are a key element of any DevSecOps initiative.

Discover Airlock Microgateway

Twice the impact

Despite the many microgateways, the central security gateway is not yet obsolete. The role of the gateway at the periphery of the corporate network is changing to ensure basic protection. Every security expert preaches that double is better. This role adjustment will not happen overnight and there will be a transitional phase in which not all applications have their own microgateway. Often, there will be purchased applications in addition to the self-developed applications, which will continue to be protected centrally. Nevertheless, with each application that uses a microgateway, the configuration of the central gateway becomes easier and less complex.

Access management can be another reason why a central gateway has great advantages. In modern systems, it is increasingly common to use different identity providers to authenticate users. The administration and integration of the different identity providers is usually done in the Identity and Access Management (IAM). The IAM checks all external tokens and then issues a single, internally valid token. This simplifies the task for each microgateway because all microgateways only have to support one type of token. It relieves the application developers because the integration of new identity providers and the adaptations for existing ones are solved in the central IAM service. This transformation of external identities into an internally valid token is enforced by the central gateway directly at the periphery.

Intelligent security: bringing together what belongs together

Conclusion: Business processes and software development are becoming increasingly agile. IT security must keep pace to avoid becoming a brake. There is no way around DevSecOps methods, which can best be implemented with microservices, microgateways and a zero-trust architecture. But this shift to an agile security culture does not happen overnight and the subsequent result is not a simple black and white. Because truly high-performance security is always tiered security: with an API security gateway to protect APIs, with a reliable IAM system for the central authentication processes and with microgateways that ensure the fine-grained filtering of requests and the security of the specific microservice or application.

Airlock Microgateway: Try-Before-You-Buy

Better than many words: Test the Airlock Microgateway now for free and use the basic functionality free of charge. However, advanced security functions are reserved for the premium version. This includes, for example, checking and enforcing OpenAPI interface descriptions.

Try Airlock Microgateway

Blognews directly to your inbox

The Airlock Newsletter informs you continuously about new blog articles.

Subscribe blognews

Comments 0

Write comment

Comments closed

Information for you

-Our whitepapers-

Visit us at it-sa!

From 8 to 10 October you can visit us at the it-sa, the largest IT security event in Europe. Learn the latest news about application security, API security, access management and cloud security. In our congress on 9 October you can learn in many further lectures how you should turn your IT security from a spoilsport to an accelerator of your digitization projects.

Register now and get a free ticket

Study Application and API Security 2022

In a recent study in cooperation with CIO, CSO and COMPUTERWOCHE, Ergon Airlock looked at application and API security in the container environment.

Request study

Zero Trust is a journey

The digital transformation of the world continues to progress, and it is profoundly affecting private life and job profiles in a manner that was hard to imagine just a few years ago.

This whitepaper covers the effects of continuous digitization and its implications.

Request free of charge

Toward DevSecOps

In this whitepaper, you will learn the most important insights into how you can successfully and efficiently implement DevSecOps, which security components are required for this, and what benefits a microgateway architecture brings.

Request free of charge

Airlock 2FA - Strong Authentication. Easy.

The two-factor authentication in the area of IT security offers double the security.

Find out more about strong authentication and the possibilities that Airlock offers in our whitepaper.

Request free of charge

Further whitepapers

We provide whitepapers on these and other topics free of charge:

  • successful IAM projects
  • Compliance
  • Data protection (GDPR)
  • Introduction of PSD2
  • PCI DSS requirements
Request free of charge