DEV Community: Jananie Perera

SPRING SECURITY

Jananie Perera — Wed, 13 Mar 2024 19:39:42 +0000

Microservices

Jananie Perera — Thu, 02 Nov 2023 19:17:32 +0000

In this article we will be discussing about the Microservices compared to the monolith architecture and the characteristics of Microservices and Microservice ecosystem.

Microservices is about the development of a larger application as a suite of modular services. each module supports a specific business goal, or we call it a business functionality. to communicate between and among the independent and separated functionalities well-defined and simple interfaces are used. the following diagram will elaborate the overall view of a microservices architecture.

Microservices are built depending on the business capabilities. this design model is called “Domain Driven Design”. as we are separately developing each microservice, we can use a suitable programming language and a data storage technique irrespective of other microservices. Each microservice is tested and deployed separately, hence faster release cycle is resulted.

Microservices are;

Highly maintainable and testable

Loosely coupled

Independently deployable

Organized around business capabilities

Owned by a small team

Monolith Architecture

monolith architecture is a singular, large computing network with one code base that couples all of the business concerns together.

change in one business capability will result in the re-deployment of whole bundle which consume a lot of time and money in testing. As the scalable unit is large only a single component scaling is not possible and the whole bunch of components should be scaled. Programming language used and data storage technique cannot be changed according to the user requirement due to high coupling with the underlayer frameworks.

Microservices Architecture

Business capabilities should be exactly same in both architectures. Thus, we are defining separate microservice for each, covering all the business capabilities. Business capabilities are system user requirements and that’s why they should not be changed in any of the architectures.

When scaling,

In monolith architecture, we have to replicate the whole bundle in the server while in the microservice architecture we can choose the scalable unit as per the requirement. Replication of a component can be done as needed.

Characteristics of Microservices

Componentization via services

Independently replaceable and upgradable units of the software are called components. We choose microservice component based on the service. Each component provides a separate independent service. Thus, it is called componentization via service. In here the major difference seen in the process of deployment. The deployment is done as a service rather than a .jar/.war file or a dill. In the world of microservices the component is not a library anymore, it is a service.

Organized around business capabilities

All the microservices are organized business capabilities or business functions. Each microservice will provide an independent business function of the system.

Samrt endpoints and dumb pipes

Pipes are only be delivering the message. The main responsibility of the pipe is reliable transmission of the message. No business logics are applied on the pipes. Business logics are only applicable at the end points, which means the microservice is the one that apply the business logic.

Decentralized governance

Choosing the right tool, best technology, suitable programming language and data storage mechanism for each solution is possible with microservice. But in each case best practices and principles should be followed.

Decentralized Data Management

Each microservice maintains an independent and separate data store for them. Each data store is coupled loosely with one another. And also they only connect with other data stores using APIs. Which means data stores do not connect directly with other data stores.

Infrastructure Automation

As we are having several micro-services we have a proper automation pipeline from compilation, deployment and scaling. Maintaing a number of microservices is different than in the monolith architecture. If we are looking forward to moving to the microservices architecture infrastructure automation is a must.

Advantages of infrastructure automation,

Ease of scaling up and down
Faster Deployment cycles
Resilient and highly available

Design for Failure

Application needed to be designed in a way that they can tolerate the failure of services.

Microservices Ecosystem

There are several components that consist of the microservices ecosystem. Those components are identified as follows,

Load Balancer
Service Discovery Server/ Service Registry
API Gateway
Central Configuration Server
Monitoring
Containerization
Centralized log analysis

Let’s dive into a brief introduction to each component.

Load Balancer

Load balancer is responsible for distributing the incoming load/ traffic among many instances of microservices. Load balancers can be seen either as client-side load balancer or server-side load balancers.

Client-side load balancing

In a client-side load balancer service registry has access to all related details about microservices. When a microservice wants to communicate with another microservice, the load balancer on the client side talks to the service registry and does the balancing of traffic on its own at the client side.

This scenario can be explained using the following diagram.

According to the diagram Microservice B has three identical instances. When Microservice A wants to communicate with Micro-service B the load balancer at Microservice A (Client Side) talks to service registry to get details about microservice B and itself decides to which instance the traffic would be routed.

Server-side load balancing

In this scenario also, three instances of microservice B and microservice A is present. Unlike in client-side load balancing here microservice A does not own its own client-side load balancer. Therefore, when microservice A wants to communicate with microservice B it has to send a request to the load balancer component. Then the load balancer component calls to the service registry and route the relevant details about microservice B. then only the load balancer decides to which instance the traffic be routed.

The following diagram shows the server-side load balancing.

_Service Discovery Server/Service Registry
_
Instead of manually keeping a track of the deployed microservices, their hosts and ports, Service discovery functionality or the service registry allows microservices to self-register themselves at startup through APIs.

Though in monolith architecture it is possible to maintain a document about microservices, their ports and all that, In microservices architecture having a dynamically changing architecture maintaining documentation is not possible.

With the service discovery functionality, microservices can update themselves about alterations of their nodes, and IS to the service registry.

API Gateway

In monolithic architecture a single endpoint is there to access all the other services. But in the microservices architecture several endpoints are present. To access those multiple end points while maintaining the uniformity in the architecture API gateways have been deployed. Those API gateways are required to handle and route the requests to the relevant endpoints. To maintain the high availability in the system several API gateways can be deployed.

Central Configuration Server

The central configuration server can be used to apply the configurations to all the microservices at once instead of changing them one by one. At the startup of the microservice the central configuration server requests the configurations of the particular service and keeps a track record of that. If there are any alterations to the configurations, the central configuration server can be modified, so that the other microservices can easily access the updated configurations of a particular microservice.

Monitoring

In monitoring a single server monitors how each microservice is performing. Unlike in the monolith architecture monitoring is quite complex in microservices architecture, thus a single monitoring server is required.

Containerization

Application along with all the dependencies are packaged as a single container. So the container can run itself wherever it is. container runtime or the container orchestrater is enough. Container orchestration is automatically provision, deployment, scaling and management of containerized applications.

_Centralized log analysis
_
Centralized log analysis is used for troubleshooting purposes. A central component collects all the log details about each microservice for easy reference.

Circuit Breaker

Circuit breaker involves in maintain the high availability of the whole application.

_In this article we discussed about the microservices architecture, microservices architecture compared to monolith architecture characteristics of microservices and microservices ecosystem. Microservices architecture is not the absolute best solution for any software project. The architectural design should be chosen depending on the user requirements, performance, security, scalability deployment strategy and all that.

Stay tuned for the next...
Thank You_

IDENTITY AND ACCESS MANAGEMENT

Jananie Perera — Thu, 02 Nov 2023 17:57:25 +0000

Have you ever heard of the concept of Identity and Access Management? Here is a brief introduction to Identity and Access Management and to its main components.

IAM which stands for Identity and Access Management mainly consists of

Identity Management
Access Management

Under Identity Management user is authenticated whether s/he is a legitimate user to the system while under Access Management logged users are granted with necessary privileges to user the system. When considering why we need an IAM it is mainly because of an IAM could prevent inside threats. As per the statistics 60% of internal threats are caused by organizational users while 10% of them are caused by partners and vendors.

Product/Service Components of an IAM

Authentication
Authorization
User Management
Directory Services

When implementing all the four components should be implemented.
Let’s look at each component separately.

Authentication

Under the process of authentication, it tries to verify the identity of the user. For this verification process session and token management, password management, Multifactor Authentication (MFA) can be used.

Password Management – The users who have access to several different environments, tend to use same password for every environment. In such situations, a single sign-on master password can be allowed which gives access to other environments also. So that one login allows all the other logins. The fact that says one strong password is better than ten weak passwords concept has been applied here.

Multi-factor Authentication – MFA is used to validate a user whether s/he is a legitimate user using two or more factors. In MFA combination of something you have, something you know and Something you are criteria are used.

Authorization

Under authorization a legitimate user is specifying with the right access/privileges to the system. Under proper authorization un-authorized access to the system will be prohibited and data integrity will be secured. To specify the legitimates access,

role-based access granting
rule-based (IP) based access granting
privilege-based access granting

mechanisms can be used.

Privilege based authorization – A Privilege Access Management (PAM) will help in controlling users and their privileges. But we cannot control the activities of a particular user. Here we can user time-based privileges for the user to control their actions. In time-based privilege the users are granted with specific privileges only for a specific time-period.

User Management

Under user management, what a specific user can do is controlled. This component ensures that the user is having only what is needed. Not the unnecessary privileges. For the purpose of user management, the following steps can be taken.

Provisioning
User and role management
Password management
Self-services
Delegated administration

For the purpose of user management, under user profile management, policy base profiles can be created. The user profiles that are created under policies can also be managed with password which can be identified as a self-service to the user. The created user profiles are then being assigned to a group profile where a specific user profile can inherent the authorities. But with this group profiles a user may misuse his/her authorities. As a solution for this command level restrictions can be assigned. With the command level restrictions need of higher-level authorizations and real time alerts for dangerous tasks can be implemented.

Directory Services

A directory service is a database that stores information about users, devices, and resources. Library object access, IFS access and File share access are identified as the main components in directory services. One of the major concerns in here is attackers target IFS to spread the ransomware/ malware. Therefore, Auditing and Reporting is a key component in IAM solution.