Microservices Rising, Legacy Security Falling Short
August 15, 2016

Amir Sharif
Aporeto

The software industry has accelerated its shift towards microservices and has fully embraced distributed, cloud native apps. Because existing application security models were designed for a different era, they are woefully inadequate, exposing both consumers and companies. By (mis)matching where software is going with what application security has been, and as evidenced by several recent high-profile leaks, we are all at risk.

Finding their roots in the 90s, “microservices are a more concrete and modern interpretation of service-oriented architectures used to build distributed software systems.” The 90s marked the dawn of the distributed application era as it exists today. Precisely and not surprisingly, it was also the time that defined data center security with the ubiquitous use of firewalls, ACLs, NAT, etc.

Given distributed applications’ history and coexistence with erstwhile proven security methods, the central question is what has changed to render these applications less secure? The answer is feature velocity, application scalability, and shifting topology.

Microservices and DevOps have enabled companies to be faster and more agile, delivering more features in less time. One of the “features” of cloud-native applications is scalability. Take the latest app craze, Pokemon Go, and notice its download patterns from a single mirror site.


There was a 6X download demand increase from May to June and a commensurate drop in July. As the game grew (and apparently shrank) in a short time, it put tremendous stress on the underlying infrastructure because of its constantly changing topology.


Before the cloud and the elasticity of its underlying infrastructure, and before microservices and the current-day distributed applications, change was infrequent, planned for, and required proactive provisioning. Accordingly, resource usage – or rather "reservations" – were predictable and resembled a step function (see “Your Father’s Oldsmobile” in the chart above). In contrast, distributed apps like Pokemon Go have unpredictable user demand curves and seem more like a random function. As the elastic infrastructure responds to the distributed application’s need for scale by provisioning more computation, storage, and network resources, the application topology changes. These rapid changes are disproportionately (quadratically) difficult to respond to when network communications are central to application security, making this precisely a mismatch between distributed application needs and existing security methods.

Existing security methods were designed when Your Father’s Oldsmobile was in vogue and change was more predictable and less frequent. Change request submissions tickets were issued to someone, approved manually, and rolled into production slowly. A bevvy of automation tools and startups are attempting to solve this problem through automation and machine learning; however, there are real technological and operational limitations that inhibit scaling. In the process, the application and, by extension, the user is left exposed to real security vulnerabilities.

Distributed applications require distributed security and a departure from the old-fashioned world of perimeter-based or network-enforced design models.

Amir Sharif is Co-Founder of Aporeto.

Share this

Industry News

May 16, 2024

Pegasystems announced the general availability of Pega Infinity ’24.1™.

May 16, 2024

Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment.

May 16, 2024

GitLab announced new innovations in GitLab 17 to streamline how organizations build, test, secure, and deploy software.

May 16, 2024

Kobiton announced the beta release of mobile test management, a new feature within its test automation platform.

May 15, 2024

Gearset announced its new CI/CD solution, Long Term Projects in Pipelines.

May 15, 2024

Rafay Systems has extended the capabilities of its enterprise PaaS for modern infrastructure to support graphics processing unit- (GPU-) based workloads.

May 15, 2024

NodeScript, a free, low-code developer environment for workflow automation and API integration, is released by UBIO.

May 14, 2024

IBM announced IBM Test Accelerator for Z, a solution designed to revolutionize testing on IBM Z, a tool that expedites the shift-left approach, fostering smooth collaboration between z/OS developers and testers.

May 14, 2024

StreamNative launched Ursa, a Kafka-compatible data streaming engine built on top of lakehouse storage.

May 14, 2024

GitKraken acquired code health innovator, CodeSee.

May 13, 2024

ServiceNow introduced a new no‑code development studio and new automation capabilities to accelerate and scale digital transformation across the enterprise.

May 13, 2024

Security Innovation has added new skills assessments to its Base Camp training platform for software security training.

May 13, 2024

CAST introduced CAST Highlight Extensions Marketplace — an integrated marketplace for the software intelligence product where users can effortlessly browse and download a diverse range of extensions and plugins.

May 09, 2024

Red Hat and Elastic announced an expanded collaboration to deliver next-generation search experiences supporting retrieval augmented generation (RAG) patterns using Elasticsearch as a preferred vector database solution integrated on Red Hat OpenShift AI.

May 09, 2024

Traceable AI announced an Early Access Program for its new Generative AI API Security capabilities.