Securely communicating user identity and authorization across calls between microservices, especially in multi-cloud environments is an important problem, and it is critical to solve this using open standards to ensure interoperability.
The Story So Far
A particularly dangerous class of attacks involves attackers being able to compromise the “virtual private cloud” (VPC) of an organization. This is getting increasingly common, and could happen through software supply chain attacks or privileged account compromise. In such cases, the potential for damage is tremendous, since the attacker can invoke microservices belonging to an organization, impersonate any user, and take any action on their behalf.
Since SGNL published the blog post “Why We Need an RPC Security Standard”, SGNLers Erik Gustavson and I (Atul Tulshibagwale) have had numerous discussions with key players in the industry about why a standards-based approach is important to address this problem.
Over the past few months, a few of us from organizations like Microsoft, Amazon Web Services, Okta, MITRE, NSA, SGNL and others have been meeting as a group to arrive at a charter for this work, and recently we shared this charter with the IETF OAuth Working Group. We will be discussing potential solutions at the IETF 115 meeting next week.
While internet services today expose APIs that are accessed by front-ends and API clients, each such API call results in a call chain that may involve numerous microservices. Furthermore, these microservices may be distributed across on-premise and multiple cloud platforms.
In such microservice architectures, efforts like SPIFFE have focused on ensuring there is a “caller ID” for services calling each other. However, there are a few gaps that still need to be addressed:
- How can we ensure that the identity of the principal (user or robotic) initiating the call is securely communicated through the call chain?
- How can we ensure that the authorization scope of the call is limited throughout the call chain?
- How can we ensure that the call chain information itself is securely available to any microservice receiving the call?
- How can we ensure that all this works regardless of where the microservice runs, i.e. on-premise or in various cloud platforms?
- How can we ensure that all this works for synchronous and asynchronous calls?
The charter document here captures this problem description accurately. We look forward to discussing proposals to address these questions at the IETF 115 meeting in London next week. We would love to get more participation in these discussions, and you can attend these meetings in person or remotely.
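To make the first three questions above concrete, here is an added illustrative sketch (not SGNL's code and not any IETF proposal) of a signed token that carries the originating principal, a scope that can only shrink at each hop, and the call chain each service appends itself to. It assumes, purely for brevity, a single HMAC key shared by all services; a real design would sign each hop with per-service keys (e.g. SPIFFE identities) so chain entries are attributable and a compromised service cannot forge the whole token.

```python
import base64, hmac, hashlib, json

# Constructed demo key shared by the services. This is an assumption made
# only to keep the sketch short; it is not how a deployment should be keyed.
KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: dict) -> str:
    # Canonical JSON so the same payload always yields the same signature.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)

def verify(token: str) -> dict:
    """Check the signature and return the payload; any tampering is rejected."""
    body_b64, mac_b64 = token.split(".")
    body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), mac_b64):
        raise ValueError("bad signature")
    return json.loads(body)

def issue(principal: str, scope: set, entry_service: str) -> str:
    """Mint the token where the request enters the organization (API gateway)."""
    return _sign({"sub": principal, "scope": sorted(scope), "chain": [entry_service]})

def forward(token: str, caller: str, needed: set) -> str:
    """Run by a service before calling the next hop: the principal is carried
    through unchanged, scope is intersected (never widened), and the caller is
    appended so the callee can see the full path the request took."""
    p = verify(token)
    narrowed = sorted(set(p["scope"]) & needed)
    return _sign({"sub": p["sub"], "scope": narrowed, "chain": p["chain"] + [caller]})

def demo():
    t = issue("alice", {"orders:read", "orders:write"}, "api-gateway")
    # orders-svc asks for a scope it was never granted; only the overlap survives.
    t = forward(t, "orders-svc", {"orders:read", "payments:refund"})
    final = verify(t)
    # Flip one character of the body and confirm the downstream check fails.
    tampered = ("A" if t[0] != "A" else "B") + t[1:]
    try:
        verify(tampered)
        rejected = False
    except ValueError:
        rejected = True
    return final, rejected
```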
Subscribe to the SGNL blog to get updates as we discuss ideas to standardize FTA.