You have me thinking. My gut tells me this is true.
For example, if you have a segmented auth service that someone gets root on, it’s possible for someone to act as anyone else, but not get the whole database if unavailable to all users.
If your load balancer gets compromised, you could cause denial of service or act as a man-in-the-middle for all requests.
If your database gets got, that’s the worst, but you generally can’t intercept web requests and other front-end facing things.
But, I’d like to play devil’s advocate here. I feel that most of these segmented architecture strategies may have negative security implications as well.
First, the overall attack surface increases. There are more redundant mechanisms, more links in the chain, probably more differing types of security/tokens/certificates that can get exploited. It also adds maintenance burden, which I believe reduces security because other priorities may get in the way if things are cumbersome.
In my examples above, a compromise of the auth service in most cases pretty much means a complete compromise of the what your system allows its highest level users to do. Which is normally a lot.
Getting a load balancer will allow an attacker to MITM if TLS termination happens there, and basically this can mean the same as in the auth service, plus XSS-type stuff.
If the service hosting the database is compromised, it’s kinda game over. Including XSS.
So what have we gained here?
A monolith hosting all of these has more or less the same consequences if compromised. However, if it’s all together, it becomes everyone’s responsibility and there are more eyes on each aspect of your application. You’re more likely to update things that need updating. Traffic can be analysed a little easier.
Just wanted to jot down some notes because I have a talk coming up and need to prepare for this question. Please prod my thinking, it would really help me out!
By no means am I the microservices guy. Im more of a self hosted person than anything and used to always be a monolith guy and would still prefer that in many situations. But now I would at least “wrap” the monolith with supplemental self hosted microservices.
But TLDR this is the logic as I understand it and the key thing. Dont cast your pearls before swine. Its basically biblical. Lol jk jk. But really put a cheap reverse proxy with a honey pot and some alerting… or even better a WAF and/or EDR then catch and isolate them when they compromise your front end and garbage honey pot before they can even move laterally internally.
The longer slightly more technical answer is a malicious actor compromises one utility they likely made a lot of noise doing it which is key to securing the assets. First a lot of malicious activity can be mitigated with a proactive WAF. There are a few free solutions here
Crowdsec WAF (ModSecurity, i think is another, working from memory could be wrong) has a decent signature detection and shared banned list. If you couple it with proper alerting you should be able to see, watch and isolate attackers in near real time. So even if they get the reverse Proxy and you messed up alerting on WAF, if you have layers of security, you still have your fall back EDR (like elk stack) alert for when proxyUser starts issuing ping commands and performing asset discovery. So you should see it days before they escalate privileges (unless 0 day or nation state etc).
They will still do damage you are absolutely right. But let’s assume a tiered microservice approach for a functioning SAAS app where you have something like pocketbase for Auth, Umami for analytics, Stripe for payments and Postgres for paid api data. Even an issue in pocketbase / Auth doesn’t necessarily mean they get all your paid api data because hopefully you have per user rate limits on postgres and backend services (should your pocketbase user even be reading or writing to your paid data tables? Additionally alerting should provide observability into admin sign ins from new /suspicious locations, or multiple other suspicious behavior such as one user signing into multiple accounts, seeking priv escalation and so on.) But the main thing, they don’t get any cardholder data and that is a huge win. In fact if you are storing cardholder data PCI compliance requires segmentation.
Additionally look at actual CVEs related to pocketbase and you will find a lot to do with OATH so in this case its simple. Disable OATH for best security. Put a WAF in front of your app using something like traefik with crowdsec or ModSecurity with an nginx reverse proxy to catch bad actors when they try to abuse your non existent OATH endpoint and ban them instantly. You catch a lot of bad actors with that trap.
Or to take it back to your first example, if I have a segmented service that is compromised. I want to catch and isolate them before they even realize they are in a rootless podman container by taking advantages of the natural footguns that any script or malicious actor would naturally stumble into. For instance if my “reverseProxyUser” or any process in that entire container uses the sudo command that is a 10/10 fire type alert. That im pretty sure you could even automatically isolate or spin down with a few scripts, something like Argo or probably even off the shelf EDR.
Is it perfect, no. Any determined actor will find a way into any system given enough time. But a layered approach like this is best in my opinion. Of course it needs modified for every system this is just one example.
You can do the same thing with a monolith and good scripting. It isnt exclusive to microservices. Its just natively built that way in the instances that I am aware of thanks to the prominence of Kubernetes really. At least I think that’s why.
Edit: i can’t type / got interrupted mid reply. Its half decent now.
You have me thinking. My gut tells me this is true.
For example, if you have a segmented auth service that someone gets root on, it’s possible for someone to act as anyone else, but not get the whole database if unavailable to all users.
If your load balancer gets compromised, you could cause denial of service or act as a man-in-the-middle for all requests.
If your database gets got, that’s the worst, but you generally can’t intercept web requests and other front-end facing things.
But, I’d like to play devil’s advocate here. I feel that most of these segmented architecture strategies may have negative security implications as well.
First, the overall attack surface increases. There are more redundant mechanisms, more links in the chain, probably more differing types of security/tokens/certificates that can get exploited. It also adds maintenance burden, which I believe reduces security because other priorities may get in the way if things are cumbersome.
In my examples above, a compromise of the auth service in most cases pretty much means a complete compromise of the what your system allows its highest level users to do. Which is normally a lot.
Getting a load balancer will allow an attacker to MITM if TLS termination happens there, and basically this can mean the same as in the auth service, plus XSS-type stuff.
If the service hosting the database is compromised, it’s kinda game over. Including XSS.
So what have we gained here?
A monolith hosting all of these has more or less the same consequences if compromised. However, if it’s all together, it becomes everyone’s responsibility and there are more eyes on each aspect of your application. You’re more likely to update things that need updating. Traffic can be analysed a little easier.
Just wanted to jot down some notes because I have a talk coming up and need to prepare for this question. Please prod my thinking, it would really help me out!
By no means am I the microservices guy. Im more of a self hosted person than anything and used to always be a monolith guy and would still prefer that in many situations. But now I would at least “wrap” the monolith with supplemental self hosted microservices.
But TLDR this is the logic as I understand it and the key thing. Dont cast your pearls before swine. Its basically biblical. Lol jk jk. But really put a cheap reverse proxy with a honey pot and some alerting… or even better a WAF and/or EDR then catch and isolate them when they compromise your front end and garbage honey pot before they can even move laterally internally.
The longer slightly more technical answer is a malicious actor compromises one utility they likely made a lot of noise doing it which is key to securing the assets. First a lot of malicious activity can be mitigated with a proactive WAF. There are a few free solutions here Crowdsec WAF (ModSecurity, i think is another, working from memory could be wrong) has a decent signature detection and shared banned list. If you couple it with proper alerting you should be able to see, watch and isolate attackers in near real time. So even if they get the reverse Proxy and you messed up alerting on WAF, if you have layers of security, you still have your fall back EDR (like elk stack) alert for when proxyUser starts issuing ping commands and performing asset discovery. So you should see it days before they escalate privileges (unless 0 day or nation state etc).
They will still do damage you are absolutely right. But let’s assume a tiered microservice approach for a functioning SAAS app where you have something like pocketbase for Auth, Umami for analytics, Stripe for payments and Postgres for paid api data. Even an issue in pocketbase / Auth doesn’t necessarily mean they get all your paid api data because hopefully you have per user rate limits on postgres and backend services (should your pocketbase user even be reading or writing to your paid data tables? Additionally alerting should provide observability into admin sign ins from new /suspicious locations, or multiple other suspicious behavior such as one user signing into multiple accounts, seeking priv escalation and so on.) But the main thing, they don’t get any cardholder data and that is a huge win. In fact if you are storing cardholder data PCI compliance requires segmentation.
Additionally look at actual CVEs related to pocketbase and you will find a lot to do with OATH so in this case its simple. Disable OATH for best security. Put a WAF in front of your app using something like traefik with crowdsec or ModSecurity with an nginx reverse proxy to catch bad actors when they try to abuse your non existent OATH endpoint and ban them instantly. You catch a lot of bad actors with that trap.
Or to take it back to your first example, if I have a segmented service that is compromised. I want to catch and isolate them before they even realize they are in a rootless podman container by taking advantages of the natural footguns that any script or malicious actor would naturally stumble into. For instance if my “reverseProxyUser” or any process in that entire container uses the sudo command that is a 10/10 fire type alert. That im pretty sure you could even automatically isolate or spin down with a few scripts, something like Argo or probably even off the shelf EDR.
Is it perfect, no. Any determined actor will find a way into any system given enough time. But a layered approach like this is best in my opinion. Of course it needs modified for every system this is just one example.
You can do the same thing with a monolith and good scripting. It isnt exclusive to microservices. Its just natively built that way in the instances that I am aware of thanks to the prominence of Kubernetes really. At least I think that’s why.
Edit: i can’t type / got interrupted mid reply. Its half decent now.