4 Best Practices for Microservices Authorization

There are unquestionable advantages to cloud native technologies, but significant challenges as well. Case in point: microservices authorization.

For many companies, microservices have become the architecture of choice for cloud native apps — whether for migrating legacy apps or building new cloud native applications. Contrary to traditional, monolithic applications, a microservice architecture means that each app is composed of dozens or hundreds of individual services, each with its own set of APIs.

In a microservice architecture, developers are in the tricky position of securing not just a single external API gateway, but each individual microservice API with a secure authorization step. Indeed, a core tenet of a zero-trust architecture is that every request must be both authenticated and authorized.

For developers and security teams, the thought of implementing authorization for every microservice call can seem daunting. Fortunately, there are a number of best practices to get you on your way — and standardize on a scalable process across teams.

Decouple Authorization Logic and Policy from the Underlying Microservice

This is the big one. Simply, the most powerful step that teams can take in authorization is to decouple authorization logic and policy from the application itself — that is, refrain from hardcoding authorization logic into microservices. This allows teams to easily change authorization coding for policies without changing the coding for the app.

Even better: Standardize your authorization on a tool like Open Policy Agent (OPA), which allows you to create and enforce policies consistently across services and teams. Because OPA is so flexible, this also grants you a wide range of options for how you actually architect authorization enforcement and where you store policy libraries within the app.

Read More