Microservices vs. Monoliths: Which Are More Secure?

Microservices offer security advantages by isolating application components, but they also introduce complexities and vulnerabilities that may outweigh these benefits.

Christopher Tozzi, Technology analyst

July 24, 2024

Are microservices more secure?

If you answered "yes" to that question, you wouldn't be wrong. In some ways, microservices architectures provide valuable security benefits.

But you wouldn't be wrong for saying "no," either. Arguably, microservices are less secure in key respects than conventional monolithic approaches to application design.

Let's dive into both perspectives on microservices security by exploring the ways in which microservices can enhance security, as well as the security challenges that arise from microservices design.

What Are Microservices, and How Do They Work?

As you may know if you've followed application development trends over the past decade, microservices are a type of application architecture that breaks functionality into discrete units. Rather than implementing an entire application as one service with one codebase (the monolithic approach), a microservices architecture entails creating multiple, independent microservices that, when combined, power a complete application.

Microservices have become popular over the past 10 years or so as a means of implementing more flexible and scalable applications. When you build your app as microservices, you can implement and deploy each microservice separately. This makes the development process less complicated, at least in the sense that each microservice is its own codebase and can be implemented, integrated, and tested independently of other microservices. In addition, you can deploy and update each microservice without disrupting others.

Microservices Security Benefits

Microservices are more secure than monolithic applications in that a breach of one microservice won't necessarily expose your entire application to attack. This is the main security benefit that microservices provide, and it's the reasoning behind most claims that "microservices are more secure."

For example, imagine that one of your microservices contains code borrowed from an open source repository that turns out to contain vulnerabilities. Threat actors can exploit those vulnerabilities to take control of the microservice.

But depending on how the application is designed and deployed, taking control of the one microservice will not necessarily mean the bad guys can compromise the entire application. The rest of the app may remain secure.

The Security Challenges of Microservices

However, the key words in that last paragraph are "not necessarily." In some cases, a breach of one microservice could mean that your entire app (or significant parts of it) ends up hacked.

For instance, imagine the following scenarios:

  • Missing or improperly configured access controls allow a compromised microservice to collect data from or disrupt the operations of other microservices.

  • A compromised microservice is able to read from and/or write to a database containing sensitive information. This could lead to data exfiltration or a ransomware attack, even if only one microservice was compromised.

  • The security flaw that enables an attack lies in code or dependencies that are shared by multiple microservices. In this case, the breach will affect all microservices that use the vulnerable resource.

In these cases, a security issue that initially impacts one microservice would spread to other parts of the application. In this sense, microservices aren't necessarily any more secure than a monolithic application design.
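
One way to audit an architecture for the three scenarios above is to compute what each service exposes if it is compromised. The sketch below is an added example, not part of the original article; the service names, datastores and the `libparse` dependency are hypothetical, and a `"*"` entry is assumed to mean that no access policy restricts the service's outbound calls.

```python
# Constructed inventory for illustration; every name below is hypothetical.
SERVICES = {
    # "calls": peers the access policy lets this service reach ("*" = no policy)
    # "grants": datastore -> access mode; "deps": shared libraries it bundles
    "checkout": {"calls": {"payments"}, "grants": {"orders_db": "rw"}, "deps": {"libparse"}},
    "payments": {"calls": set(), "grants": {"cards_db": "rw"}, "deps": {"libcrypto-wrap"}},
    "search":   {"calls": {"*"}, "grants": {"catalog_db": "r"}, "deps": {"libparse"}},
    "reports":  {"calls": set(), "grants": {"orders_db": "r", "cards_db": "r"}, "deps": {"libparse"}},
}
SENSITIVE = {"orders_db", "cards_db"}


def exposed_peers(name):
    """Scenario 1: peers a compromised service can reach directly."""
    calls = SERVICES[name]["calls"]
    if "*" in calls:  # missing access control: every other service is reachable
        return set(SERVICES) - {name}
    return set(calls)


def exposed_data(name):
    """Scenario 2: sensitive datastores the service's own credentials can touch."""
    return {db: mode for db, mode in SERVICES[name]["grants"].items() if db in SENSITIVE}


def affected_by(dep):
    """Scenario 3: every service that ships the same vulnerable dependency."""
    return {n for n, s in SERVICES.items() if dep in s["deps"]}


def blast_radius(compromised):
    """Union of peers and sensitive data exposed by a set of compromised services."""
    peers, data = set(), {}
    for name in compromised:
        peers |= exposed_peers(name)
        for db, mode in exposed_data(name).items():
            # keep the strongest mode seen: "rw" beats "r"
            data[db] = "rw" if "rw" in (mode, data.get(db)) else "r"
    return {"peers": peers - set(compromised), "data": data}


if __name__ == "__main__":
    for svc in SERVICES:
        print(svc, blast_radius({svc}))
    print("libparse flaw:", blast_radius(affected_by("libparse")))
```

In this inventory a flaw in the shared `libparse` library reaches three of the four services at once, which is the case where service isolation provides no containment.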

On top of this, microservices create security challenges that wouldn't be present in most monolithic apps. The added complexity of microservices application designs increases the chances of mistakes by developers that could introduce security flaws, such as code injection vulnerabilities.

Last but not least, microservices apps often rely on additional types of tools — such as service meshes — that monoliths don't typically use. In this sense, microservices result in a broader attack surface because there are more components within the application hosting stack that threat actors could target.

Conclusion: Are Microservices Really More Secure Than Monoliths?

Arguably, the security advantages that microservices provide through their ability to isolate application components (to a degree) are outweighed by the security challenges that arise from microservices. Service isolation doesn't guarantee that an attack's impact will be limited, but microservices do guarantee that your app will be more complex to build and deploy in most cases — leading to heightened security risks.

Now, none of this is a reason to reject microservices, which provide a variety of other benefits unrelated to security. But developers should set aside any notions they may have that microservices are simply better than monoliths from a security perspective. They're mostly not.

About the Author

Christopher Tozzi

Technology analyst, Fixate.IO

Christopher Tozzi is a technology analyst with subject matter expertise in cloud computing, application development, open source software, virtualization, containers and more. He also lectures at a major university in the Albany, New York, area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” was published by MIT Press.
