Drawing a moat and protecting one's castle with high walls - that's how IT security used to be. But dark castles are long gone and the paradigm shift in IT security is also in full swing: away from the old castles to the user-friendly hotel. Away from large applications, towards agile microservices and microgateways.

Like a modern, professional hotel: this is how web services and IT security must be today. From the sofa, the guest identifies themselves to the digital concierge and receives a personal radio key. With this time-limited access card, the guest can enter the hotel day and night. The key is also checked again and again at numerous points in the hotel without the guest even noticing: the access controls at the room door, at the minibar or when entering the breakfast buffet are practically invisible - as long as the authorization is correct. This allows the hotel to control access in a fine-grained way and at the same time personalize the experience - depending on the booking, status and preferences of the guest. After all, the consumer is spoiled: the Big 5 (Google, Apple, Facebook, Amazon, Microsoft - GAFAM) set the standard for customer expectations today. Companies that cannot keep up here will soon lose out.

Consistent security experience through upstream identification

A good customer experience must be consistent and simple. For security issues like authentication and access control, this means: solve once and reuse. Developers should not have to worry about passwords or 2FA. The upstream authentication is a standard service that is as far as possible decoupled from the applications. A super concierge, so to speak, who knows every guest and can serve them all at the same time. This way, the guest always has the same contact person and a uniform customer experience.

Central identification, distributed access control

Authentication in the form of identity services is best provided centrally. This relieves the application developers and increases both security and flexibility. For example, the login method can be adapted centrally without having to change all applications individually. Access controls, on the other hand, are as widely dispersed and decentralized as hotel services. IT architectures are also increasingly distributed and changing dynamically: monolithic web applications are being replaced by countless microservices, where data and applications are scattered and accessible from everywhere. Automatic scaling and the rolling out of new versions mean that new containers are constantly being launched. As complexity increases, a system is quickly forgotten, and the comprehensive protection of sensitive data becomes a challenge. Access control must therefore shift from the outer perimeters towards the individual services. Instead of being trusted blindly, the hotel guest is checked continuously but unobtrusively.

Heterogeneous IT structures: With microservices and zero-trust architecture

It is most efficient and secure if these controls do not take place in the application itself, but in a microgateway directly in front of it. To be more precise, in many microgateways: if zero trust is implemented consistently, each (micro-) service has its own microgateway. Here, too, the decoupling and reuse of security checks accelerate development. Indirectly, microgateways ensure faster prototyping and the uncomplicated launch of new offers.

Microgateway: The success factor for agile IT security

Microgateways are highly efficient and can be implemented quickly and in a resource-saving manner. Technically, a microgateway is essentially a reverse proxy that filters the data traffic passing through and checks the access key (e.g. in the form of a JWT) for each request. Depending on the type of data traffic, the microgateway acts as a web application firewall or as an API security gateway. Thanks to simple automation and optimization for orchestrated container environments, microgateways are a key element of any DevSecOps initiative.

Twice the impact

Despite the many microgateways, the central security gateway is not yet obsolete. The role of the gateway at the periphery of the corporate network is shifting towards ensuring basic protection. Every security expert preaches that double protection is better. This role adjustment will not happen overnight, and there will be a transitional phase in which not all applications have their own microgateway. Often, there will be purchased applications in addition to the self-developed applications, and these will continue to be protected centrally. Nevertheless, with each application that uses a microgateway, the configuration of the central gateway becomes easier and less complex.

Access management can be another reason why a central gateway has great advantages. In modern systems, it is increasingly common to use different identity providers to authenticate users. The administration and integration of the different identity providers is usually done in the Identity and Access Management (IAM). The IAM checks all external tokens and then issues a single, internally valid token. This simplifies the task for each microgateway because all microgateways only have to support one type of token. It relieves the application developers because the integration of new identity providers and the adaptations for existing ones are solved in the central IAM service. This transformation of external identities into an internally valid token is enforced by the central gateway directly at the periphery.
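The token flow described above, together with the per-request check a microgateway performs, as an added example (not Airlock's code or configuration): the central IAM accepts tokens from two identity providers and issues one internal token, and the microgateway accepts only that internal type. All issuer names, keys, the entitlement table and the function names are constructed assumptions, and HMAC-signed JWTs stand in for the asymmetric signatures a real deployment would normally use so that microgateways hold no signing key.

```python
import base64, hashlib, hmac, json

# Constructed issuers, keys and entitlements (assumptions, not from any product).
IDP_KEYS = {"https://idp-a.example": b"idp-a-key", "https://idp-b.example": b"idp-b-key"}
INTERNAL_ISS, INTERNAL_KEY = "https://iam.internal.example", b"internal-iam-key"
ENTITLEMENTS = {"https://idp-a.example|alice": ["booking", "minibar"]}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    msg = ".".join(_b64(json.dumps(p).encode()) for p in ({"alg": "HS256", "typ": "JWT"}, claims))
    return msg + "." + _b64(hmac.new(key, msg.encode(), hashlib.sha256).digest())

def verify(token: str, key: bytes, now: float) -> dict:
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        ok = (header["alg"] == "HS256" and hmac.compare_digest(_unb64(sig), want)
              and claims["exp"] > now)
    except Exception as exc:  # wrong part count, bad base64/JSON, missing claims
        raise ValueError("malformed token") from exc
    if not ok:
        raise ValueError("bad algorithm, signature or expiry")
    return claims

def exchange(external_token: str, now: float) -> str:
    """Central IAM: validate a token from any known IdP, issue one short-lived internal token."""
    try:
        # The unverified issuer is used only to select the key; verify() then decides.
        issuer = json.loads(_unb64(external_token.split(".")[1]))["iss"]
        key = IDP_KEYS[issuer]
    except Exception as exc:
        raise ValueError("unknown or unreadable issuer") from exc
    subject = f"{issuer}|{verify(external_token, key, now).get('sub')}"
    return sign({"iss": INTERNAL_ISS, "sub": subject, "aud": ENTITLEMENTS.get(subject, []),
                 "exp": now + 300}, INTERNAL_KEY)

def microgateway_allows(token: str, service: str, now: float) -> bool:
    """Per-request check in front of one service; only the internal token type is accepted."""
    try:
        claims = verify(token, INTERNAL_KEY, now)
    except ValueError:
        return False
    return claims.get("iss") == INTERNAL_ISS and service in claims.get("aud", [])
```

Because the internal token lives for only 300 seconds and names the services it is valid for, a token presented at the wrong service or after expiry is rejected at the microgateway without any call back to the IAM.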

Intelligent security: bringing together what belongs together

Conclusion: Business processes and software development are becoming increasingly agile. IT security must keep pace to avoid becoming a brake. There is no way around DevSecOps methods, which can best be implemented with microservices, microgateways and a zero-trust architecture. But this shift to an agile security culture does not happen overnight, and the result is not simply black and white, because truly high-performance security is always tiered security: with an API security gateway to protect APIs, with a reliable IAM system for the central authentication processes and with microgateways that ensure the fine-grained filtering of requests and the security of the specific microservice or application.

Airlock Microgateway: Try-Before-You-Buy

Better than many words: test the Airlock Microgateway now and use the basic functionality free of charge. Advanced security functions, however, are reserved for the premium version. This includes, for example, checking and enforcing OpenAPI interface descriptions.
