Overview of the MicroPerimeter™ Security

The Cloudentity MicroPerimeter™ Security is a platform that secures:

  • Legacy applications
  • Microservices
  • APIs
  • Workloads
  • Smart devices in hybrid-cloud environments

Traditional security relies on large, complex gateways or firewalls at the edge of the network, which lose visibility into traffic between services (East/West traffic). Such solutions fail to give every instance of every service the unique identity that a zero trust network requires.

Cloudentity’s MicroPerimeter™ Security provides service-to-service identity, API security and fine-grained authorization for the protected services by sitting as close to the service as possible.

The MicroPerimeter™ Security encapsulates the protected service, securing service-to-service communication and communication with legacy applications by giving the applications themselves a native layer of security and visibility. To secure these communications it uses a robust, tamper-proof identity for each service, enforced through extensive service validation, and couples that identity with authorization capabilities that include coarse-grained micro-segmentation and fine-grained user permissions/consent.

How does the MicroPerimeter™ Security fit the security landscape?

The MicroPerimeter™ components form a comprehensive security plane that co-exists with, and augments, the existing microservice data and control planes, bridging the identity, API security and microservice security worlds. It lets a business use the cloud in any area it sees fit, and gives distributed applications the PII visibility and security controls they need wherever they run.

What does MicroPerimeter™ Security help with?

The Cloudentity MicroPerimeter™ Security Plane was created to offload complex API security, logging, and identity-related tasks from the development teams of cloud-native and legacy applications.

This relieves the software team of the burden of securing software as it talks to other software, regardless of service or deployment type.

The MicroPerimeter™ Security:

  • Allows developers to focus on the creation of business features
  • Gives SecDevOps engineers the ability to make security part of the CD pipeline
  • Provides security practitioners with measures to control access to services and with governance for PII data
  • Provides CISOs with immutable policies that protect applications from threats while supporting adherence to PII-based regulations

It works as transparently as possible and does not require developers, SecDevOps engineers or security practitioners to have deep knowledge of the internals of the MicroPerimeter™ Security plane technology.

What are the key MicroPerimeter™ components?

The MicroPerimeter™ API & Microservice security platform consists of the two key components described below.

The MicroPerimeter™ Edge

The MicroPerimeter™ Edge handles standards-based token translation and authentication for requestor/user-to-service transactions and for workloads. It gives each microservice in a MicroPerimeter™ Security trust domain a verifiable requestor identity and service identity context for the transaction.

This combination of user and service identity allows for comprehensive transactional security controls at the endpoint level and traceability for every step of a multi-service transaction.

Developers can also use the verifiable user context within their microservices, avoiding the difficulty of implementing OAuth flows themselves while still leveraging the user identity context from any standards-based identity or authentication provider.

The MicroPerimeter™ Sidecar

The MicroPerimeter™ Sidecar provides a localized policy decision point (PDP) and policy enforcement point (PEP) for each service. The Cloudentity MicroPerimeter™ Sidecar is installed automatically alongside each microservice container or legacy application. The Sidecar makes it possible to protect a service without any changes to the service itself, and it is independent of the programming language and architecture the services are implemented in.

The MicroPerimeter™ Sidecar:

  • Manages the keys used for token signing and verification
  • Manages policy synchronization
  • Performs authentication and authorization of all incoming requests
  • Provides visibility via a tamper-proof audit of all identity data (user, service and device) and of the clients in the transaction
  • Generates security tokens for, and inspects, outgoing traffic
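The following is an added illustration of the Edge/Sidecar pattern described in the two sections above; it is not Cloudentity's code and the page does not describe MicroPerimeter™'s token format, policy schema or key handling. Everything here is assumed: an Edge-style component mints a signed token binding the end user (sub, scope) to the calling service (svc), an audience and an expiry; a Sidecar-style PEP verifies it statelessly with a shared trust-domain HMAC key, asks a local PDP that applies coarse-grained caller segmentation before fine-grained scope checks, and appends every decision to a hash-chained audit log so that edits to the log are detectable. The key, policy and request data are constructed for the example.

```python
# Added example (not Cloudentity code): sidecar-style PEP/PDP with stateless
# token verification and a hash-chained audit log. All names are assumptions.
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed demo key for the trust domain; a real deployment would use an
# asymmetric key pair distributed to the Edge and every Sidecar out of band.
TRUST_DOMAIN_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key, claims):
    """Edge side: sign canonical JSON claims carrying user and service identity."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())


def verify_token(key, token, audience, now=None):
    """Sidecar side, stateless: constant-time signature check, then audience and
    expiry. Returns the claims dict or None; no call to a central service."""
    try:
        enc_payload, enc_sig = token.split(".")
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


# Assumed policy schema synchronised to the sidecar: per route, which calling
# services may reach it (micro-segmentation) and which user scopes it needs.
POLICY = {
    "audience": "orders-svc",
    "routes": {
        ("GET", "/orders"): {"callers": {"web-bff"}, "scopes": {"orders:read"}},
        ("POST", "/orders"): {"callers": {"web-bff"}, "scopes": {"orders:write"}},
        ("GET", "/export"): {"callers": {"batch-exporter"}, "scopes": {"pii:export"}},
    },
}


def decide(policy, claims, method, path):
    """PDP: default deny, coarse-grained caller check, then fine-grained scopes."""
    rule = policy["routes"].get((method, path))
    if rule is None:
        return False, "no rule for route"
    if claims.get("svc") not in rule["callers"]:
        return False, "service %s not permitted" % claims.get("svc")
    missing = rule["scopes"] - set(claims.get("scope", []))
    if missing:
        return False, "missing scopes " + ",".join(sorted(missing))
    return True, "ok"


@dataclass
class AuditLog:
    """Each entry commits to the previous hash, so editing or dropping an entry
    breaks verify_chain(); this is what makes the trail tamper-evident."""
    entries: list = field(default_factory=list)
    last_hash: str = GENESIS

    def append(self, record):
        body = json.dumps(record, sort_keys=True).encode()
        digest = hashlib.sha256(self.last_hash.encode() + body).hexdigest()
        self.entries.append({"prev": self.last_hash, "record": record, "hash": digest})
        self.last_hash = digest

    def verify_chain(self):
        prev = GENESIS
        for entry in self.entries:
            body = json.dumps(entry["record"], sort_keys=True).encode()
            expected = hashlib.sha256(prev.encode() + body).hexdigest()
            if entry["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def enforce(policy, audit, key, method, path, token, now=None):
    """PEP: verify the token, ask the PDP, record the outcome, return (status, reason)."""
    claims = verify_token(key, token, policy["audience"], now)
    if claims is None:
        audit.append({"method": method, "path": path, "allow": False, "reason": "invalid token"})
        return 401, "invalid token"
    allow, reason = decide(policy, claims, method, path)
    audit.append({"svc": claims["svc"], "sub": claims["sub"], "method": method,
                  "path": path, "allow": allow, "reason": reason})
    return (200 if allow else 403), reason


def run_demo():
    """Constructed requests: allowed, scope missing, wrong caller, forged, expired."""
    audit = AuditLog()
    user = mint_token(TRUST_DOMAIN_KEY, {"svc": "web-bff", "sub": "alice",
                      "scope": ["orders:read"], "aud": "orders-svc", "exp": NOW + 60})
    batch = mint_token(TRUST_DOMAIN_KEY, {"svc": "batch-exporter", "sub": "job-7",
                       "scope": ["pii:export"], "aud": "orders-svc", "exp": NOW + 60})
    forged = mint_token(b"attacker-key", {"svc": "web-bff", "sub": "mallory",
                        "scope": ["orders:write"], "aud": "orders-svc", "exp": NOW + 60})
    results = [
        enforce(POLICY, audit, TRUST_DOMAIN_KEY, "GET", "/orders", user, NOW),
        enforce(POLICY, audit, TRUST_DOMAIN_KEY, "POST", "/orders", user, NOW),
        enforce(POLICY, audit, TRUST_DOMAIN_KEY, "GET", "/orders", batch, NOW),
        enforce(POLICY, audit, TRUST_DOMAIN_KEY, "GET", "/orders", forged, NOW),
        enforce(POLICY, audit, TRUST_DOMAIN_KEY, "GET", "/orders", user, NOW + 120),
    ]
    intact = audit.verify_chain()
    audit.entries[0]["record"]["allow"] = False  # simulate tampering with the log
    return results, intact, audit.verify_chain()
```

The ordering in decide() matters: the coarse-grained segmentation check rejects a foreign service before any user attribute is consulted, so a compromised batch job cannot reach the user-facing route even with a valid user token, and the reason string in the audit record tells an analyst which layer rejected the call.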

Does it introduce any overhead?

Token signing and verification, policy enforcement and authorization policy decisions are completely stateless and run locally alongside the microservice. As a result it adds minimal latency (under 1 ms in most cases), is extremely lightweight (about 10 MB) and scales to 10,000+ connections per second per instance.

Does the software need to be adjusted to start using it?

No. The MicroPerimeter™ Security is agnostic to the technology of the protected services and only loosely coupled to them, so the services do not have to be changed to be protected by the MicroPerimeter™ Security.