Reducing Microservices attack surface to that of a Monolith

Updated: May 21

Modern cloud-native and microservice-oriented architectures give developers the ability to test, iterate, and release applications and microservices at lightning-fast speed. This has led to customer-centric products and a higher topline for the companies.




Fig: Monolith Application converted to a microservice


However, this rapid shift to microservices running as cloud-native apps has led to security heartaches. Microservices have a larger attack surface than monolith applications. Microservices communicate via APIs, i.e., what used to be internal function calls are now network calls. Also, developers are continually releasing features and updates that might change how the APIs communicate. Finally, developers focus on velocity and are continuously being pushed by business stakeholders to hit release milestones. When the security team tightens up security, it generally breaks the application and slows down the development process. This leads to a circular firing squad between business stakeholders, developers, and the security team - not the desired state. Cloud providers like AWS, GCP, and Azure natively address some of these issues, but the security knobs are applied in many different places, which makes them very complex to use and manage. Moreover, each of the providers implements security differently, making multi-cloud, although aspirational, very hard to achieve. As a result, application breaches abound, leading to constant heartache for security teams.


Araali is a security solution focused on both the technology and the process front. Araali automatically detects and creates whitelist (allow-list) policies to constrain east-west communication between microservices running on VMs, containers, or Kubernetes. Once east-west traffic is completely locked down, the app's security and risk posture looks like that of a monolith. When done in a deterministic way, none of the system functionality is lost, and nothing breaks. The policies are also portable: discovered in CI/CD, they can be used in any cloud. This lets enterprises run Araali-secured apps on any cloud with the same policies and security posture.

Fig: Araali constrained app communication
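The east-west lockdown described above, as an added example that is not Araali's code: it builds an allow-list from a constructed set of observed flows (a stand-in for what a CI/CD test run would record), evaluates later flows against it with a default-deny rule, and renders the result as Kubernetes NetworkPolicy objects. The service names, namespace, ports and flows are assumptions made for illustration.

```python
"""Derive an east-west allow-list from observed flows and render it as
Kubernetes NetworkPolicy objects (added example, not Araali's code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source app label, destination app label, TCP port)

# Constructed sample of flows observed while exercising the app in CI/CD.
OBSERVED_FLOWS: List[Flow] = [
    ("frontend", "orders", 8080),
    ("orders", "payments", 9000),
    ("orders", "postgres", 5432),
    ("frontend", "orders", 8080),  # repeat observation, collapsed by the set below
]


def build_allowlist(flows: List[Flow]) -> Dict[str, Set[Tuple[str, int]]]:
    """Index observed flows by destination: dst -> {(src, port), ...}."""
    allow: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for src, dst, port in flows:
        allow[dst].add((src, port))
    return dict(allow)


def is_allowed(allowlist: Dict[str, Set[Tuple[str, int]]],
               src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is permitted only if exactly that (src, dst, port) was observed."""
    return (src, port) in allowlist.get(dst, set())


def _policy(name: str, namespace: str, spec: dict) -> dict:
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": spec,
    }


def to_network_policies(allowlist: Dict[str, Set[Tuple[str, int]]],
                        namespace: str = "shop") -> List[dict]:
    """Render the allow-list as NetworkPolicy objects.

    First a namespace-wide default deny (an empty podSelector selects every
    pod; no rules means nothing is allowed), then one ingress policy per
    destination and one egress policy per source. Caveat: with egress
    default-denied, DNS to the cluster resolver also needs an explicit rule
    in a real cluster; it is omitted here because it was not observed.
    """
    policies = [
        _policy("default-deny-all", namespace,
                {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]})
    ]
    egress: Dict[str, List[dict]] = defaultdict(list)
    for dst in sorted(allowlist):
        ingress_rules = []
        for src, port in sorted(allowlist[dst]):
            ports = [{"protocol": "TCP", "port": port}]
            ingress_rules.append(
                {"from": [{"podSelector": {"matchLabels": {"app": src}}}], "ports": ports})
            egress[src].append(
                {"to": [{"podSelector": {"matchLabels": {"app": dst}}}], "ports": ports})
        policies.append(_policy(f"allow-ingress-{dst}", namespace, {
            "podSelector": {"matchLabels": {"app": dst}},
            "policyTypes": ["Ingress"],
            "ingress": ingress_rules,
        }))
    for src in sorted(egress):
        policies.append(_policy(f"allow-egress-{src}", namespace, {
            "podSelector": {"matchLabels": {"app": src}},
            "policyTypes": ["Egress"],
            "egress": egress[src],
        }))
    return policies


if __name__ == "__main__":
    import json
    allowlist = build_allowlist(OBSERVED_FLOWS)
    for pol in to_network_policies(allowlist):
        print(json.dumps(pol, indent=2))
    # A flow that was never observed is denied even though both services exist.
    print(is_allowed(allowlist, "frontend", "payments", 9000))  # False
```

The generated objects are plain dicts, so they can be serialised to YAML or JSON and applied with `kubectl apply -f`; the same manifests work on any conformant cluster regardless of cloud provider, which is the portability point made above. Because the namespace-wide default deny is emitted first, any pod whose flows were not observed during discovery is isolated rather than left open.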


Once the east-west communication is locked down, what's left is ingress and egress from the app. Traditionally, this was a discussion between dev and sec in which they aligned on which ports to open and who comes in and goes out. Araali formalizes this DevSec interaction by creating workflows with automatically generated policies, which can be discussed and accepted on a per-app basis. Security gets a good handle on what's coming in and what's going out, and dev feels liberated as they can leverage Araali workflows to take care of security. As new apps are released or existing apps churn, the Araali workflow quickly gets dev and sec aligned on tight security.


In summary, Araali reduces risk by tightening microservices so that they appear like a monolith. Araali brings governance by formalizing the relationship between dev and sec through automated workflows, giving more control to security and relief to dev teams. It is done in an automated fashion to reduce friction and cost of ownership.
