PKI is needed for micro-services


Today I want to explain why I think that proper micro-service software needs a PKI.

First the problem: when you have a networked application, you need a way for one service to authenticate itself to another, and for the other service to verify that claim.

One way to do this is with usernames and passwords or tokens. This solution works well, but it raises the questions of where to store the secret data, how to deploy it to all nodes securely, and how to revoke access for a single node.

When you are using only usernames/passwords or tokens, it is kind of a mess and you have to write everything to a config file. Revocation is not easy and needs good orchestration to avoid downtime.

PKI is a strong and standard way to have mutual authentication between two endpoints.

Managing a CA is not an easy task but the effort pays off if you care about security and you want to avoid a big spaghetti-style security approach.

Someone would say: but we can trust the source IP!
The short answer to this is: no.

The long answer is: no! no! no! no! no! no! no! no! no!

An IP address is not secure by design: the network can be manipulated quite easily by anyone with L2 access (for example from one compromised server).

Also, the IP layer is not encrypted by default, so if you have to add some kind of encryption in your application anyway, what’s the point of encrypting everything with a pre-shared key when you can use an asymmetric layout?
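As an added example (not code from the original post), here is the mutual authentication described above in Go: a small in-memory CA issues certificates to a "billing" server and an "orders" client, the server requires a client certificate that chains to that CA, and a self-signed "rogue" caller is rejected during the TLS handshake. The service names, the CA and the certificates are all hypothetical and live only in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue makes an Ed25519 key and certificate for name: self-signed when parent is nil, else signed by parent's key.
func issue(name string, parent *tls.Certificate, isCA bool) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}, // demo serial; a real CA uses random ones
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	signerCert, signerKey := tmpl, any(priv) // self-signed unless a parent CA is given
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // keep the parsed form so this certificate can sign others
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// Demo: "billing" accepts only client certs from the internal CA; "orders" has one, "rogue" is self-signed.
func Demo() (ordersOK, rogueOK bool) {
	ca, roots := issue("internal-ca", nil, true), x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello " + r.TLS.PeerCertificates[0].Subject.CommonName)) // identity comes from the verified cert, not the source IP
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{issue("billing", &ca, false)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	srv.StartTLS()
	defer srv.Close()
	call := func(id tls.Certificate) bool { // one HTTPS request as the given client identity
		tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{id}, ServerName: "billing"}}
		resp, err := (&http.Client{Transport: tr}).Get(srv.URL) // a rejected client cert surfaces here as a TLS alert
		return err == nil && resp.StatusCode == http.StatusOK
	}
	return call(issue("orders", &ca, false)), call(issue("rogue", nil, false))
}
```

In TLS 1.3 the server's rejection of a client certificate arrives after the client's own handshake has already returned, so the failure only shows up on the first read; that is why the example judges the whole request rather than a bare dial.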

I hope I’ve made my point and that you will use PKI for your next micro-service application.