The Expanded Attack Surface of Microservices
A monolithic application has one entry point. A microservices architecture has dozens — each service exposes its own API endpoints. Securing this distributed mesh requires a fundamentally different approach than traditional perimeter security.
Mutual TLS (mTLS)
Standard TLS authenticates the server to the client. Mutual TLS (mTLS) authenticates both parties. Every service must present a valid certificate before communication is allowed. This prevents a compromised internal service from making unauthorised calls to other services.
# Kubernetes: enforce mTLS via Istio PeerAuthentication
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT
API Gateway as Security Perimeter
All external traffic should enter through a single API gateway that handles authentication, rate limiting, and input validation before forwarding requests to internal services.