Posted: 14 Jul. 2023 5 min. read

Cyber Academy Blog Series:

Microservice to monolith - what security implications should you look out for?

In the fast-paced world of digital transformation, staying ahead of the competition requires adaptability, performance, security, and scalability. The architecture design decisions you make form the foundation for the benefits your business can realise in its digital ecosystem.

Traditional monolithic architecture, whilst functional, has typically been thought to impede scalability. The paradigm shift of the last eight years has been the move to microservices, which has become increasingly popular among tech giants, start-ups, fin-techs, and media businesses.

Migrating from a monolithic architecture to microservices has typically been seen as a transformative improvement journey. It brings modularity, scalability, fault isolation, and the team autonomy needed to respond quickly to market changes and deliver value faster.

However, some organisations (most recently in tech-media) are rearchitecting their microservices back into monoliths.

Why? Teams are realising large reductions in infrastructure cost and, in some cases, improvements in performance and scalability. Technology evangelists and architects are reconsidering whether parts of their solution design belong back in a monolith, to optimise cloud spend and improve customer experience.

If you’re weighing up similar decisions, one of the questions front-of-mind is: does rearchitecting make you more or less secure?

The short answer:

It depends.

The long answer:

Monoliths bring simplicity and centralisation, whereas microservices require isolation and granular controls. Taking a closer look, the key differences are in complexity, attack surface, security controls, and how vulnerabilities are managed.

1. Simplicity / Complexity: Monolithic architectures are typically simpler because there is a single codebase, application, and database. In principle this makes it easier to design security measures that cover the entire application consistently.

With distributed technology (microservices), complexity is higher: decoupled services mean more endpoints and more API integrations between them. Complexity doesn't necessarily mean less secure. The agility and flexibility of microservices help you address new and changing security requirements. But the higher volume of interconnected components and dependencies introduces additional risk, and real challenges, if proper data protection, monitoring, testing, and vulnerability management practices are not in place.

2. Attack Surface: A monolith typically has fewer entry points for potential attacks, fewer integrations, and tightly coupled components. The reduced attack surface can make monoliths look more secure; however, once a single vulnerability is exploited the entire application is at risk, because there is no internal boundary between components. A successful attack can have a catastrophic impact on the application's functionality and data.

Microservices offer improved isolation, but only if logical separation across the network and infrastructure is done correctly: network policy between services, a distinct identity and credentials per service, and tokens that are only valid at the service they were issued for. If one microservice is compromised, the attacker's access can then be contained to that specific service, limiting lateral movement to sensitive functions and data. Ignoring segregation is a recipe for disaster.

3. Security Controls: In a monolith, security controls (e.g., authentication, authorisation and access control) can be implemented centrally, in one place, for the whole application. Centralisation makes compliance and audit exercises more straightforward, since there is a single application to assess.

The decoupled nature of microservices means each service can have its own set of security controls. Authentication, authorisation, and access control mechanisms are either tailored to the service or delegated to another service (such as a gateway or identity service). You can build security in at design time by grouping services according to data sensitivity and function, and giving each service only the privileges it needs. The caveat is consistency: with many services it is easy for one to fall behind the baseline, so the common checks should be enforced in a shared place (gateway, mesh, or shared library) and verified at every service boundary rather than trusted from the caller.
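The following is an added example that is not part of the original post. It illustrates the isolation point in item 2 and the per-service, least-privilege controls in item 3 with a minimal service-to-service token check: a token is bound to the one service it is issued for (audience), to a scope list, and to a short lifetime, so a token taken from a compromised service cannot be replayed against its neighbours. The service names, scopes and signing key are constructed for the example; the HMAC-with-shared-key scheme is a simplification of what a real issuer would do with asymmetric keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key. A real deployment would sign with an asymmetric key at
# the issuer (gateway / identity service) and give services only the public key,
# so a compromised service cannot mint tokens for its neighbours.
ISSUER_KEY = b"constructed-issuer-signing-key-do-not-reuse"


class TokenError(Exception):
    """Raised when a service-to-service token fails any check."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, audience: str, scopes: set, ttl: int = 300, now=None) -> str:
    """Issue a short-lived token bound to one target service (aud) and a scope list."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "aud": audience, "scope": sorted(scopes), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, this_service: str, required_scope: str, now=None) -> dict:
    """The checks a service performs before acting: signature, audience, expiry, scope."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise TokenError("bad signature")
    claims = json.loads(_unb64(body))
    # Audience binding is what stops a token stolen from one service being replayed at another.
    if claims.get("aud") != this_service:
        raise TokenError(f"audience mismatch: token is for {claims.get('aud')!r}, not {this_service!r}")
    if claims.get("exp", 0) < now:
        raise TokenError("token expired")
    if required_scope not in claims.get("scope", []):
        raise TokenError(f"missing scope {required_scope!r}")
    return claims


def lateral_movement_demo() -> dict:
    """Constructed scenario: 'checkout' calls 'orders'; the orders service is then
    compromised and the attacker replays, re-targets and over-uses the token."""
    t0 = 1_700_000_000  # fixed clock so the demo is deterministic
    token = mint_token("checkout", "orders", {"orders:read"}, ttl=300, now=t0)
    outcome = {}

    # Legitimate use: the right service, the right scope, inside the lifetime.
    outcome["orders_read_ok"] = verify_token(token, "orders", "orders:read", now=t0 + 5)["iss"]

    def rejected(service, scope, at):
        try:
            verify_token(token, service, scope, now=at)
            return None
        except TokenError as err:
            return str(err)

    outcome["replay_at_payments"] = rejected("payments", "payments:refund", t0 + 5)
    outcome["escalate_scope"] = rejected("orders", "orders:write", t0 + 5)
    outcome["after_expiry"] = rejected("orders", "orders:read", t0 + 600)
    return outcome


if __name__ == "__main__":
    for check, result in lateral_movement_demo().items():
        print(f"{check}: {result}")
```

Each service verifies every token itself rather than trusting that an upstream caller already did, which is the practical meaning of "segregation" in item 2: the signature check alone would not stop the replay at payments, because the token is genuine; it is the audience and scope checks that contain the compromise.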

4. Vulnerability Management: The quality of vulnerability scanning doesn't necessarily change between the two. What changes is remediation: patching a shared dependency in a monolith means rebuilding, retesting and redeploying the whole application, which is time-consuming and resource intensive.

With microservices you will notice a higher volume of identified vulnerabilities, because you're scanning more endpoints and more independently versioned sets of dependencies. The upside is that individual components can be updated independently, allowing faster security updates and a shorter vulnerability exposure window.

Securing microservices is high-effort, high-reward: time, resources and skills are the hurdles to overcome before you can deploy services both faster and more safely.

What Next?

Microservices work at scale, but whether to use them over a monolith has to be decided case by case. What doesn't change is what keeps you secure: understanding your architecture and applying the security controls that mitigate misconfigurations and vulnerabilities in it.

End-to-end solution threat modelling is your strongest ally when navigating architectural change.

Transitioning between monolithic and microservice architectures doesn't in itself make you more or less secure; it requires a different approach to the same controls.

Are you considering all security implications when redesigning digital services? Don't leave your digital ecosystem to chance – reach out now and find out how we can help you move towards optimized performance, scalability, and peace of mind.

Key Contacts

Susie Sharawi

Partner

Susie Sharawi has worked within the private sector and specialises in Secure Digital Transformation and Cyber Mergers and Acquisitions. She has successfully led work in several cyber security domains, all of which are underpinned by strong communication and behavioural change to embed capability. She has: supported clients proactively in defining cyber maturity capabilities, including developing and transitioning cyber operating models to provide appropriate coverage and support to the business; implemented cyber managed solutions for global clients; defined and implemented Identity and Access Management solutions for both the enterprise and its customers; developed investment cases for cyber initiatives aligned to business transformation and business imperatives; developed secure-by-design services for software engineering teams; led sell-side and buy-side due diligence and post-acquisition services; led global cyber incident response services, recovering businesses safely to prevent re-infection; and trained C-suite executives on cyber essentials and run several incident response preparedness exercises.

Roupe Sahans

Senior Manager

Roupe is a Senior Manager at Deloitte and leads DevSecOps transformation activities for organisations embracing digital transformation. He works with everyone from engineers to C-suite executives, in a variety of cyber roles, to design, implement, assess and manage innovative security solutions for clients across all industry sectors.

Giles Houghton

Partner

Giles is a Partner in the Cyber Risk practice at Deloitte UK. Giles has spent 20 years working predominantly with defence, national security and law enforcement organisations in the UK and Middle East. He is currently supporting Deloitte’s public sector clients through their Digital and DevSecOps transformations in some of the most rigorous regulatory environments.