DevSec For Scale Podcast – Microservices Authentication & Authorization w/ Yuval Yogev, Sygnia
In this episode of the “DevSec for Scale” podcast, Jeremy Hess interviews Yuval Yogev, Chief Architect at Sygnia, a cybersecurity company specializing in incident response and threat hunting. Yuval highlights the different types of authentication and authorization use cases that growing startups often encounter, including user logins, machine-to-machine communication, and external API interactions. He emphasizes the unique challenges posed by machine-to-machine interactions, where traditional user-based authentication methods like MFA are not applicable.
Yuval provides an overview of his role at Sygnia and the company’s focus on cybersecurity. Sygnia engages with clients experiencing significant security crises, such as ransomware attacks, as well as those seeking proactive threat detection. The company leverages its XDR platform to collect and analyze diverse data sources, aiming to detect anomalies and suspicious behaviors that indicate potential threats. By correlating data from various sources, Sygnia constructs detailed timelines of attacks, helping clients understand the progression and impact of security breaches.
Discussing the complexities of microservices architecture, Yuval explains the security challenges associated with authentication and authorization in such environments. Microservices require each service to handle authentication and authorization independently, which can introduce significant complexity. He mentions JWTs (JSON Web Tokens) as a useful tool for managing authentication in microservices, because each service can verify a token on its own and the token carries the claims the service needs. Yuval also addresses the need for careful management of inter-service communication protocols and the importance of avoiding single points of failure.
The conversation then shifts to Sygnia’s migration towards a multi-tenancy architecture. Yuval outlines the reasons why many startups initially adopt single tenancy, such as avoiding the “noisy neighbor” problem and simplifying deployment and upgrades. However, as companies grow, multi-tenancy becomes more appealing for its cost efficiency and ease of management. Yuval discusses the security concerns that arise with multi-tenancy, including the need for robust separation of tenant data within shared databases and the implementation of network policies to prevent unauthorized inter-tenant communication.
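As an added illustration of the two points above (a microservice verifying a JWT on its own, and enforcing tenant separation on a shared backend), not code from the episode or from Sygnia: a minimal HS256 verifier with a tenant check layered on top. The shared secret, claim names and tenant names are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed example secret shared by the token issuer and this service.
# A real deployment would prefer an asymmetric key pair (e.g. RS256) so that
# verifying services hold only the public key and cannot mint tokens.
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT carrying the caller's identity and tenant."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SHARED_SECRET) -> dict:
    """Verify signature and expiry locally, with no round trip to the issuer."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own alg field choose the check.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims

def authorize_tenant_access(token: str, resource_tenant: str,
                            now: Optional[float] = None) -> dict:
    """Tenant separation: the token's tenant claim must match the resource's."""
    claims = verify_token(token, now)
    if claims.get("tenant") != resource_tenant:
        raise PermissionError("cross-tenant access denied")
    return claims
```

Every service that holds the verification key can run this check itself, and the tenant comparison is the gate that keeps a valid token for one tenant from reading another tenant's rows in a shared database.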
Yuval concludes with practical advice for developers in smaller organizations. He stresses the importance of adopting security best practices without disrupting core business operations. His key recommendation is to “buy, don’t build” when it comes to security solutions. By leveraging established, compliant security products, startups can focus their resources on building their core offerings while ensuring robust security measures are in place. This approach allows companies to benefit from the expertise and reliability of specialized security providers, reducing the risk of vulnerabilities due to in-house solutions that may not be as thoroughly vetted.