Skip to main content

Cyber Academy Blog Series:

Microservice to monolith - what security implications should you look out for?

In the fast-paced world of digital transformation, staying ahead of the competition requires adaptability, performance, security, and scalability. The architecture design decisions you make form as the foundation to the benefits your business can realise in its digital ecosystem.

Traditional monolithic architecture, whilst functional, has typically been thought to impede scalability. A paradigm shift over the last 8 years has been the transition to microservices and has become increasingly popular among tech giants, start-ups, fin-techs, and media businesses.

Migrating from a monolithic architecture to microservices has typically come with the perception of a transformative improvement journey. It brings modularity, scalability, fault isolation, and team autonomy to respond quickly to market changes and deliver value faster.

However, organisations (most recently in tech-media) are rearchitecting their microservices, to monolithic.

Why? – teams are beginning to realise huge reductions in infrastructure cost and in some cases, performance and scalability improvements. Technology evangelists and architects are reconsidering bringing parts of their solution design back to monoliths to optimise cloud spend and improve customer experience.

If you’re weighing up similar decisions, one of the questions front-of-mind is; does rearchitecting make you more or less secure?

The short answer:

It depends.

The long answer:

Monoliths bring simplicity and centralization whereas microservices require isolation and granular controls. Taking a closer look, the key differences are in complexity, attack surface, and methods to manage vulnerabilities and security controls.

1. Simplicity / Complexity: Monolithic architectures are typically simpler due to a single codebase, application, and database. It can theoretically be easier to design security measures across the entire application.

With distributed tech (microservices), complexity is higher due to decoupled services leading to more endpoint and API integrations. Complexity doesn't necessarily mean less secure. The agility and flexibility gains from microservices helps address new and changing security requirements. The higher volume of interconnected components and dependencies introduces additional risk and challenges if proper data protection, monitoring, testing, and vulnerability management practices are not in place.

2. Attack Surface: With a monolith, there are typically fewer entry points for potential attacks, less integrations and tightly coupled components. The reduced attack surface can imply monoliths are more secure however, vulnerability exploitability puts the entire application at risk. A successful attack can have a catastrophic impact on the application functionality and data.

Microservices offer improved isolation, but only if logical separation across the network and infrastructure is done correctly. If one microservice is compromised, the attacker's access can be contained to that specific service, reducing lateral movement to sensitive functions and data. Ignoring segregation is a cocktail for disaster.

3. Security Controls: In a monolith, security controls (e.g., authentication, authorization and access control) can be implemented centrally to the application. Centralisation makes compliance and audit exercises more straightforward since there is a single application to assess.

The decoupled nature of microservices means each service can have its own set of security controls. Authentication, authorization, and access control mechanisms are tailored, or dependant on another service. You can secure-at-design by segregating services by sensitive data, functionality, and limiting privileges.

4. Vulnerability Management: The quality of vulnerability scanning doesn't necessarily change. Vulnerability remediation via security patches / updates in monoliths may require wholescale application changes, which becomes time-consuming and resource intensive.

However, due to complexity you will notice a higher volume of vulnerabilities identified with microservices as your scanning more endpoints. Individual components are updated independently, allowing for faster security updates and a reduction in the vulnerability exposure window.

Securing microservices is high-effort / high-reward; time, resources and skills are hurdles to overcome to achieve fast deployments of services safer and sooner.

What Next?

Microservices work at scale, but whether to use them over monoliths has to be made on a case-by-case basis. What doesn’t change are the things you do to keep yourself secure; that’s understanding your architecture and applicable security controls to mitigate misconfigurations and vulnerabilities.

End-to-end solution threat modelling is your strongest ally when navigating architectural change.

Transitioning between monolithic and microservice architectures doesn't make you less secure - it just requires a different approach.

Are you considering all security implications when redesigning digital services? Don't leave your digital ecosystem to chance – reach out now and find out how we can help you move towards optimized performance, scalability, and peace of mind.