The Cloudentity MicroPerimeter™ Edge
The Cloudentity MicroPerimeter™ Edge is a lightweight, standalone security proxy that provides enforcement, authorization and API publishing functionality. The Gateway handles non-functional requirements (e.g. authentication, authorization, brute-force protection) on behalf of upstream services. By applying and enforcing rules from the TrustEngine™, each incoming request and outgoing response may be subject to custom transformations performed by configurable plugins.
Introduction
The Cloudentity MicroPerimeter™ Edge Gateway provides the dividing line between the client (such as a browser, mobile app or other third-party service) and the trusted mesh of services, microservices or applications deployed in on-premises, cloud, hybrid or multi-cloud environments.
The Cloudentity MicroPerimeter™ Edge Gateway was designed and implemented to provide the following capabilities on behalf of protected services:
- API endpoints publishing: either manually add verbs and paths or upload a specification such as Swagger.
- Authentication orchestration and client authentication: callouts, roadblocks and workflows to ensure authentication.
- Token Validation: request authorization and translation of long-lived client tokens (SSO, OAuth, OIDC, SAML, custom tokens) into Zero Trust JWT tokens. All communication between the Edge and the microservice is then secured directly through our MicroPerimeter™, regardless of whether they are hosted in the same or different datacenters or VPCs.
- Advanced authorization: because the Edge API is connected directly to our AuthZ and TrUST Engine, it can perform advanced authorization based on complex, fine-grained access policies.
Supported functionality
API endpoints publishing
The MicroPerimeter™ Edge provides a number of tools to manage, transform and secure your API endpoints:
- Routing: API calls can be routed to different targets based on the URI path pattern.
- Filtering and Orchestration: URI rewrite at the API endpoint level, and the ability to assign filters/plugins both at the service level and at the individual API endpoint level, defined by URI pattern matching.
- Cross Domain Support: CORS header publishing and support.
- Header Management: support for X-Forwarded-For, X-TrueClient-IP and Proxy Via headers.
- Correlation ID integration: injection, as well as use of an external correlation ID, to relate transactions for full tracing.
- OpenTracing support: OpenTracing provides "chain of evidence" logging to associate subsequent calls into a traceable record.
- API Specification Support: the published API endpoints can be configured via any combination of the following methods:
  - JSON or YAML files
  - Consul Key-Value pair database
  - Cloudentity Application Service
Authentication and Authorization
As an enforcement point, the MicroPerimeter™ Edge integrates with a wide range of protocols and tools to ensure the request is not only authorized but also secure in the context of a wide range of risk and business rules.
- Protocol Support:
  - SSO cookie/header
  - HMAC API Key
  - Application-specific JWT token
  - OAuth 2.0 Access Token
  - OAuth 2.0 Access Token with token introspection
  - OAuth 2.0 Client Credentials
  - Anonymous authentication – the ability to track public requests
- Fallback Authorization: Edge can chain multiple authentication methods together and define fallback scenarios for request authorization.
- Integrated Security: Edge integrates with the Cloudentity TrUST Engine to provide the following authorization capabilities:
  - Access-policy-based authorization that combines a hybrid model for validating the request, including, but not limited to:
    - User session attribute-based validation: for example, the policy can check whether the user's session is active, whether a session attribute value contains / is equal to / is not equal to a preconfigured value, or whether the user has a specific scope or entitlement.
    - Authentication method and authentication event-based validation: policies may check whether the user authenticated with a user ID and password versus an external SAML IdP, or whether the user/client performed second-factor authentication in the last 5 minutes; a "fail" on the specified criteria may force additional authorization such as MFA.
    - User data store attribute-based validation: by calling out to the user store, the system can check whether any of the user's attributes, including groups/roles/permissions/entitlements, contains / is equal to / is not equal to a preconfigured value. The policy may then fail the request or require reauthorization.
    - Consumption device-based validation: by calling the device service, Edge can check whether the request is coming from a trusted/known device and force validation of that device.
    - IP-based validation: traditional blacklist/whitelist capability on the IP address.
    - Risk level validation: based on contextual factors (e.g. location, time of day, device), a transaction may carry higher or lower risk. If the user or consumption device risk is higher than the preconfigured value, Edge can block the request to force remediation of the risk.
    - Header validation: enforcement policies can be set based on custom header values injected by the trusted network infrastructure, for example a device classification header injected by Incapsula.
  - JWT Support: authorize access based on the JWT token signature and content.
  - OAuth/OIDC: authorize access based on OIDC ID Token scopes and claims.
- Complex Policy Enforcement: Edge is able to enforce conditional if/then/else policies as defined in the TrUST Engine.
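The validations listed above (session state, age of the last second-factor event, IP deny lists, a risk threshold, trusted infrastructure headers) and the X-Forwarded-For handling mentioned under Header Management are easiest to see as an ordered rule list where the first failing rule decides the outcome. The following is an added example written for this page, not Cloudentity code: the rule names, the request/session dictionaries, the `TRUSTED_PROXIES` range and the `/transfers` policy are all constructed for the illustration. It also shows the one detail that makes IP-based rules meaningful at a gateway: X-Forwarded-For is only honoured when the direct peer is a trusted proxy, and the chain is walked from the right so a client cannot choose its own address by prepending headers.

```python
"""Toy enforcement-point policy evaluator (added example, not Cloudentity code).
Shapes of request/session/context are assumptions made for this illustration."""
import ipaddress
import time

# Constructed: the address range of the load balancer / proxy tier in front of the gateway.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

ALLOW, DENY, STEP_UP = "allow", "deny", "step_up"


def client_ip(request, trusted_proxies=TRUSTED_PROXIES):
    """Resolve the real client address. X-Forwarded-For is only consulted when the
    TCP peer is a trusted proxy; the chain is then walked from the right, skipping
    trusted hops, so the first untrusted address is the one the proxy tier saw."""
    peer = ipaddress.ip_address(request["peer_ip"])
    if not any(peer in net for net in trusted_proxies):
        return str(peer)  # direct client: its own header is not trustworthy
    raw = request["headers"].get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking and fall back to the peer
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return str(peer)


# Rule factories: each returns a predicate over the evaluation context.
def session_active(ctx):
    return ctx["session"].get("active") is True

def has_scope(scope):
    return lambda ctx: scope in ctx["session"].get("scopes", [])

def mfa_within(seconds):
    # Authentication-event check: second factor performed recently enough.
    def check(ctx):
        ts = ctx["session"].get("mfa_at")
        return ts is not None and ctx["now"] - ts <= seconds
    return check

def ip_not_blocked(denylist):
    nets = [ipaddress.ip_network(n) for n in denylist]
    return lambda ctx: not any(ipaddress.ip_address(ctx["client_ip"]) in n for n in nets)

def risk_below(threshold):
    return lambda ctx: ctx["risk"] < threshold

def header_equals(name, expected):
    # Header injected by trusted infrastructure (e.g. a device classification header).
    return lambda ctx: ctx["request"]["headers"].get(name) == expected


def evaluate(policy, ctx):
    """Walk the ordered rule list; the first failing rule decides (deny or step-up)."""
    for name, check, on_fail in policy:
        if not check(ctx):
            return on_fail, name
    return ALLOW, None


# Constructed policy for a hypothetical /transfers endpoint.
TRANSFER_POLICY = [
    ("session-active", session_active, DENY),
    ("ip-denylist", ip_not_blocked(["203.0.113.0/24"]), DENY),
    ("trusted-device-header", header_equals("X-Device-Class", "managed"), DENY),
    ("risk-threshold", risk_below(70), DENY),
    ("payments-scope", has_scope("payments:write"), DENY),
    ("recent-mfa", mfa_within(300), STEP_UP),  # second factor within 5 minutes, else force MFA
]


def decide(request, session, risk, policy=TRANSFER_POLICY, now=None):
    """Build the evaluation context from the request and return (outcome, failing_rule)."""
    ctx = {
        "request": request,
        "session": session,
        "risk": risk,
        "client_ip": client_ip(request),
        "now": time.time() if now is None else now,
    }
    return evaluate(policy, ctx)


# Constructed sample input: request arriving via a trusted proxy at 10.1.2.3.
SAMPLE_REQUEST = {
    "peer_ip": "10.1.2.3",
    "headers": {"X-Forwarded-For": "198.51.100.7, 10.1.2.3", "X-Device-Class": "managed"},
}
SAMPLE_SESSION = {"active": True, "scopes": ["payments:write"], "mfa_at": 1_000_000}

if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST, SAMPLE_SESSION, risk=20, now=1_000_100))
```

Rule order matters: cheap, deterministic denials (session, IP, trusted header) come before the rules that would trigger a step-up, so a blocked client is never offered an MFA challenge.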
Integration with protected services
The MicroPerimeter™ Edge is able to normalize your API by transforming and managing requests to the services it protects.
- Service Management: ability to configure/discover the location of the protected services via:
  - Consul Service discovery
  - Fixed Service registry – provided as part of the Edge API configuration (external KV or JSON flat file). Support for multiple nodes per service name to allow client-based load balancing.
- Service Target Management: direct target host configuration as part of the API publishing rules.
- Load Balancing: when using Consul or the Fixed Service registry, Edge is able to provide load balancing to targets.
- SMART HTTP client functionality:
  - API request retries
  - Request failover
  - Circuit breaker support
  - OpenTracing support
  - Per-service connection pooling support
  - Per-service connection keep-alive support
- URI Rewrite: provide backwards compatibility or consistency by rewriting the URI proxied to the protected service.
- JWT Authorization Token Injection:
  - Content of the JWT is configurable at the Service/Endpoint level
  - Content of the JWT can include any of the session/user/device attributes available in the Cloudentity platform
  - Support for both symmetric and asymmetric JWTs
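The JWT injection described above, together with the token translation mentioned in the introduction (a long-lived client credential validated at the Edge, then a short-lived JWT minted for the protected service), is shown below as an added example written for this page; it is not Cloudentity's implementation. The per-endpoint claim mapping `ENDPOINT_CLAIMS`, the attribute context, the shared key and the choice of HS256 (the symmetric case; the asymmetric case would sign with a private key and verify with the public one) are all assumptions for the illustration. The verifier is what the upstream service would run: it pins the algorithm instead of trusting the token header, compares the signature in constant time, and enforces `exp`.

```python
"""Gateway-side JWT minting and service-side verification (added example, not
Cloudentity code). Claim mapping, key and algorithm choice are assumptions."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes, ttl: int = 60, now=None) -> str:
    """Sign a short-lived HS256 JWT; ttl is seconds, kept small because the token
    only has to survive the hop from the Edge to the protected service."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, now=None) -> dict:
    """What the protected service runs: alg pinned, constant-time signature check, exp enforced."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


# Constructed per-endpoint configuration: which attributes each protected
# endpoint receives (the page says the JWT content is configurable per service/endpoint).
ENDPOINT_CLAIMS = {
    "/accounts": ["user.id", "session.scopes"],
    "/transfers": ["user.id", "user.roles", "device.trusted", "session.mfa_at"],
}


def build_claims(endpoint: str, attributes: dict) -> dict:
    """Pick only the configured dotted attribute paths out of the session/user/device context."""
    out = {}
    for path in ENDPOINT_CLAIMS[endpoint]:
        node = attributes
        for part in path.split("."):
            node = node[part]
        out[path] = node
    return out


# Constructed attribute context, as the gateway would hold it after authenticating the client.
SAMPLE_ATTRIBUTES = {
    "user": {"id": "u-123", "roles": ["teller"], "email": "teller@example.com"},
    "session": {"scopes": ["accounts:read"], "mfa_at": 1700000000},
    "device": {"trusted": True},
}
KEY = b"example-shared-secret-not-for-real-use"  # constructed; per-service key shared with the upstream


def issue_for(endpoint: str, attributes=SAMPLE_ATTRIBUTES, key=KEY, now=None) -> str:
    """Translate the authenticated context into the JWT injected for one endpoint."""
    return mint_jwt(build_claims(endpoint, attributes), key, ttl=60, now=now)


if __name__ == "__main__":
    token = issue_for("/transfers")
    print(token)
    print(verify_jwt(token, KEY))
```

Note that `/accounts` never receives roles, device state or the user's e-mail even though the gateway holds them: the mapping is the least-privilege boundary between what the Edge knows and what each upstream is told.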
API protection
MicroPerimeter™ Edge also provides broad API protection with a number of standard features:
- URI structure enforcement and whitelisting
- Advanced authorization and authentication capabilities and brute-force filter protection
- API throttling
- Detailed access logs including the authentication context
- Kafka integration
- Ability to configure the desired TLS version and ciphers
Extensibility
Edge also allows for custom policies and plugins which can be used to integrate legacy or proprietary systems as part of the standard data flow and enforcement. This could include custom callouts, complex business logic, or custom protocol/security management.
Tools and Dependencies
Dependent Products
The MicroPerimeter™ Gateway runs either as a standalone application in your environment or as part of your Microservices cluster (e.g. Kubernetes cluster).
It can be integrated with the following Cloudentity services:
- The TrUST™ Engine is a centralized policy management service in Cloudentity Core. Although local policies can be configured, we recommend using the Service Mesh Sync to reference the TrUST™ Engine as the source of truth for all security policies.
- The OAuth and OIDC Service enables the MicroPerimeter Gateway to accept OAuth access tokens and OIDC ID tokens for client authentication and authorization. It is also possible to enable integration with third-party OAuth/OIDC-capable identity providers.
- The Cloudentity Session Grid allows the MicroPerimeter Gateway to understand and verify the Cloudentity SSO token as an authentication method. It also enables the capability to inject session content into the secure JWT or headers passed to the protected services.
- When the MicroPerimeter Gateway is integrated with the Cloudentity MicroPerimeter Sidecar, it enables the creation of Zero Trust Domains between the Gateway and the protected services.
Notable APIs
Cloudentity provides a collection of Open APIs which are used by the platform. By making these APIs publicly available, clients are able to extend and integrate other systems seamlessly into the environment. The MicroPerimeter™ Gateway consumes the following APIs.
Developer Guide
For detailed implementation and configuration, please see the MicroPerimeter™ Edge Developer Guide.