<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Authentication Archives - Artificial Intelligence</title>
	<atom:link href="https://www.aiuniverse.xyz/tag/authentication/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.aiuniverse.xyz/tag/authentication/</link>
	<description>Exploring the universe of Intelligence</description>
	<lastBuildDate>Fri, 24 Apr 2020 12:10:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>Use tokens for microservices authentication and authorization</title>
		<link>https://www.aiuniverse.xyz/use-tokens-for-microservices-authentication-and-authorization-2/</link>
					<comments>https://www.aiuniverse.xyz/use-tokens-for-microservices-authentication-and-authorization-2/#respond</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Fri, 24 Apr 2020 12:09:57 +0000</pubDate>
				<category><![CDATA[Microservices]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Development]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=8349</guid>

					<description><![CDATA[<p>Source: searchapparchitecture.techtarget.com When assembled correctly, a microservice architecture gives applications interoperation between various services, possibly hosted across different platforms. For microservices, security must be top of mind, <a class="read-more-link" href="https://www.aiuniverse.xyz/use-tokens-for-microservices-authentication-and-authorization-2/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/use-tokens-for-microservices-authentication-and-authorization-2/">Use tokens for microservices authentication and authorization</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Source: searchapparchitecture.techtarget.com</p>



<p>When assembled correctly, a microservice architecture gives applications interoperation between various services, possibly hosted across different platforms. For microservices, security must be top of mind, since there&#8217;s no way to contain users as in a monolithic application.</p>



<p>Instead of simply allowing upfront access to a microservices-based application, development teams need to also secure and manage access for each user-facing service. However, users do not want to be challenged every time they move from one service to another. New security approaches maximize protection in a distributed architecture without inhibiting user experience.</p>



<p>In this tip, we review the basics of how to manage access in a distributed architecture and examine the role that token-based security plays in microservices authentication and authorization.</p>



<h3 class="wp-block-heading">Authentication and authorization in microservices</h3>



<p>The first key to unlock microservices security is authentication and authorization:</p>



<ul class="wp-block-list"><li><strong>Authentication</strong> determines who you are by validating that a particular entity is actually what it claims to be.</li><li><strong>Authorization</strong> regulates what you are allowed to do through assigned roles and classes that define the various permissions a user has.</li></ul>



<p>With the right tools in place, an application can perform authentication once per session, while still allowing authorization to occur multiple times as a call moves from one microservice to another.</p>



<p>For microservices authentication, go beyond the basic <em>challenge-and-response</em> system, based on usernames and passwords alone. Instead, the user-facing microservice should perform multi-factor authentication (MFA), relying on a separate authentication app on a user&#8217;s device or perhaps a physical token like an RSA SecurID tag. This microservice authentication approach will also require a security token service (STS).</p>



<h3 class="wp-block-heading">The history of microservices token authentication</h3>



<p>The concept of the STS stems from service-oriented architecture, when WS-Trust became a standardized security protocol for token management. WS-Trust was originally modeled around SOAP and used languages like SAML to distribute tokens in the form of XML documents, also known as SAML Assertions.</p>



<p>The movement toward distributed web-app development caused software teams to look for security tokens that worked with RESTful and JSON formats. The token technologies that arose from this need include JSON Web Token (JWT) and OAuth 2.0.</p>



<h3 class="wp-block-heading">Security token service</h3>



<p>STS enables clients to obtain the credentials they need to access multiple services that live across distributed environments. It issues digital security tokens that stay with users from the beginning of their session and continuously validate their permission for each service they call. An STS can also reissue, exchange and cancel security tokens as needed.</p>



<p>The STS must connect with an enterprise user directory that contains all the details about user roles and responsibilities. This directory, and any connection made to it, should be properly secured as well; otherwise, users could elevate their permissions just by editing policies on their own. Consider segmenting user access policies based on roles and activities. For instance, identify the individuals who have administrative capabilities. Or, you might limit a developer&#8217;s access permissions to only include the services they are supposed to work on.</p>



<p>A basic outline of how such a system works is shown in Figure 2.</p>



<p>First, a user logs into an application and provides authentication details through a challenge-and-response system that is supported by MFA. Then, the STS uses information derived from the MFA to determine which token to provide the user at the start of the session. This token remains with the user throughout the session, still managed by the STS, and each service the user tries to access checks the token to allow or deny access.</p>



<h3 class="wp-block-heading">Securing automated access</h3>



<p>Not all microservices permission and security checks are based around a human user. Automated components also generate microservices access requests. Consider the rise of the internet of things, which has led to a massive growth in the use of automated devices. These devices transmit their own data across networks and access any number of services, either for data analysis or to trigger certain functions. Since many of these activities are event-driven, they have almost zero dependency on human intervention.</p>



<p>The above microservices authentication and authorization approaches are still valid in these scenarios, except that MFA doesn&#8217;t work for non-human components that can&#8217;t interact with end-user devices or physical tokens. In these cases, it&#8217;s best to embed any automated component that accesses your services with a unique identifier, such as an embedded serial number, that the STS can use to verify what tokens it should issue. Technologies like OAuth and OpenToken provide ways to embed these devices with unique identifiers.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/use-tokens-for-microservices-authentication-and-authorization-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>KPMG: How AI Defense Can Counter Faster Payments Fraud</title>
		<link>https://www.aiuniverse.xyz/kpmg-how-ai-defense-can-counter-faster-payments-fraud/</link>
					<comments>https://www.aiuniverse.xyz/kpmg-how-ai-defense-can-counter-faster-payments-fraud/#comments</comments>
		
		<dc:creator><![CDATA[aiuniverse]]></dc:creator>
		<pubDate>Fri, 07 Dec 2018 05:40:14 +0000</pubDate>
				<category><![CDATA[Artificial Intelligence]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Financial Crime]]></category>
		<category><![CDATA[Fraud Prevention]]></category>
		<category><![CDATA[Payments Fraud]]></category>
		<guid isPermaLink="false">http://www.aiuniverse.xyz/?p=3190</guid>

					<description><![CDATA[<p>Source- pymnts.com Everything can seem right. But that’s only because the criminals are good. A person calls to inform a consumer that his or her account had been <a class="read-more-link" href="https://www.aiuniverse.xyz/kpmg-how-ai-defense-can-counter-faster-payments-fraud/">Read More</a></p>
<p>The post <a href="https://www.aiuniverse.xyz/kpmg-how-ai-defense-can-counter-faster-payments-fraud/">KPMG: How AI Defense Can Counter Faster Payments Fraud</a> appeared first on <a href="https://www.aiuniverse.xyz">Artificial Intelligence</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Source- <a href="https://www.pymnts.com/news/security-and-risk/2018/ai-real-time-payments-fraud-prevention/" target="_blank" rel="noopener">pymnts.com</a></p>
<p>Everything can seem right. But that’s only because the criminals are good.</p>
<p>A person calls to inform a consumer that his or her account had been frozen because of what was supposedly a “fraudulent transfer” or some other problem. The caller sounds professional, and might even send a text with details meant to provide confirmation and assurance. The request? Transfer funds into a new account for safety.</p>
<p>But that new account will be controlled by fraudsters, who will quickly steal the money – funds that might be unrecoverable by a bank or law enforcement. Such a scenario stands as a terrifying example of not only the sophistication of criminals, but also the threat of fraud in a real-time payments environment.</p>
<p>That threat – and how to defend against it – served as the foundation of a recent PYMNTS discussion that featured Karen Webster and two fraud prevention specialists from KPMG in the U.S. – Ron Plesco, principal of Cyber Security, and Bob Ruark, principal of Banking and Financial Services Strategy and KPMG’s FinTech leader in the U.S.</p>
<p><strong>More Data</strong></p>
<p>As Plesco pointed out, criminals have managed to steal credit bureau data, giving fraudsters an in when it comes to such theft. “All that info has been mined by organized crime groups and other actors,” he said. And those criminals are experts at social engineering, enabling them to con people who might be on high alert for fraud attempts. “They can convince you that they are the bank, and even the caller ID showing on your phone will say so.”</p>
<p>That doesn’t mean all is hopeless, of course. Education of banking customers — both commercial and consumer clients — is key to preventing such fraud and reducing the risk of further attempts, Plesco and Ruark told Webster.</p>
<p>The antidote? “You need layers of security,” he noted.</p>
<p>That might mean having banks move away from knowledge-based questions for identity validation — which criminals can figure out — to biometric authentication methods, including voice and facial recognition. In a real-time payments environment, that can also mean sending a message to the customer attempting the transaction, one that confirms the legitimacy of the other party and its payment request.</p>
<p>Another technology that can help banks prevent fraud and take a more proactive approach to suspicious transactions in real time is artificial intelligence (AI).</p>
<p><strong>AI’s Role</strong></p>
<p>As Plesco explained, such a system will flag an out-of-the-ordinary transaction — a customer moving more money than is usually the case, for instance, or transacting with a new and unknown party. You can think of that as similar to the alerts credit card companies send when a consumer uses his or her card in an unusual way (or, of course, when a criminal tests that card via an unusual transaction). “You use artificial intelligence to say ‘wow, this is out of the norm,’” Plesco said. “All of our clients are moving toward that.”</p>
<p>Indeed, algorithms are taking on more of the data and security work for financial institutions, with technologies such as data mining and business rules management systems (BRMS) finding popularity among banks and credit unions, according to a new PYMNTS report entitled, “The AI Gap: Perception Versus Reality in Payments and Banking Services.” However, fewer institutions have made the move to true AI, with lack of funding and even misunderstanding of the technology serving as challenges to its wider acceptance.</p>
<p>But AI isn’t the only necessary defense when it comes to preventing fraud in an environment where consumers and corporations want faster, even real-time payments. Friction can also play a role.</p>
<p>That might seem counterproductive, given ongoing efforts to take friction out of payments (and commerce) so that consumers have quick and seamless transactions. Yet there is always a balance between security and convenience, and when it comes to fraud prevention in this global and digital era, a little more security — friction — can go a long way toward making sure thieves don’t make off with consumers’ savings.</p>
<p><strong>Holistic Defense</strong></p>
<p>A holistic approach to fraud prevention is also needed. The marketing department, for instance, accumulates loads of data that tells how consumers visit an organization’s website, and from what locations and machines, among other information. “That’s a gold mine of how your customers interact with you,” Plesco said.</p>
<p>That information can then be shared across the organization. As well, the people responsible for ID and access security should work with the people responsible for fraud prevention, and vice versa. “Look at [fraud prevention] from an enterprise level, not just a business unit level,” Ruark advised.</p>
<p>Furthermore, fraud prevention might require what Plesco called a “hybrid” approach. That means banks figuring out which of their data sets can help them defend against fraud, and determining how to access and use that information efficiently. That means using the best parts of the legacy technology and system, and then deciding whether there is a need to combine that with new technology from vendors.</p>
<p>Criminals are only getting better and more sophisticated, but the right mindset can lead to better defenses — and, perhaps, fewer fraud stories about people losing their savings.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.aiuniverse.xyz/kpmg-how-ai-defense-can-counter-faster-payments-fraud/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
			</item>
	</channel>
</rss>
