Service-to-Service Authentication and Authorisation
Summary
When services connect to other services in the absence of human interaction they MUST adopt a zero trust security model: "never trust, always verify".
Problem Description
We need to connect services to remote resources in situations where no human interaction is involved.
We want to ensure services are secure by design.
Solution
Services MUST connect in a way which is secure by design, specifically services:
- MUST NOT allow API calls from unrecognised sources
- MUST NOT solely rely on perimeter security.
N.B. Reaching a service over a VPN does not make that service secure. A VPN is a perimeter control: it says nothing about which service is making a given call or whether that call is permitted, although it may add some defence in depth.
Therefore, services MUST authenticate and authorise API calls, adopting a zero trust security model. This means:
- Every service SHOULD be identifiable, i.e. carry a stable identity (a key, certificate or token) that the callee can recognise
- Every API call MUST be authenticated: the callee verifies which service is calling before it processes the request
- Every API call MUST be authorised: the callee checks, separately from authentication, that the verified caller is permitted to perform that action
- The credentials used to authenticate calls SHOULD support rotation where applicable, so that a key can be replaced without downtime and retired once compromised
- Services SHOULD NOT roll their own authentication/authorisation implementation; use an established, reviewed library or platform mechanism instead
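As an added illustration that is not part of the original practice text, the points above worked through in Go: a caller signs a token with its own key, and the callee checks in order that the key id belongs to a recognised service (no unrecognised sources), that the signature verifies and the claims match the key's owner and this service (authentication), that the callee's own policy permits the action (authorisation, a separate step), and that an old key can be retired after a new one has been admitted (rotation). The service names (billing, ledger, payroll, reports), the key ids, the claim names and the token format are assumptions made for this example; the token format is a deliberately minimal stand-in for a real JWT/JWS library or mTLS, which is what the last point tells you to use in practice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims in a service token (JWT-style names). The token format is a minimal stand-in
// for a real JWT/JWS library, kept small so that every check stays visible.
type Claims struct {
	Issuer   string `json:"iss"` // identity of the calling service
	Audience string `json:"aud"` // service the call is intended for
	Expiry   int64  `json:"exp"` // unix seconds
}

var (
	ErrMalformed     = errors.New("malformed token")
	ErrUnknownKey    = errors.New("unrecognised key id: caller is not a known service")
	ErrBadSignature  = errors.New("signature does not verify under the named key")
	ErrIssuerKey     = errors.New("issuer claim does not match the key's owner")
	ErrWrongAudience = errors.New("token was not issued for this service")
	ErrExpired       = errors.New("token has expired")
	ErrNotAuthorised = errors.New("caller is not authorised for this action")
)

// TrustedKey binds a public key to its owning service, so that a recognised service
// cannot sign a token claiming to be some other service.
type TrustedKey struct{ Owner string; Pub ed25519.PublicKey }

// Verifier is the callee. Keys may hold several kids per owner during a rotation;
// Policy is the callee's own decision about what each recognised caller may do.
type Verifier struct {
	Self   string                     // our service name, compared against aud
	Keys   map[string]TrustedKey      // kid -> key (the trust store)
	Policy map[string]map[string]bool // issuer -> permitted actions
	Now    func() time.Time           // injectable clock
}

func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// Issue builds base64url(kid).base64url(claims).base64url(sig); the signature covers the
// kid as well as the claims, so a token cannot be re-pointed at a different key.
func Issue(kid string, priv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // Claims holds only marshalable fields
	msg := b64([]byte(kid)) + "." + b64(payload)
	return msg + "." + b64(ed25519.Sign(priv, []byte(msg)))
}

// Authenticate answers "which recognised service sent this, and is the token genuine,
// meant for us and still valid?" It decides nothing about what the caller may do.
func (v *Verifier) Authenticate(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return Claims{}, ErrMalformed }
	kid, e1 := unb64(parts[0])
	payload, e2 := unb64(parts[1])
	sig, e3 := unb64(parts[2])
	if e1 != nil || e2 != nil || e3 != nil { return Claims{}, ErrMalformed }
	key, ok := v.Keys[string(kid)]
	if !ok { return Claims{}, ErrUnknownKey } // unrecognised source: stop before any other work
	if !ed25519.Verify(key.Pub, []byte(parts[0]+"."+parts[1]), sig) { return Claims{}, ErrBadSignature }
	var c Claims
	if json.Unmarshal(payload, &c) != nil { return Claims{}, ErrMalformed }
	if c.Issuer != key.Owner { return Claims{}, ErrIssuerKey }
	if c.Audience != v.Self { return Claims{}, ErrWrongAudience }
	if !v.Now().Before(time.Unix(c.Expiry, 0)) { return Claims{}, ErrExpired }
	return c, nil
}

// Authorise is a separate step, taken only after Authenticate succeeded: it is the
// callee's policy, not anything in the token, that says what the caller may do.
func (v *Verifier) Authorise(c Claims, action string) error {
	if v.Policy[c.Issuer][action] { return nil }
	return ErrNotAuthorised
}

// AddKey admits a new kid for an owner; RetireKey drops an old one once every token
// signed under it has expired. Overlapping the two gives downtime-free rotation.
func (v *Verifier) AddKey(kid, owner string, pub ed25519.PublicKey) { v.Keys[kid] = TrustedKey{owner, pub} }
func (v *Verifier) RetireKey(kid string)                            { delete(v.Keys, kid) }

// Scenario is a constructed walk-through in which "billing" calls "ledger"; it returns
// each check's outcome (nil = accepted) so the results can be inspected or asserted on.
func Scenario() map[string]error {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	billingPub, billingPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := &Verifier{Self: "ledger", Now: func() time.Time { return now },
		Keys:   map[string]TrustedKey{"billing-k1": {"billing", billingPub}},
		Policy: map[string]map[string]bool{"billing": {"ledger:post": true}}}
	claims := Claims{Issuer: "billing", Audience: "ledger", Expiry: now.Add(5 * time.Minute).Unix()}
	out := map[string]error{}
	good := Issue("billing-k1", billingPriv, claims)
	c, err := ledger.Authenticate(good)
	out["authn ok"] = err
	out["authz post"] = ledger.Authorise(c, "ledger:post")
	out["authz delete"] = ledger.Authorise(c, "ledger:delete") // authenticated but not permitted
	_, out["unknown kid"] = ledger.Authenticate(Issue("stranger-k1", strangerPriv, claims))
	_, out["forged sig"] = ledger.Authenticate(Issue("billing-k1", strangerPriv, claims))
	imp := claims; imp.Issuer = "payroll" // billing's real key, but claiming to be payroll
	_, out["impersonation"] = ledger.Authenticate(Issue("billing-k1", billingPriv, imp))
	other := claims; other.Audience = "reports" // minted for another service, replayed here
	_, out["wrong audience"] = ledger.Authenticate(Issue("billing-k1", billingPriv, other))
	billingPub2, billingPriv2, _ := ed25519.GenerateKey(rand.Reader) // rotation: k2 joins k1
	ledger.AddKey("billing-k2", "billing", billingPub2)
	rotated := Issue("billing-k2", billingPriv2, claims)
	_, out["rotated key"] = ledger.Authenticate(rotated)
	ledger.RetireKey("billing-k1") // only once every k1 token has expired
	_, out["retired key"] = ledger.Authenticate(good)
	ledger.Now = func() time.Time { return now.Add(10 * time.Minute) } // clock moved past exp
	_, out["expired"] = ledger.Authenticate(rotated)
	return out
}

func main() {
	for check, err := range Scenario() {
		fmt.Printf("%-15s -> %v\n", check, err)
	}
}
```

Running it prints one line per check; only "authn ok", "authz post" and "rotated key" come back nil. Two details are the ones most often missed in real deployments: the trust store binds each key to its owner, so a compromised or misbehaving billing service cannot mint tokens that claim to be payroll; and the old key is only retired after every token signed under it has expired, which is what lets rotation happen without a window in which legitimate calls fail.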
Adoption
New services MUST adopt this practice. Existing services SHOULD implement this practice. Endpoints that are inherently public, such as health and status probes, public key endpoints and metrics, are exempt.