Security plays a critical part in any distributed IT environment. Data integrity, confidentiality, and availability are the most important parameters for ensuring impenetrable data security. There are several mechanisms such as encryption and decryption, digital signature, hashing for securing data while in transit, persistence, and usage. For microservice-centric applications running on cloud infrastructures, the security aspect starts with identification, authentication, and authorization. Security policies are another solution widely used in public cloud environments. Hardware security modules (HSMs) are prevalent these days as it is not easy to break in while guaranteeing higher throughput. Then there are several security appliances such as firewalls, intrusion detection, and prevention systems. Unified threat modeling and management solutions are also getting a lot of attention these days, considering the severity of security threats and vulnerabilities in the microservice era. As mentioned previously, API gateways form an important phenomenon for the intended success of microservice architecture. Considering the strategically sound significance, API gateway solutions are being stuffed with security-enablement properties. A bevy of unique security characteristics are being incorporated into API gateways to ensure utmost and unbreakable security. Let's take a look at these security features. 

Federated identity is the widely preferred way for service authentication and authorization. As we all know, microservices exclusively focus on business functionality. The supporting functionalities and facilities are attached when needed. The proven technique of divide and conquer is still working wonders in the IT world, which is becoming hugely complicated yet sophisticated owing to the consistently evolving and erudite trends and transitions in the IT space. Especially, identity management, being the prime security requirement, is being delegated to third-party solutions and services. That is, each microservice does not need to obtain and store user credentials in order to authenticate them during subsequent requests.

Instead, the identity management system takes care of the authentication well. The following diagram shows the role authorization servers play in the authentication and authorization processes. The attached database stores all the user credentials in clustered mode. Also third-party authentication and authorization management systems are closely coupled with API gateways in order to seamlessly and smoothly do the initial security-enablement tasks:

There are three key protocols enabling the federated identity:

• OpenID
• SAML
• OAuth

The flow is as follows. The application client first sends a request and grabs a JWT access token from the third-party authentication and  authorization server by supplying the mandated credentials. Once the mandated credentials are obtained, the client then embeds the access token in the Authorization HTTP header of the API request. The API Gateway then validates the access token supplied by the client with the authorization server.  Once validated by the third-party authentication server, the API gateway passes the JWT access token to the appropriate backend microservices to initiating the business tasks. If there is a need for other downstream microservices to fulfill the service request, then the same JWT token is shared across to all the participating and contributing microservices. Microservices that are in collaborating mode have to attach the JWT access token to their request messages: 

• Confidentiality: Data security and privacy are very much demanded owing to the remote storage. Also the pervasive, public, and open internet, which turns out to be the world's largest communication infrastructure and information powerhouse, is the data carrier. Keeping data safe and secure is the foremost requirement for business entities and their IT divisions. That is, the confidentiality of data cannot be compromised at any cost. Primary data protection is done by the API gateway. The other option is that the database server is totally insulated from other servers. As a way of ensuring data privacy while data is being persisted, data is encrypted and the encryption key is managed separately. Data servers are not allowed to be accessed by clients directly. Every data access request is routed through a frontend service.
• Integrity: The service messages comprising confidential, customer, and corporate information cannot be hacked and manipulated. A compromised message can be used for the wrong purposes, such as bringing down servers or stealing private information. To ensure better integrity for messages and data, a number of purpose-specific and agnostic checks are done on messages while the messages are passed through a host of intermediary servers from the source to the sink. Typically hashing algorithms are used in order to identify whether there has been any kind of data modification.
• Availability: Service availability is very important for attaining success with microservice architecture. There are hackers attempting to bring down services. The API gateway provides the first defense against this. Then, there are LBs to ensure the service continuity. Clustered and cloud servers come in handy in guaranteeing the high availability of services. Distributed denial of service (DDoS) attacks on services can be thwarted through the application of the throttling/rate limiting pattern.
• Secure communication: Communication has to be secured through the SSL/TLS mechanism. Microservices and API gateways are, therefore, mandated to be SSL/TLS-compliant. Such a setup easily safeguards against man-in-the-middle attacks. Also, the widely used message and data encryption method secures against peeking at and tampering with service messages and data.

Apart from other functionalities, API gateways are predominantly leveraged to secure microservice-based applications. Security acquires special significance as microservices are deployed in geographically distributed server environments. Also, with web-scale applications, microservices and their distinct instances are being frontended by LBs. API gateways represent a growing collection of advanced services that enable microservices to contribute to business automation and augmentation.