
Microservices security and access control: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7674
Topic starter  

TL;DR: Microservices widen the attack surface by decentralizing authentication, authorization, token handling, and policy enforcement across many services, according to Cerbos. The governance problem is not microservices themselves but the assumption that monolith-era security patterns still hold once identity, trust, and control become distributed.

NHIMG editorial — based on content published by Cerbos: security and access control in microservices

By the numbers:

Questions worth separating out

Q: How should security teams implement access control across microservices?

A: Security teams should enforce authorization at each service boundary, not only at the API gateway.

Q: Why do microservices increase identity and access risk?

A: Microservices increase risk because trust is distributed across many services, teams, and network paths.

Q: What do teams get wrong about token-based authentication in microservices?

A: Teams often assume a valid token is enough to authorize every downstream action.

Practitioner guidance

  • Enforce service-level authorization everywhere: require each microservice to validate identity and policy at the point of access, even when requests originate from trusted internal systems.
  • Shorten token lifetime and narrow token scope: issue tokens only for the audience and operations required for the current transaction.
  • Pair mTLS with fine-grained policy checks: use mutual TLS to authenticate both ends of the connection, then apply authorization rules based on service identity, request context, and requested resource.
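
The following is an added example, not code from Cerbos or NHIMG, that puts the three guidance points and the Q&A above into one service-boundary check: the receiving service verifies the mTLS peer identity, the token signature, issuer and expiry, the token audience, and finally whether the token's scope covers the requested operation, so a token that is merely "valid" does not authorize every downstream action. Everything in it is constructed for illustration: an HS256 shared secret standing in for the issuer's real signing keys, SPIFFE-style peer identities, a hypothetical "orders" service and its scope-to-operation policy table.

```python
"""Service-boundary authorization for a hypothetical 'orders' microservice (added example)."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed values: a real service would verify asymmetric signatures against
# the issuer's published keys and take peer identities from the mTLS handshake.
ISSUER_SECRET = b"example-issuer-secret-not-for-production"
ISSUER = "https://sso.example.internal"
ALLOWED_PEERS = {"spiffe://example.internal/ns/prod/sa/checkout"}
# Which token scopes may perform which operations on this service.
ORDERS_POLICY = {
    "orders:read": {"GET /orders"},
    "orders:write": {"POST /orders", "DELETE /orders"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = ISSUER_SECRET) -> str:
    """Stand-in for the identity provider: issue a compact HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(token: str, peer_id: str, operation: str, service_audience: str = "orders",
              now: Optional[float] = None, secret: bytes = ISSUER_SECRET) -> Decision:
    """Run every check at this service, regardless of what an upstream gateway did."""
    now = time.time() if now is None else now
    # 1. mTLS: the caller's certificate identity must be an allowed peer.
    if peer_id not in ALLOWED_PEERS:
        return Decision(False, f"peer {peer_id} not allowed")
    # 2. Signature: only tokens signed by the issuer are considered at all.
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return Decision(False, "malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return Decision(False, "unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return Decision(False, "bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    # 3. Issuer and lifetime: short-lived tokens limit the replay window.
    if claims.get("iss") != ISSUER:
        return Decision(False, "wrong issuer")
    if claims.get("exp", 0) <= now:
        return Decision(False, "token expired")
    # 4. Audience: a token minted for another service is not valid here.
    aud = claims.get("aud")
    if service_audience not in (aud if isinstance(aud, list) else [aud]):
        return Decision(False, "audience mismatch")
    # 5. Scope: a valid token still needs the scope this operation requires.
    scopes = set(claims.get("scope", "").split())
    required = {s for s, ops in ORDERS_POLICY.items() if operation in ops}
    if not required:
        return Decision(False, f"no policy for {operation}")
    if not scopes & required:
        return Decision(False, f"scope {sorted(scopes)} lacks {sorted(required)}")
    return Decision(True, "ok")


def demo() -> list:
    """Constructed requests against the orders service; returns (case, allowed, reason)."""
    now = 1_700_000_000
    peer = "spiffe://example.internal/ns/prod/sa/checkout"
    good = mint_token({"iss": ISSUER, "aud": ["orders"], "scope": "orders:read",
                       "exp": now + 300, "sub": "svc-checkout"})
    billing = mint_token({"iss": ISSUER, "aud": ["billing"], "scope": "orders:read orders:write",
                          "exp": now + 300, "sub": "svc-checkout"})
    # Payload swapped for a wider scope while keeping the original signature.
    h, _, s = good.split(".")
    forged = f"{h}.{_b64url(json.dumps({'iss': ISSUER, 'aud': ['orders'], 'scope': 'orders:write', 'exp': now + 300}).encode())}.{s}"
    cases = [
        ("read with read scope", authorize(good, peer, "GET /orders", now=now)),
        ("write with only read scope", authorize(good, peer, "POST /orders", now=now)),
        ("billing token replayed at orders", authorize(billing, peer, "GET /orders", now=now)),
        ("unknown mTLS peer", authorize(good, "spiffe://example.internal/ns/prod/sa/other", "GET /orders", now=now)),
        ("expired token", authorize(good, peer, "GET /orders", now=now + 600)),
        ("forged scope", authorize(forged, peer, "POST /orders", now=now)),
    ]
    return [(name, d.allowed, d.reason) for name, d in cases]


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

Only the first request is allowed; every other case is denied at the service itself even though each token (except the forged one) carries a genuine issuer signature, which is the distinction the Q&A above draws between a valid token and an authorized action.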

What's in the full article

Cerbos's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how JWTs are issued, propagated, and validated across service calls
  • Implementation detail on using TLS and mTLS together for service-to-service traffic
  • How an API gateway can validate tokens, apply rate limits, and hide internal service topology
  • The Netflix example showing how policy, gateway, and monitoring choices fit together in practice

👉 Read Cerbos's guide to microservices security and access control →
