
Microservices security gaps: what IAM and API teams need to know


(@nhi-mgmt-group)

TL;DR: Microservices multiply API endpoints, authentication paths, and internal trust relationships, while traditional perimeter tools miss shadow APIs and east-west traffic, according to Kong. The result is a governance problem as much as a technical one: identity, access, secrets, and observability controls must be designed for distributed execution rather than monolithic assumptions.

NHIMG editorial — based on content published by Kong: 10 Ways Microservices Create New Security Challenges

By the numbers:

Questions worth separating out

Q: How should security teams govern APIs in microservices environments?

A: Security teams should govern APIs as a continuously changing identity surface, not as a fixed application perimeter.

Q: Why do microservices increase lateral movement risk?

A: Microservices increase lateral movement risk because one service compromise can expose internal trust relationships, shared secrets, and downstream permissions.

Q: What do teams get wrong about Kubernetes Secrets?

A: Teams often treat Kubernetes Secrets as if they are secure by default, but base64 encoding is not encryption and cluster access can expose them.

Practitioner guidance

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • Endpoint-by-endpoint mitigation guidance for microservices architectures
  • Examples of API gateway, service mesh, and OPA policy patterns in practice
  • Configuration and secrets management recommendations for Kubernetes environments
  • Additional data points from industry research on API attack trends

👉 Read Kong's analysis of 10 microservices security challenges →

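The Kubernetes Secrets answer above, shown as an added example that is not part of the original post or Kong's article: a standard-library check that reads a Secret manifest in JSON form and reports every key whose value can be read with no key material. The manifest, its names and its values are constructed for illustration, and `audit_secret_manifest` is a hypothetical helper name.

```python
import base64
import json

# Constructed sample: a Secret manifest in JSON form, as it might sit in a repo.
# The names and values are made up for this example.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "orders-db", "namespace": "shop"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"orders_svc").decode(),
        "password": base64.b64encode(b"constructed-example-pw").decode(),
        "broken": "%%%not-base64%%%",
    },
    "stringData": {"api-token": "constructed-example-token"},
})


def audit_secret_manifest(manifest_json):
    """List every key in a Secret whose value is readable without key material.

    Only lengths are reported, so the audit output does not leak the values.
    """
    obj = json.loads(manifest_json)
    if obj.get("kind") != "Secret":
        return []
    meta = obj.get("metadata", {})
    ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for key, encoded in sorted((obj.get("data") or {}).items()):
        try:
            # base64 is an encoding: decoding needs no key, only the string.
            size = len(base64.b64decode(encoded, validate=True))
            status = "decodes-without-key"
        except ValueError:  # binascii.Error subclasses ValueError
            size, status = None, "invalid-base64"
        findings.append((ref, "data", key, status, size))
    for key, value in sorted((obj.get("stringData") or {}).items()):
        # stringData carries plaintext that the API server encodes on write.
        findings.append((ref, "stringData", key, "plaintext", len(value)))
    return findings


if __name__ == "__main__":
    for finding in audit_secret_manifest(SAMPLE_SECRET):
        print(finding)
```

Every `data` key that comes back as `decodes-without-key` is recoverable by anyone who can read the manifest or the Secret object, which is why read access to Secrets has to be scoped as tightly as access to the credentials themselves.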