CISSP PRACTICE QUESTIONS – 20210822

Effective CISSP Questions

Microservices are a separate architectural style, an SOA pattern, or a refined SOA. Both microservices and SOA emphasize self-contained services, high interoperability, and loose coupling (minimal dependency) between them. Which of the following is not an advantage of microservices? (Wentz QOTD)
A. The development teams can work independently.
B. The presence of multiple components enhances availability.
C. The independence of services improves the reusability of the code.
D. The overall architecture of the system can be aligned with the organizational structure.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The presence of multiple components enhances availability.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Microservices Architecture

Microservices are a distributed architectural style. They have various advantages, such as:

  • The scalability can be improved.
  • The development teams can work independently and become more agile.
  • The independence of services improves the reusability of the code.
  • The overall architecture of the system can be aligned with the organizational structure.

However, ensuring the availability, manageability, and monitoring of microservices may incur more overhead because of the distributed nature of the architecture. The concepts of scalability and availability are often confused. Scalability is about how many clients a service can serve, while availability is the degree to which a client can access the service reliably and in a timely manner.

A service or system can adopt different scalability strategies, e.g., scale-up or scale-out. The scale-up strategy may not improve availability. The scale-out strategy contributes to availability to varying degrees; e.g., a DNS-based round-robin load balancer without a heartbeat check provides a lower degree of availability than a cluster-based load balancer that checks the services’ health status.
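
The difference between the two scale-out approaches above, as an added example that is not part of the original post: a small Python simulation of one request per tick against three replicas, one of which suffers an outage. The replica names, the outage schedule and the probe interval are constructed assumptions.

```python
# Added example: compares client-observed availability for round-robin
# without a heartbeat versus rotation over health-checked replicas.

BACKENDS = ["svc-a", "svc-b", "svc-c"]  # hypothetical replica names

# Constructed outage schedule: svc-b is down during ticks 32..59.
OUTAGES = {tick: {"svc-b"} for tick in range(32, 60)}


def is_up(backend, tick):
    """True when the replica can serve a request at this tick."""
    return backend not in OUTAGES.get(tick, set())


def dns_round_robin(ticks):
    """Rotate over every replica; with no heartbeat, a dead replica
    keeps receiving its share of the traffic."""
    ok = 0
    for tick in range(ticks):
        backend = BACKENDS[tick % len(BACKENDS)]
        ok += is_up(backend, tick)
    return ok / ticks


def health_checked(ticks, probe_interval=5):
    """Rotate only over replicas that passed the most recent probe.
    Requests can still fail between an outage and the next probe."""
    ok, cursor, healthy = 0, 0, list(BACKENDS)
    for tick in range(ticks):
        if tick % probe_interval == 0:  # periodic heartbeat
            healthy = [b for b in BACKENDS if is_up(b, tick)]
        if not healthy:
            continue  # nothing to route to, so the request fails
        backend = healthy[cursor % len(healthy)]
        cursor += 1
        ok += is_up(backend, tick)
    return ok / ticks


if __name__ == "__main__":
    print(f"DNS round-robin, no heartbeat: {dns_round_robin(90):.3f}")
    print(f"Health-checked rotation:       {health_checked(90):.3f}")
```

The health-checked balancer still loses the request that lands on the failed replica before the next probe, so a shorter probe interval narrows that window but does not remove it.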

The following is an excerpt from NIST SP 800-204:

Advantages of Microservices

  • For large applications, splitting the application into loosely coupled components enables independence between the developer teams assigned to each component. Each team can then optimize by choosing its own development platform, tools, language, middleware, and hardware based on their appropriateness for the component being developed.
  • Each of the components can be scaled independently. The targeted allocation of resources results in maximum utilization of resources.
  • If components have HTTP RESTful interfaces, implementation can be changed without disruption to the overall function of the application as long as the interface remains the same.
  • The relatively smaller codebase involved in each component enables the development team to produce updates more quickly and provide the application with the agility to respond to changes in business processes or market conditions.
  • The loose coupling between the components enables containment of the outage of a microservice such that the impact is restricted to that service without a domino effect on other components or other parts of the application.
  • When components are linked together using an asynchronous event-handling mechanism, the impact of a component’s outage is temporary since the required functions will automatically execute when the component begins running again, thus maintaining the overall integrity of the business process.
  • By aligning the service definition to business capabilities (or by basing the decomposition logic for the overall application functionality based on business processes or capabilities), the overall architecture of the microservices-based system is aligned with the organizational structure. This promotes an agile response when business processes associated with an organizational unit change and consequently require that associated service to be modified and deployed.
  • The independent functional nature of a microservice promotes better reusability of the code across applications.

Disadvantages of Microservices

  • Multiple components (microservices) must be monitored instead of one single application. A central console is needed to obtain the status of each component and the overall state of the application. Therefore, an infrastructure must be created with distributed monitoring and centralized viewing capabilities.
  • The presence of multiple components creates an availability problem since any component may cease functioning at any time.
  • A component may have to call the latest version of another component for some clients and call the previous version of the same component for another set of clients (i.e., version management).
  • Running an integration test is more difficult since a test environment is needed wherein all components must be working and communicating with each other.
  • When interactions within a microservices-based application are designed as API calls, all the necessary processes required for secure API management must be implemented.
  • The microservices architecture can break down the practice of defense in depth. Many architectures have a web server running in a DMZ that is expected to be compromised, then a backend service which the web server talks to, and then finally a database that the backend service talks to. The backend service can act as a more hardened layer between the exposed web server and the sensitive data in the database. The microservice architecture tends to collapse this and now the web server and back end service are broken down into microservices potentially more exposed than in the previous model. This can result in fewer layers of protection between the caller and sensitive data. Hence it is critical to securely design and implement the microservices themselves as well as the service mesh or API gateway deployment model.



