Interesting. My perspective is that a strong, small team building a monolith has to think of constraints and design for them, and the microservices teams make choices in the local instead of the global maximum, which reduces cohesion and incurs communication costs. I would think that carving out a service from a monolith would be easier than the reverse direction, although maybe you’re with me on that.

Dude thank you for your detailed reply which I have been thinking about for a while.

I don’t want to mischaracterise what you’re saying but I want to try to summarise the lessons, which I think are super valid.

1. Some external layers or services are basically essential, like a WAF/auth/rate limiter/API gateway/reverse proxy. Or DB.
2. Observability and logging, and rapid response to anomalies, together with a honeypot, go a long way toward maintaining security.

This is definitely a way to think about this that I haven’t distilled. Thanks!

You have me thinking. My gut tells me this is true.

For example, if you have a segmented auth service that someone gets root on, it’s possible for someone to act as anyone else, but not get the whole database if unavailable to all users.

If your load balancer gets compromised, you could cause denial of service or act as a man-in-the-middle for all requests.

If your database gets got, that’s the worst, but you generally can’t intercept web requests and other front-end facing things.

But, I’d like to play devil’s advocate here. I feel that most of these segmented architecture strategies may have negative security implications as well.

First, the overall attack surface increases. There are more redundant mechanisms, more links in the chain, probably more differing types of security/tokens/certificates that can get exploited. It also adds maintenance burden, which I believe reduces security because other priorities may get in the way if things are cumbersome.

In my examples above, a compromise of the auth service in most cases pretty much means a complete compromise of the what your system allows its highest level users to do. Which is normally a lot.

Getting a load balancer will allow an attacker to MITM if TLS termination happens there, and basically this can mean the same as in the auth service, plus XSS-type stuff.

If the service hosting the database is compromised, it’s kinda game over. Including XSS.

So what have we gained here?

A monolith hosting all of these has more or less the same consequences if compromised. However, if it’s all together, it becomes everyone’s responsibility and there are more eyes on each aspect of your application. You’re more likely to update things that need updating. Traffic can be analysed a little easier.

Just wanted to jot down some notes because I have a talk coming up and need to prepare for this question. Please prod my thinking, it would really help me out!

Devs used to have to consider deployment and uptime! They still should. We as an industry became arbitrarily segmented and irresponsible. I have never gotten used to this tossing shit over the fence.