James's Ramblings

Consider network segregation before expensive M2M authentication

You don’t necessarily need expensive machine-to-machine (M2M) authentication/authorization solutions, like Auth0, as a start-up, particularly if you’re business-to-consumer (B2C) and/or have slim profit margins.

Zero trust (authenticating every request) is a trendy buzzword, but it is not the be-all and end-all of architectural design. The cost of doing it might be the difference between making a profit and making a loss.

Network segregation was traditionally the first line of defense in security, and falling back to this approach is still a viable option. For example, on AWS each virtual network interface can have its own security group, which is a (simple to use) stateful firewall. Security groups are free and can be used to segregate services from one another.

Another great way to get some additional security at no additional cost is to put any services that don’t need to be public in a private subnet (one with no route to the Internet). This gives you some defense in depth: if someone accidentally opens up the wrong port on the security group, the service is still not reachable from the Internet.
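Here is a small Python model of those two layers, added as an illustration rather than code from this post: it decides whether a service is exposed to the Internet (route to an Internet gateway AND a security group rule admitting a public source) and whether one service can reach another inside the VPC (decided by the destination's security group, including security-group-to-security-group references). All ids, subnets and addresses are constructed placeholders.

```python
"""Added model of the two layers described above: a per-ENI security group plus a
private subnet with no route to the Internet. Ids and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    port: int
    cidr: Optional[str] = None    # source CIDR, or ...
    src_sg: Optional[str] = None  # ... a source security group id (service to service)

@dataclass
class SecurityGroup:
    sg_id: str
    ingress: List[Rule] = field(default_factory=list)

@dataclass
class Service:
    ip: str
    has_igw_route: bool  # does the subnet's route table send 0.0.0.0/0 to an Internet gateway?
    sg: SecurityGroup

def _sg_allows(sg, port, src_ip, src_sg):
    """Stateful SG: an ingress rule admitting the source implicitly allows the reply."""
    for r in sg.ingress:
        if r.port != port:
            continue
        if r.src_sg is not None and r.src_sg == src_sg:
            return True
        if r.cidr is not None and ip_address(src_ip) in ip_network(r.cidr):
            return True
    return False

def exposed_to_internet(svc, port):
    """Exposed only if BOTH layers fail open: a default route to an IGW and an SG
    rule admitting a public source (203.0.113.10 stands in for any Internet host)."""
    return svc.has_igw_route and _sg_allows(svc.sg, port, "203.0.113.10", None)

def reachable_between(src, dst, port):
    """East-west traffic inside the VPC is decided by the destination's SG alone."""
    return _sg_allows(dst.sg, port, src.ip, src.sg.sg_id)

# Constructed layout: public API, private worker. The worker's port-22 rule is the
# "accidentally opened port" from the post; the private subnet absorbs the mistake.
api_sg = SecurityGroup("sg-api", [Rule(443, cidr="0.0.0.0/0")])
worker_sg = SecurityGroup("sg-worker", [Rule(8080, src_sg="sg-api"), Rule(22, cidr="0.0.0.0/0")])
api = Service("10.0.1.10", True, api_sg)
worker = Service("10.0.2.20", False, worker_sg)
```

Note that the private subnet only blocks the Internet: the mistaken port-22 rule still admits any host inside the VPC, so the security group rule itself still needs fixing.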

There is another type of firewall, the network access control list (NACL), that controls traffic at the subnet level (also at no additional cost). However, NACLs can be tricky because they are stateless (return traffic on ephemeral ports has to be allowed explicitly), and they require a fair amount of network chops. It’s easy to make a mistake with ephemeral ports, and the end result might take days to debug.

If you really want to authenticate every request, which is good practice if you can afford it, you can tack that on later, when you are making a profit or have budget.

If you can’t avoid the cost associated with M2M authentication/authorization, it might be worth looking into companies like SuperTokens and Ory, which are disrupting the market by offering more cost-effective and/or open-source alternatives to Auth0.

Other options include AWS’s API Gateway combined with an authentication mechanism, or a traditional API gateway like Kong. Both can also be quite expensive compared to network segregation.

If you are B2B and need to integrate with other companies, you might have no choice but to use M2M authentication/authorization, particularly if your clients are regulated and/or risk averse.