“Improved security is typically one of the reasons for going to MACH and composable architectures. Some companies do it on the back of a security breach and we’re seeing more and more cases where a security incident is the trigger to make the step to a modern MACH setup.” - Filippo Conforti, Founder of Commerce Layer.
Today security stands as the top priority for enterprises, and rightfully so. It is paramount, even before the consideration of implementing new technology. Insufficient security erases all the positives that come with a new digital experience.
Today the biggest security threats come from cyberattacks, data breaches, and malicious software. According to PwC’s annual Digital Trust Insights research, cloud-related threats are the top concern for senior executives in the UK.
We get the question a lot: How secure is MACH? And how do I communicate its impact on our security posture internally?
MACH (Microservices, API-first, Cloud native SaaS, and Headless) software tends to have a higher level of security compared to legacy software, because it's generally written using more modern software architecture principles and infrastructure. MACH best practices include leveraging the best cloud security measures offered by Azure, Google, and AWS, to provide a strong framework for your applications to reside in. Plus, the compartmentalized setup that comes with a MACH approach creates secure barriers that minimize risks.
By 2027, more than 50% of core business applications will be built using composable architecture requiring a new security paradigm. [1]
As we move to a composable future, here are three important reasons why security is a key reason to go to MACH.
1. Compartmentalizing Risk Through Composability
MACH architectures are inherently more secure than monolithic architectures due to the compartmentalized nature of MACH. Dan McCormick, co-founder and CISO of Constructor.io says, “Ultimately security breaches involve data, and the great thing about MACH is that you can carefully control where the data goes. The ability to tightly control which vendors receive PII (personally identifiable information) for example is a huge advantage.”
With MACH it is possible to deploy only the APIs and components that are needed for a specific task. This allows system administrators to better control which services and applications can access data or resources. Since each microservice operates independently of the rest of the architecture on its own infrastructure stack, as opposed to the shared servers of legacy architectures, this greatly reduces risk: even if one microservice is compromised, that does not mean other parts are too. An attacker's ability to move laterally is severely limited.
Of course, organizations should be cautious that they are not inadvertently creating new attack surfaces during the transition from legacy to composable. A gradual transition allows organizations to better manage risks and maintain existing systems during the process. An important part of the transition is to scrutinize each vendor's security posture according to the risk of the data they're receiving.
“With more moving parts the surface area for attack becomes larger,” says Dom Selvon, CTO at Apply Digital. “However, given the more succinct nature of the applications and the fact that they are managed elsewhere, the net risk is reduced. Each moving part needs to be hardened and should be managed in terms of who can access them and what sort of data flows in and out. Usage of patterns such as a hexagonal architecture with its ports and adapters, API Gateways with their bot detection and rate limiting, and CDNs shelter the core services from external malicious actors.”
“When designing composable architectures, it is important to design your application with security in mind from the outset. Incorporate secure coding practices, robust authentication mechanisms, and appropriate access control measures. Grant the minimum necessary permissions to components and users to prevent unauthorized access or modification. This limits the potential impact of a security breach.”
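The two points above, controlling exactly which downstream vendor receives which data and granting each caller only the permissions it needs, can be enforced in code at the boundary where a service hands data to another component. The following is an added illustration, not code from Commerce Layer, Constructor.io or Apply Digital: a per-vendor data-flow policy that projects an order record down to the fields a vendor is allowed to see, checks the caller's scope before releasing anything, and produces an inventory of which PII fields reach which vendor. The vendor names, scopes, field names and the order record are all constructed for the example.

```python
"""Field-level data-flow control between composable services (illustrative)."""

# Constructed sample record as a checkout service might hold it (not real data).
ORDER = {
    "order_id": "ord-1001",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "shipping_address": "1 Main St, Springfield",
    "items": [{"sku": "SKU-42", "qty": 2}],
    "card_last4": "4242",
}

# Fields the organisation classifies as personally identifiable information.
PII_FIELDS = {"email", "phone", "shipping_address", "card_last4"}

# Hypothetical per-vendor policy: the only fields each downstream component may
# receive, and the scope a caller must hold to trigger the hand-off at all.
# Anything not listed here is denied by default.
VENDOR_POLICY = {
    "shipping-provider": {
        "allowed_fields": {"order_id", "shipping_address", "items"},
        "required_scope": "orders:ship",
    },
    "analytics": {
        "allowed_fields": {"order_id", "items"},
        "required_scope": "orders:read",
    },
    "email-service": {
        "allowed_fields": {"order_id", "email", "items"},
        "required_scope": "orders:notify",
    },
}


class PolicyViolation(Exception):
    """Raised when a hand-off would breach the data-flow or scope policy."""


def project_for_vendor(record, vendor, caller_scopes):
    """Return the subset of `record` that `vendor` is permitted to receive.

    Denies unknown vendors (no policy means no data) and callers that lack the
    scope the policy demands, so a compromised low-privilege component cannot
    push PII to a vendor it was never meant to talk to.
    """
    policy = VENDOR_POLICY.get(vendor)
    if policy is None:
        raise PolicyViolation(f"no data-flow policy defined for vendor {vendor!r}")
    if policy["required_scope"] not in caller_scopes:
        raise PolicyViolation(
            f"caller lacks scope {policy['required_scope']!r} needed for {vendor!r}"
        )
    # Allowlist projection: drop every field the policy does not name.
    return {k: v for k, v in record.items() if k in policy["allowed_fields"]}


def leaked_pii(payload):
    """List the PII fields present in an outbound payload (empty list is good)."""
    return sorted(PII_FIELDS & set(payload))


def pii_exposure_report():
    """Inventory of which PII fields each vendor can receive under the policy.

    This is the input to the vendor-risk review the text describes: a vendor
    that receives more PII warrants a closer look at its security posture.
    """
    return {
        vendor: sorted(PII_FIELDS & policy["allowed_fields"])
        for vendor, policy in VENDOR_POLICY.items()
    }


if __name__ == "__main__":
    for vendor, fields in pii_exposure_report().items():
        print(f"{vendor}: PII fields received = {fields or 'none'}")
    payload = project_for_vendor(ORDER, "analytics", {"orders:read"})
    print("analytics payload:", payload, "leaked PII:", leaked_pii(payload))
```

The policy table is the artefact worth reviewing during a migration: each row is one data flow to one vendor, so adding a component forces an explicit decision about what it may see, rather than inheriting whatever the monolith already had in memory.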
By 2024, Gartner states that 20% of Global 2000 CEOs will report an increased appetite for risk and improved resilience, both attributed to modular business redesign. [2]
2. Cloud-Native and Decoupled Protection
Cloud-native SaaS allows for the deployment of applications in a secure, scalable, and flexible manner, while a headless architecture decouples the front-end presentation layer from the back-end services, making it easier to secure both components.
Cloud-based hosting for all software parts - which is integral for MACH architecture - makes use of cloud vendor security features like firewalls, anomaly detection, investigation tools, and access control. This is typically leagues ahead of what traditional hosting solutions deliver.
Utilizing the built-in security of the underlying cloud platform is important as a starting point, so ask your MACH vendors about the security features they use. Access control, data control, encryption, and privacy need to be addressed across all components. Cloud platforms make use of encryption algorithms in order to protect data traffic during transfer between systems. In addition, they use pattern recognition to detect anomalous behavior, identify potential fraud or security threats, and provide near real-time alerts to help businesses to prevent or mitigate damage before it occurs.
“By leveraging cloud platform security features and tailoring them to our service and the data it contains, we can offer a level of customization and tuning that wouldn’t be available in a monolithic system. That makes it easier to detect anomalous behavior and protect the specific kind of data that our customers trust us with,” said Dan McCormick.
3. Security by Design
As a principle, SaaS providers take care of the maintenance and updates of the platform, and many enterprise level SaaS vendors also provide security expertise for their specific area. Providers can manage security for customers, including network security design, identity and access management, continuous monitoring, vulnerability scanning, and data loss prevention.
This reduces the risk of misconfiguration errors by someone not experienced with cloud technologies, and lets businesses leverage the deep knowledge of multiple security experts in their network.
No-upgrade SaaS delivery means security hotfixes and updates are automatically applied. This offers a huge advantage over legacy because it removes the burden from the end user to upgrade and implement hotfixes on receipt of an email from the legacy vendor. It also avoids the question whether anyone did a full quality assessment after they patched the legacy tool. Because the individual components are smaller, every incremental security patch also has less impact on the overall implementation. The result: It’s faster, zero effort and significantly less risk than with a monolithic environment.
In conclusion
Having a composable technology architecture can bring significant improvements to an organization's security posture. With a composable architecture, businesses have greater control and flexibility in managing their tech infrastructure and where their data is processed and stored, ensuring that it can be tailored to meet their specific security needs.
[1] Gartner®, Top Trends in Cybersecurity 2023, published 17 March 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
[2] Gartner strategic planning assumption taken from ‘Becoming Composable: A Gartner Trend Insight Report’, refreshed 12 January 2023, published 22 September 2021.