API Security? Your API Gateway is not enough.

In a review of the API Threat landscape and OWASP API top 10 one finds a diverse spectrum of threats across variety of disciplines including Identity, Inspection, Policy Management, Enforcement and Audit. Unfortunately, a similar review of architecture teams reveals a complex problem.  Architecture teams are expecting API Gateways to provide security protection mechanisms to the APIs they host. Unfortunately, most enterprises quickly learn that API gateways perform a number of functions very well.  Traffic routing, load balancing, API lifecycle management, all come to mind. But what they don’t do well is protect APIs against the most common API threats

When looking at current API Gateways options, we find the focus has been on protecting the perimeter of the network with coarse grained inspection and traffic-rate policy management to inform that enforcement. This results in a lack of security controls required for securing APIs.  Things like Object and Function Authorization, Strong authentication Data awareness with granular audit where it’s needed most, inside your applications environment, where critical services and data are exposed.

Identity MgtInspectionTraffic Policy ManagementEdge Gateway EnforcementService Ingress/
Egress
Enforcement
Privacy/Consent
Object level Authorization
Cloudentity
Apigee Sense
42 Crunch
Elastic Beam
Salt Security

It’s why Cloudentity exists, as we believe that API security requires more than traffic policy management and coarse grained enforcement.

Identity Management

APIs are where cyber security meet identity management.  Within an API there’s a requestor (often on behalf of a user) a service (API) and the data that’s being passed.   All of these entities in the transaction require unique identity and authorization; without identity, compliance and enforcement mandates cannot be met effectively and without Authorization there’s a free for all on your APIs reminiscent of Cambridge Analytica and Faceboook.

Users need the ability to self-manage, services need to communicate securely with other internal and external APIs, and the processes that provide this security need to seamlessly accommodate new users and services in a rapidly changing ecosystem. Traditional IAM models have focused on users, Policies, and roles, which met the needs of web applications in years past but as application development has evolved to APIs, a new approach to identity management is required. It’s no longer just users, roles, and permissions. APIs must be integrated into the identity and access management framework in order to ensure adequate governance and security.

Inspection

Tools for inspection and verification of credentials are not created equally. Having an authorization service that supports OIDC coupled with distributed policy decision points—like Cloudentity’s Authorization Control Plane—provides the fastest, service level token verification and authorization. Traditional API gateways require a round trip to the centralized gateway to validate tokens and a second trip to retrieve critical policy and/or User information, causing substantial latency in authorization and creating a frustrating user experience. Slow load times, particularly during critical steps in a customer journey, often leads users to abandon the transaction entirely.

Policy Management

Legal compliance and sophisticated exploits are pushing the need for more complex, comprehensive security policies. Security frameworks like “ZeroTrust” and “CARTA” have been developed to provide guidance to security leaders looking to adapt. But that added complexity often comes at the expense of the customer Experience. Requiring users to enable MFA for trivial and low risk tasks like checking an account balance can feel unnecessary and even jarring to a user. This is where the “contextually” aware approaches to security become necessary, helping to balance the necessity of complex security with the need for frictionless customer experiences. API security solutions that are contextually aware—that is able to analyze variables like location, time of day, reputation, behavioral anomalies and transaction details—provide for smarter approaches to security that don’t compromise on user experience. It’s why we partnered with Signal Sciences: the more security data available, the more context for authorization.  Pairing these contextually aware security signals with identity providers or identity services—like Cloudentity’s Digital Identity Plane—allows policies to become more flexible allowing for granular risk resolutions such as requiring enhancing audit or only requiring MFA for high-value transactions.

Edge Gateway Enforcement

Traditional API Gateways are  handled at the perimeter of an organizations network or even outside the network for hosted API gateways.  The API security gateway recognizes the need for managing multiple targets at a single API endpoint while seamlessly fitting into the East/West core security model. When a transaction comes through Edge, it is signed generating an end to end  tamper proof audit trail, and it serves as a translation and migration tool from traditional API gateways to the service MicroPerimeter™ pushing policy decisions, audit, and privacy to the service edge.

Service Ingress and Egress Enforcement

Edge enforcement leaves your internal network open to internal attacks such as the point of sale (POS) exploit involving Target, The Home Depot, and other major retailers. They were all compromised by exploits deployed inside their company’s networks, providing  the attackers lateral movement to more sensitive data including consumer and credit card data.  The same occurs with API services today.  APIs operate with little oversight inside critical infrastructure and beyond the inspection of edge protections. This is why we built our MicroPerimeter™ Sidecar, to add protection at each service.  It inspects all traffic from a service, both inbound AND outbound, meaning even if a service becomes compromised, the breach stops there—it won’t be able to communicate with other services or devices.

Tamper Proof Audit

The ability to focus at a data object level and add protection at the service level provides for the creation of a digital signature of each transaction, creating a tamper proof, end to end audit of every transaction.  This includes a transaction ID that allows you to see which user called which service which in turn called other services, giving companies the insight they need to understand the scope of a breach and limiting exposure under privacy and compliance laws in the event of a breach. Being able to investigate the source and cause of unauthorized data access is a necessary part of complying with mandatory reporting periods dictated by major privacy legislation such as GDPR and CCPA. Traditional API Gateway security approaches fall short in this area inspecting traffic at the perimeter but losing site and it decomposes into service to service communication.

Data Level Access Enforcement

Data is more complex than Resources and Verbs (e.g. GET /dogs) and modern data access rules need to support granting permission at the data object level, for example, a patient releasing records to another healthcare provider.  As APIs become used for sensitive data sharing and collection, it’s necessary for fine-grained permission services to enforce access at the record level integrating that with a user’s consent that can also be recorded and enforced. Understanding where a request, approval and revocation are all tracked and verified, not only keeps the data secure, but provides full auditability for who had access to what data, when they had it, and where to remove data when requested. This granular approach to security and permissions is not part of traditional API Gateways, despite the fact that PII and HIPPA sensitive data is increasingly transmitted at the API-level.

In Short…

Although APIs have been around for many years, their popularity and use in web applications has increased exponentially over the last several years as companies adopt cloud computing. Advancements in speed, scale, and performance have driven more applications to be API-first in their approach and have led security teams to look for new ways to secure all of these connections from malicious use and attack—without hindering developers in their desire to innovate and deploy quickly. Recognizing that APIs serve as the “heartbeat” for modern applications, it’s important to understand what tools exist in the market and how they keep your APIs secure. API Gateways are an absolute necessity for managing your APIs, but on their own they fall short in providing continuous, adaptive security.

Interested in learning how Cloudentity can boost your API security efforts without compromising the developer or user experience? Sign up for a demo today.