By Nathanael Coffing, CSO and co-founder of Cloudentity
We are thrilled to share that Cloudentity was featured in Gartner’s 2021 Hype Cycle for Identity and Access Management (IAM) Technologies. The report serves as a key resource for security and cloud architects who are researching which technologies to implement in order to expedite application delivery and free developers from the mire of legacy IAM platforms.
Cloudentity is highlighted throughout the report in critical categories, such as Application Programming Interface (API) access control and OpenID Connect, pushing the boundaries by orchestrating and enhancing the major industry players like Okta, Ping Identity, Auth0, Amazon Web Services and Microsoft.
Gartner identifies several critical shifts in the business-to-business-to-consumer (B2B2C) and API economy space, where externalizing identity, fine-grained authorization and consent become a critical part of controlling and governing how data is authorized to flow within API-connected partner and customer ecosystems.
The Baseline: Why Cloudentity is Critical to Your Enterprise Identity & API Strategy
The absolute bare minimum for API Access Control is an OAuth 2.0 authorization server. However, is the basic support of the standard enough to effectively address modern API Access Control challenges?
The answer is a resounding NO, and Gartner echoes this point of view in its latest Hype Cycle report. Modern architectural patterns (service mesh), the proliferation of APIs and services, modern communication patterns (user-to-machine and machine-to-machine), authorization externalization, privacy, the B2B and B2C API-driven partner economy, and centralization of policy with distributed enforcement all present a new set of challenges. These are not met by existing IAM and API gateway platforms and are unaddressed by a basic OAuth 2.0 authorization server.
Products must recognize APIs as first-class citizens, support open standards and deliver tools that seamlessly externalize and centralize authorization for modern architectures. Out-of-the-box integrations with existing infrastructure like API gateways and microservice mesh platforms are a must, as time-to-market matters more than ever. These are indispensable ingredients of today’s API authorization platform, delivering what Gartner terms more sophisticated authorization controls for APIs and microservices.
The Cloudentity Authorization Control Plane delivers on all the above and adds authorization governance, analytics, consent and carrier-grade scalability across the hybrid-cloud and multiple API gateways.
When considering how to protect existing APIs and exploring tools for accelerating the adoption of APIs, it’s critical to consider Gartner’s user recommendations, which are listed below.
- Use API access control to control which applications and people can access APIs, alongside API threat protection to detect and block attacks on APIs.
API access control and API threat protection are two distinct disciplines, and both contribute to overall API security. The role of API access control in API security is growing; it has been recognized in the Open Web Application Security Project (OWASP) API Security Top 10. It is authorization-heavy and includes fine-grained authorization for APIs.
Moreover, as Gartner wrote, API access control is about controlling which users and which applications can access which APIs. It is worth highlighting that this is not the same as authorization for the generic web resources or enterprise resources that many IAM products were originally built for. Retrofitting pre-API-era tools to handle API access control does not deliver the anticipated outcomes.
- Approach API-based app development with both API threat protection services (such as WAFs) and DDoS protection as well as advanced API access control capabilities.
Using API access control jointly with the other security software already in place, especially API threat protection software, gives above-average results. When selecting an API access control product, it is important to make sure that it can integrate with API threat protection software. In addition, it is desirable for the API access control tool to be able to collect a feed about API usage from API gateways and microservice mesh platforms and to use the outcomes of that analysis in policy decisions.
- Investigate IAM tools that provide converged IAM features for APIs, and at least some “lightweight” API gateway capabilities such as token validation services and centralized authorization, for example.
Indeed, many or most IAM products have not been built with API access control in mind. Many do not integrate seamlessly with API gateways, and most do not integrate with microservice mesh platforms at all. This is not surprising: such integration was never an original objective for these products, because those components did not exist on the request path in the pre-API era.
The token validation service mentioned by Gartner is the bare minimum, and it is commonly provided by authorization servers and API gateways. API access control undoubtedly starts with token validation, but in reality it requires much more advanced authorization. All in all, it is worth investigating whether the IAM tool you are using is capable of satisfying such requirements.
- Phase out proprietary methods for API access control.
The scope of API access control is vast. Phasing out any custom solution is highly recommended, as a custom solution is unlikely to be the right tool to cover this entire scope.
- Create and implement an effective API security strategy that looks beyond just API threat protection and that also includes API access controls.
An API strategy that encompasses API access controls of diverse granularity, at both the token-minting and the endpoint level, is extremely important. The proliferation of APIs and the resulting fragmentation of API authorization policies create a need for API authorization governance, which must be part of the strategy.
- Provide IAM training for developer and security staff, highlighting API access control.
Authorization externalization may still be a leap for certain developers. This approach not only increases API security and drastically improves API authorization governance, but also increases engineering teams’ velocity when it comes to implementation. Highlighting the value of API access control and emphasizing why it is important to externalize it is of great importance.
- Deploy API access control enforcement points as close as possible to the service being protected. This will enable defense in depth.
Centralized authorization control with distributed enforcement, aligned to various application architectures, is a necessary capability of any modern API access control platform. This is an area not really covered by pure-play authorization servers. Even though enforcement points are rarely part of authorization platforms for APIs, such platforms should provide out-of-the-box integration options with enforcement points and, more importantly, move decision making closer to the enforcement points whenever possible to minimize request-path latency.
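To make concrete the distinction drawn above between the token validation that gateways and authorization servers commonly provide and the fine-grained, endpoint-level authorization that API access control actually requires, here is an added illustrative example. It is not code from the report or from Cloudentity: the HS256 token minting, the shared key, the route policy table and the account ownership table are all constructed for the example. The first stage checks only what a token validation service checks (signature, expiry, audience); the second stage makes a per-request decision that also considers the requested scope and whether the caller owns the addressed resource, which is the class of authorization failure the OWASP API Security Top 10 highlights.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. A real deployment would fetch verification keys from
# the authorization server (e.g. its JWKS endpoint) instead of embedding them.
DEMO_KEY = b"demo-shared-secret-not-for-production"
API_AUDIENCE = "https://api.example.test"   # constructed audience value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT so the example runs offline (constructed helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, key: bytes = DEMO_KEY,
                   now: Optional[float] = None) -> Optional[dict]:
    """Stage 1: coarse token validation as a gateway would do it.
    Checks signature, algorithm, expiry and audience; returns claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject "none" / alg confusion
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("aud") != API_AUDIENCE:
        return None
    return claims


# Constructed endpoint-level policy: required scope per route, and whether the
# caller must own the resource addressed by the request.
ROUTE_POLICY = {
    ("GET", "/accounts/{id}"): {"scope": "accounts:read", "owner_only": True},
    ("POST", "/transfers"):    {"scope": "transfers:write", "owner_only": False},
}

# Constructed ownership table standing in for a data-store lookup.
ACCOUNT_OWNERS = {"acct-1": "alice", "acct-2": "bob"}


def authorize_request(claims: dict, method: str, route: str,
                      resource_id: Optional[str] = None) -> Tuple[bool, str]:
    """Stage 2: fine-grained decision per request, after token validation.
    A syntactically valid token is not enough: scope and ownership must match."""
    policy = ROUTE_POLICY.get((method, route))
    if policy is None:
        return False, "no policy for route"
    granted = set(claims.get("scope", "").split())
    if policy["scope"] not in granted:
        return False, f"missing scope {policy['scope']}"
    if policy["owner_only"] and ACCOUNT_OWNERS.get(resource_id) != claims.get("sub"):
        return False, "caller does not own resource"
    return True, "permit"


def handle(token: str, method: str, route: str,
           resource_id: Optional[str] = None,
           now: Optional[float] = None) -> Tuple[int, str]:
    """Enforcement point: 401 on token failure, 403 on policy denial."""
    claims = validate_token(token, now=now)
    if claims is None:
        return 401, "invalid token"
    allowed, reason = authorize_request(claims, method, route, resource_id)
    return (200, reason) if allowed else (403, reason)


if __name__ == "__main__":
    now = 1_700_000_000
    alice = mint_token({"sub": "alice", "aud": API_AUDIENCE,
                        "scope": "accounts:read", "exp": now + 600})
    print(handle(alice, "GET", "/accounts/{id}", "acct-1", now=now))  # own account
    print(handle(alice, "GET", "/accounts/{id}", "acct-2", now=now))  # bob's account
    print(handle(alice, "POST", "/transfers", now=now))               # missing scope
```

The point the example makes is that every request in the second and third calls carries a perfectly valid token and would pass a gateway's token validation, yet should still be refused; that refusal can only come from a policy decision that knows the endpoint, the scope it requires and who owns the resource, which is why the decision logic is kept separate from token validation and can be placed next to the service it protects.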
The Future of API Access Control
Amid a shift to hybrid work, API access control has become mandatory for enterprises for proper authentication and authorization. Cloudentity’s approach to API access control mitigates risk with fine-grained authorization policy management and delivers continuous transaction-level security enforcement across hybrid and multi-cloud environments. With these security guardrails in place, enterprises can accelerate software developer productivity and increase innovation all while maintaining security proficiency, allowing enterprises to remain agile while mitigating privacy, API security and compliance risks.
This new Hype Cycle reflects the maturation of IAM authentication technologies that deliver essential security, risk management and business value for customers and the workforce. As organizations look to the future, security architects and IT teams must prioritize adopting cloud-first solutions that are scalable and support remote working. They must also enable identity-first security for both virtualized and legacy environments, and increase consistency and visibility into distributed identity systems, applications, and users. This may sound like a daunting task, but with the automated tools for authorization governance, the process becomes streamlined across the enterprise.
To download the report, visit the Gartner website here.
To learn more about Cloudentity’s Authorization Governance Automation solutions for API access control, please visit https://cloudentity.com/.