To build and deploy apps in a fast-paced, iterative process, cloud-native developers in organizations on the digital transformation journey rely on APIs for communication. With at least 90% of developers using APIs in cloud-native web application development, organizations are reviewing their API security strategies to ensure that security moves in lockstep with innovation. Organizations need to know how to address the new risk gaps that accompany the innovations powered by APIs. In the same way that many organizations deploy a Web Application Firewall (WAF) in front of their API gateways, an API security solution is needed to protect against sophisticated attacks on your APIs. In this post, we explain what access-management security API gateways provide, and why you need a robust API security solution, regardless of what your API Management Solution offers, to achieve your software development goals.
API gateways provide some access management security
API gateways and API security solutions play different roles. API Access Management Gateways are commonly offered as part of an API Management Solution. Many gateways include an extensive list of API management functions, such as data transformation, call routing, and queuing, that are not commonly recognized as security functions. Security-related features of API Access Management Gateways are usually focused on access authentication/authorization, some level of rate-limiting, and call validation. Here are some specifics:
- Serving as an inline proxy point of control over APIs.
- Verifying the identity associated with API requests through credential and token validation, as well as other authentication means.
- Authorizing API calls and routing them to front-end endpoints and backend services.
- Metering the traffic flowing through the APIs using rate limiting and throttling.
- Many API gateways installed on-prem allow extensions and provide additional logging and custom policy enforcement.
Access management is usually the first and most basic requirement for a business application exposing APIs externally. So much so that Dev/DevOps teams implement an API Access Management Gateway as part of the API infrastructure in much the same way an Application Delivery Controller or load balancer used to be deployed.
Securing access to APIs does not mean the APIs are protected against all API abuses; far from it. For example, all major Cloud Service Providers offer API Gateway products, and all of them recommend deploying a Web Application Firewall (WAF) in front of the API Gateway to protect applications against known web attacks that can also affect APIs (e.g. Log4j injection). In addition, as application-specific API attacks against business logic and data intensify, organizations must take a new approach to protecting them.
A one-stack approach to protecting all APIs
As we discussed, API gateways and API security serve different security purposes. API gateways only monitor the endpoints and do not automatically discover each API’s full schema. More critically, an API gateway is capable of neither identifying nor classifying the data that flows through the API. API abuses and related data breaches are predicted to nearly double by 2024. Gaining full visibility into the APIs on which your organization relies is a prerequisite for protecting them from cyber-attacks and bucking this troubling trend. Just as full visibility of data repositories is the critical first step in database security, full visibility of APIs is the first step in ensuring compliance and protecting sensitive personal data from abuse.
Because API gateways are part of an API management system that depends on the organization’s web application firewall (WAF), they may only secure “north/south” API traffic, the traffic that passes through the WAF. They cannot secure “east/west” API traffic, the communication between servers, containers, and services, which does not pass through the WAF. As a result, the organization may be exposed to man-in-the-middle (MITM) attacks, injection attacks such as cross-site scripting (XSS) and SQL injection (SQLi), in which malicious input is inserted into a vulnerable program to stage an attack, or DDoS attacks, in which an attacker tries to overwhelm a web API.
While the API gateway element of your API management system delivers important capabilities such as access control, defending against the OWASP API Security Top 10 requires an API security solution.
API security provides defense-in-depth for APIs
In an interview with HostingAdvice.com, Tim Chang, Global VP, Imperva, explained how Imperva API Security provides “continuous protection of API inventories by enlisting automation and machine learning to detect and classify changes to sensitive data to determine threats and risks”.
Imperva API Security provides protection that is not dependent on any one gateway. While the service offering can be quickly deployed by Imperva Cloud Web Application Firewall (WAF) customers, DevOps and DevSecOps teams can easily deploy Imperva API Security as a standalone solution in any legacy or cloud-native environment.
With a single solution, Imperva API Security protects both public-facing and backend APIs without slowing down development teams. It works across legacy, hybrid, and cloud-native environments, including Kubernetes, legacy monolithic apps, standalone microservices, web proxies, and API gateways that integrate with other existing infrastructure.
Imperva API Security quickly detects REST APIs to enable the creation of a positive security model. The solution automatically updates API inventories to ensure security teams keep pace with developers who frequently modify APIs in production.
As organizations gain visibility beyond the API endpoint and into each API’s underlying payload, business leaders in highly regulated industries can more rigorously enforce an API governance model and stop potential data breaches.
API Security is a pillar of a greater security strategy
Managing and securing APIs from a single platform is critical to gaining essential security insights. If you do not have visibility into the full schema, or into changes that have been made to the schema, you will not know whether an API has been compromised or what data it is accessing. Imperva API Security enables the creation of a positive security model, built from an organization’s own OpenAPI specifications, which removes the burden of specification validation from DevOps and the validation load from applications at runtime. Imperva API Security integrates seamlessly into the API lifecycle management process via CI/CD tools or leading API management vendors. Every addition or change to an API made by development teams is automatically updated within the overall security strategy, preventing the usual security bottleneck in API deployment.
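To make the positive security model described above (and the schema visibility gap noted in the earlier section on API gateways) concrete, here is an added example, not Imperva’s code or any product’s implementation: a deny-by-default request checker built from a small, constructed OpenAPI-style spec fragment. Requests that match a documented path, method, parameter types and body fields are allowed; undocumented (“shadow”) endpoints, extra fields and wrong types are rejected with a reason. The spec, paths and field names are hypothetical.

```python
import re

# Constructed OpenAPI-style inventory (hypothetical API, not from the post).
# Types stand in for the JSON schema "type" of each parameter or body field.
SPEC = {
    "paths": {
        "/users/{id}": {
            "get": {"params": {"id": int}},
            "patch": {"params": {"id": int}, "body": {"email": str, "name": str}},
        },
        "/orders": {
            "post": {"body": {"sku": str, "qty": int}},
        },
    }
}

def _match_path(spec_path, actual_path):
    """Return path-parameter values if actual_path fits the templated spec path, else None."""
    pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", spec_path) + "$"
    m = re.match(pattern, actual_path)
    return m.groupdict() if m else None

def _typed(value, typ):
    """Type check that also accepts integer path segments arriving as strings."""
    if typ is int:
        return (isinstance(value, int) and not isinstance(value, bool)) or \
               (isinstance(value, str) and value.isdigit())
    return isinstance(value, typ)

def check_request(method, path, body=None):
    """Return (allowed, reason). Anything not in SPEC is denied by default."""
    for spec_path, ops in SPEC["paths"].items():
        params = _match_path(spec_path, path)
        if params is None:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, f"method {method} not documented for {spec_path}"
        for name, typ in op.get("params", {}).items():
            if not _typed(params[name], typ):
                return False, f"path param {name} is not {typ.__name__}"
        schema = op.get("body", {})
        body = body or {}
        extra = sorted(set(body) - set(schema))
        if extra:  # undocumented fields are a common sign of schema drift or probing
            return False, f"undocumented body fields: {extra}"
        for name, typ in schema.items():
            if name in body and not _typed(body[name], typ):
                return False, f"body field {name} is not {typ.__name__}"
        return True, "matches spec"
    return False, f"shadow endpoint: {path} not in inventory"
```

In practice the spec would be loaded from the team’s real OpenAPI file in the CI/CD pipeline, so that every documented change updates the allow-list automatically.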
Join us to learn more about API trends, terms, key use cases, and what key capabilities your Security and DevSecOps teams need to protect your enterprise data. We will have Chris Rodriguez, Research Director from IDC’s Security & Trust practice kicking off the session with his industry insights. Then, Imperva’s Head of API Security Lebin Cheng will share what customers are saying about API security.
Join us on March 30 and learn about:
- The trends driving rapid adoption of APIs and the emerging risk surface that results from an outdated API inventory
- Where application security fits in protecting APIs and reducing risks
- Which tools are best to cover each part of the OWASP API Top 10
- A strategy to discover and classify every API in and out of production
- Hear from two industry experts on API Security and how APIs have become the lingua franca of the Internet today, and why you need to act quickly to prevent data breaches.
Reserve your spot today.