These days, the most common way for services to communicate and transfer data is by using APIs.
However, broken, exposed, or hacked APIs are the cause of some of the latest major data breaches, as they have the potential to expose sensitive data for public consumption.
Securing your APIs is important, and we take it seriously – Imperva offers a solution called API Security, which among other benefits, builds a positive security model in order to ensure that only the traffic you want accessing your API is allowed and all of your API endpoints are protected as soon as they are published. API Security is also a part of the Imperva Application Security suite.
Continuously securing every endpoint and staying up-to-date with recent deployments can introduce serious overhead. Every time an API is updated, API Security needs to be notified about the change so that it can update the model and accurately protect your endpoints.
One way to achieve this is by manually providing a Swagger file that describes the API configuration. Like many manual procedures, this one is error-prone. It also poses an orchestration bottleneck between security, DevOps, and developer teams, due to the fact that different people are often in charge of developing and securing the APIs.
Amazon Web Services and API Security
To solve this challenge, we have developed a solution that automates the retrieval of the Swagger file. Currently, it has only been implemented for Amazon Web Services (AWS), but the same principle is applicable for other cloud providers as well.
AWS offers a platform for API Management called Amazon API Gateway, which makes it easy to define, deploy, share, and operate APIs. Deploying or updating an API is made quick and simple through the use of Amazon API Gateway’s serverless developer portal, allowing hundreds of API changes to be deployed each day. As mentioned above, securing each of these deployments will involve some overhead and our goal in this feature is to eliminate that overhead by securing the deployments in a quick, automatic way.
In our solution, the user starts in our Cloud Accounts Management service, which creates the user’s account in Imperva’s Cloud Application Security system. Once an account has been set up with Imperva, a CloudFormation Template is generated. Then, the user is directed to the AWS CloudFormation console, logged in to the user’s AWS account, and is prompted to deploy a stack.
The deployed stack consists of:
- Creating a Trail using CloudTrail, which logs Amazon API Gateway actions into an S3 Bucket.
- A CloudWatch Events Rule, which is triggered when deployment changes in Amazon API Gateway are detected.
- A Lambda Function, which retrieves the Swagger file and finally, sends it to Imperva via SNS.
Once an update is received on our end, it is pushed into a Kafka queue, from which it will be read by relevant Imperva Application Security services (in this case, API Security only).
Once the stack is deployed successfully – that’s it! You can start working and forget about updating Imperva for every change. Don’t worry, we got this.
A Quick and Simple Configuration
From start to end, the solution should be fully configured within a couple of minutes. With this solution, every single change that is deployed to Amazon API Gateway will be instantly and seamlessly sent to API Security and will be fully configured and secured in a matter of seconds.
Our solution has been designed with minimal cost in mind, utilizing the AWS pricing slogan – you only pay for what you use. No deployments equal no charge.
In the future, we plan to implement this mechanism for other cloud providers as well.
With this solution, we introduce a new level of responsiveness when it comes to securing your APIs. Less overhead, less orchestration, and faster deployments.