The Transformation of the API Gateway into a Critical Cybersecurity Tool
The roles played by API gateways and management systems are growing. Where just a few years ago, an API gateway arbitrated ingress onto monolithic apps inside the enterprise, today’s picture is much more complex.
API gateways now manage east-west traffic between modularized application components (from compiled application to database instances to public cloud services), and APIs are an integral part of every microservice-based application. In fact, it’s safe to say that containers would presently only be a developer’s plaything — just a “neat idea” — without careful management of the data plane.
Because of the integral role APIs and their management systems play, this feature of every enterprise’s network has a critical role to play in securing the wider enterprise. A new generation of security brokerage systems is now commonly found at the network edge, acting as the canonical source of security policy for all users, devices, applications, and services wherever they may be. SASE (pronounced “sassy”) may be a new buzzword, but the technology making up its constituent parts is not necessarily new. At every level of a SASE, from high-level security policy to data flows, API management plays a vital role in the grand scheme of zero-trust cybersecurity provisions.
Enforcing internal API policy is as important as arbitrating ingress from outside the enterprise network. That’s a spreading of focus that’s largely aligned with cybersecurity’s change in emphasis from perimeter protection to a more endpoint-based set of security policies.
With CIOs of larger organizations probably unaware of the extent of the many thousands of applications in use across the entire enterprise, managing even the basic minutiae of keys, tokens, and access levels cannot be done piecemeal. API gateway and management systems continue to play their role in data movements but are increasingly important as security arbitrators in zero-trust environments.
It’s vitally important, therefore, that API gateway devices (or software abstractions of hardware devices) have at least some, and preferably all, of the following capabilities:
– manage the keys or tokens used by the authorization logic, and decide authentication and authorization by user, group, time, contents of data flows, privilege level, and location.
– offer secure self-service for contractors, developers, SREs, and QA testers.
– oversee and be the source of highly granular security settings for all parts of the network, that is, act as both the data and control planes, or…
– …pass on those authorization settings as dictated by other platforms, ensuring interoperability with existing security systems (an Active Directory schema, as a simplistic example).
– support industry-standard RESTful and SOAP APIs, and be able to extend these on a bespoke basis if required.
– be extensible, fast, and inherently secure.
Here at Tech HQ, we’re looking at three providers of API management technology capable of deployment at scale and that will not introduce extra layers of complexity that need managing. Similarly, the products we feature will not create bottlenecks because they represent legacy technology that’s been hastily reconfigured for a microservice and multi-cloud world. In short, they are platforms that are enterprise-ready and fit for purpose.
Nevatech’s Sentinet solution offers a unique ability to create authorization configurations via a simple drag-and-drop GUI while building complex policies that are highly granular. For example, Sentinet’s Access Rules for managed APIs can be configured according to caller identities, message content, privilege levels, subnets, VLAN segments, API usage metrics, and date/time schedules — among many other variables.
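The capability list above (authorization by user, group, time, content of data flows, privilege level, and location) and the Sentinet access-rule variables just described (caller identity, message content, privilege level, subnet, schedule) amount to the same thing: attribute-based access rules evaluated in front of the API. The following is an added illustration of such an evaluator, written for this article; it is not Sentinet’s code or any vendor’s product logic. The rule fields, the privilege scale (0 = lowest, 3 = admin), the sample rules, and the sample requests are all constructed assumptions.

```python
"""Hypothetical deny-by-default access-rule evaluator for an API gateway (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    caller: str
    groups: Set[str]
    privilege: int              # assumed scale: 0 = lowest, 3 = admin
    source_ip: str
    method: str
    path: str
    body: Dict[str, object]
    at: datetime


@dataclass
class AccessRule:
    name: str
    path_prefix: str
    methods: Set[str]
    groups: Optional[Set[str]] = None              # caller must be in one of these; None = any group
    min_privilege: int = 0
    subnets: Tuple[str, ...] = ()                  # allowed source networks; () = any source
    window: Optional[Tuple[time, time]] = None     # allowed local time window [start, end)
    forbidden_fields: Set[str] = field(default_factory=set)  # body keys that must not be present


def _check(rule: AccessRule, req: Request) -> Optional[str]:
    """Return None when every condition of the rule holds, else the name of the first failing one."""
    if not req.path.startswith(rule.path_prefix):
        return "path"
    if req.method not in rule.methods:
        return "method"
    if rule.groups is not None and not (req.groups & rule.groups):
        return "group"
    if req.privilege < rule.min_privilege:
        return "privilege"
    if rule.subnets and not any(ip_address(req.source_ip) in ip_network(n) for n in rule.subnets):
        return "subnet"
    if rule.window is not None:
        start, end = rule.window
        if not (start <= req.at.time() < end):
            return "schedule"
    hit = rule.forbidden_fields & set(req.body)
    if hit:
        return "content:" + ",".join(sorted(hit))
    return None


def authorize(rules: List[AccessRule], req: Request) -> Tuple[bool, str]:
    """Allow only if some rule applies to the path/method and passes every condition; otherwise deny.

    The returned reason is meant for the gateway's audit log, so the denied caller never sees it.
    """
    failures = []
    for rule in rules:
        failed = _check(rule, req)
        if failed is None:
            return True, "allowed by " + rule.name
        if failed not in ("path", "method"):     # rule applied, but one of its conditions failed
            failures.append(rule.name + ":" + failed)
    reason = "denied (" + "; ".join(failures) + ")" if failures else "denied (no matching rule)"
    return False, reason


# Constructed sample rules: read access from the corporate range, refunds only by
# privileged support staff, from one subnet, in office hours, and never with raw card data.
RULES = [
    AccessRule("orders-read", "/orders", {"GET"}, groups={"sales", "support"},
               subnets=("10.0.0.0/8",)),
    AccessRule("orders-refund", "/orders", {"POST"}, groups={"support"}, min_privilege=2,
               subnets=("10.20.0.0/16",), window=(time(8, 0), time(18, 0)),
               forbidden_fields={"card_number"}),
]

DAY = datetime(2022, 11, 30, 10, 0)
NIGHT = datetime(2022, 11, 30, 22, 0)

# Constructed sample requests covering each condition.
SAMPLE_REQUESTS = {
    "sales-read": Request("alice", {"sales"}, 1, "10.1.2.3", "GET", "/orders/42", {}, DAY),
    "refund-ok": Request("bob", {"support"}, 2, "10.20.5.7", "POST", "/orders/42/refund",
                         {"amount": 10}, DAY),
    "refund-night": Request("bob", {"support"}, 2, "10.20.5.7", "POST", "/orders/42/refund",
                            {"amount": 10}, NIGHT),
    "refund-card": Request("bob", {"support"}, 2, "10.20.5.7", "POST", "/orders/42/refund",
                           {"amount": 10, "card_number": "4111111111111111"}, DAY),
    "read-offnet": Request("carol", {"sales"}, 3, "192.168.1.9", "GET", "/orders", {}, DAY),
}


def evaluate_all() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed request through the rules; handy for an audit-log dry run."""
    return {name: authorize(RULES, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, why) in evaluate_all().items():
        print(f"{name:13s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

Two design points carry over to any real gateway: the decision is deny-by-default (a request that matches no rule is refused, so a forgotten route is never silently open), and every denial carries a machine-readable reason for the audit trail while the caller only ever receives the verdict.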
It’s also an extensible platform capable of using custom plug-ins that can further extend authorization with any custom logic.
At the level of data, API calls can be configured to hide or show sensitive information, with full or partial logging — a critical aspect of data security compliance.
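The full-or-partial logging just mentioned is a redaction step applied to request and response data before it is written to the gateway’s logs. Below is an added example of that step, written for this article and not taken from Sentinet or any other product; the field-to-mode policy, the masking format, and the sample headers and body are constructed assumptions.

```python
"""Hypothetical log-redaction step for an API gateway (added example)."""
import json
from typing import Any, Dict

# Assumed per-field logging policy: "hide" replaces the value entirely,
# "partial" keeps only the last four characters (enough to correlate, not to reuse).
LOG_POLICY = {
    "password": "hide",
    "authorization": "hide",
    "card_number": "partial",
    "ssn": "partial",
}


def _mask(value: Any, mode: str) -> str:
    text = str(value)
    if mode == "hide":
        return "[REDACTED]"
    # partial: star out everything but the last four characters
    keep = text[-4:] if len(text) > 4 else ""
    return "*" * (len(text) - len(keep)) + keep


def redact(obj: Any, policy: Dict[str, str] = LOG_POLICY) -> Any:
    """Return a redacted copy of obj; keys match case-insensitively at any nesting depth.

    The original object is left untouched so the request itself still reaches the backend intact.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            mode = policy.get(str(key).lower())
            out[key] = _mask(value, mode) if mode else redact(value, policy)
        return out
    if isinstance(obj, list):
        return [redact(item, policy) for item in obj]
    return obj


def log_line(direction: str, headers: Dict[str, Any], body: Any,
             policy: Dict[str, str] = LOG_POLICY) -> str:
    """Build one JSON audit-log record with sensitive fields already masked."""
    record = {"dir": direction, "headers": redact(headers, policy), "body": redact(body, policy)}
    return json.dumps(record, sort_keys=True)


# Constructed sample traffic.
SAMPLE_HEADERS = {"Authorization": "Bearer example.token.value", "Content-Type": "application/json"}
SAMPLE_BODY = {
    "user": "alice",
    "password": "hunter2",
    "payment": {"card_number": "4111111111111111", "amount": 42.5},
    "items": [{"sku": "A1", "ssn": "123-45-6789"}],
}

if __name__ == "__main__":
    print(log_line("request", SAMPLE_HEADERS, SAMPLE_BODY))
```

Matching keys case-insensitively matters because HTTP header names arrive in any case, and redacting recursively matters because the sensitive value is rarely at the top level of the payload.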
Nevatech is also unique in that its solution separates authentication schemes from specific authorization logic, allowing teams to think about the effect of both on overall API security.
Equally at home in the cloud as it is on-premises, and available as a VM or a physical hardware device, the Sentinet platform is our favored choice for this increasingly important aspect of today’s digital businesses: their safety and operational stability alike. With a self-service customizable portal designed specifically for developers, Sentinet is the ready-to-roll API management platform of choice.
The Amplify platform from Axway sits among the company’s other offerings, ranging from simple file exchange mechanisms to internal API automation redolent of RPA functions. However, as a platform in its own right, Amplify provides companies with a single source of information as to the existing API assets, wherever they may be in a distributed environment.
Any team or service that publishes API access can secure, track, and monitor its assets as part of legacy or new applications and services. Conversely, consumers can use the same discovery methods to subscribe to and interact with APIs inside the business or those opened for external use.
At the heart of Amplify is the API catalog, the source of detailed information about each API asset for internal, external, SecOps, DevOps, or NetOps use. This catalog is no static, read-only library; instead, it adapts in real time, constantly discovering and monitoring across the entire network.
To learn more about the Amplify Catalog, the Amplify platform, and Axway itself, click through here to read more.
The NGINX web serving platform recently (this year — 2021) became the most widely used platform, overtaking the old stalwart Apache Web Server in the number of install instances.
As well as the web serving capabilities, many will know it as the go-to platform as the world’s most reliable reverse proxy, sitting just behind routers and firewalls the world over.
But it’s in API management that NGINX is most numerous in terms of the number of installations. That’s in no small part down to containerized applications and services, where NGINX will be found arbitrating traffic between individual containers, in virtualized networks, and between discrete applications and services in the cloud — or wherever cloud-native technologies are to be found.
In the guise of NGINX Plus and NGINX Controller, F5 Networks (which acquired NGINX in 2019) has successfully monetized what remains a fiercely proud open-source project, one that remains free to use for simpler network deployments.
To read more about NGINX’s API management capabilities in free and paid-for guises, click here.
*Some of the companies featured in this article are commercial partners of TechHQ