API gateways' security rules are called policies. Policies can be activated on proxies and implement specific controls to address the different threats. Proxies are logical containers for all the pre- and post-processing that client requests may require before they reach the service itself.
Following ApiAcmeConsulting's suggestion, Michael also instructs his team to integrate the API gateway with their SOC (Security Operations Center) incident management tool. This ensures that anomalous behaviour is detected and, depending on its severity, an alarm is triggered.
Assuming he has previously managed to obtain some valid API keys, John sends a malicious request containing recurring XML structures. The gateway checks the request as part of its normal in-transit policy processing before passing it on to the back-end geo-location service. One of the configured security policies detects that the request is malformed, drops the call and sends an alarm to the incident management tool, which in turn alerts the SOC team.
As a first measure, the team can deactivate those keys and block the requestor. Offline, Michael will work with the API business manager to investigate the case further.
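The policy check in the scenario above, written out as an added example (not the article's own code or any particular gateway's policy language): a streaming XML check that drops requests whose structures nest or repeat beyond configured limits, or that declare DTD entities, and that builds the alarm record the SOC incident management tool would receive. The limits, event names and the sample API key are assumed values.

```python
# Added example, not code from the article: a gateway-style XML threat policy
# that drops requests with deeply nested or excessively repeated XML structures
# (and any DTD entity declaration) and builds the alarm record a SOC
# incident-management integration would receive. Limits are constructed values.
import xml.parsers.expat
from dataclasses import dataclass
from typing import Optional

@dataclass
class PolicyResult:
    allowed: bool
    reason: str
    alert: Optional[dict]  # None when the request is allowed
class _Violation(Exception): pass  # aborts the streaming parse early

def xml_threat_policy(body: bytes, api_key: str,
                      max_depth: int = 20, max_elements: int = 1000) -> PolicyResult:
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "elements": 0, "reason": ""}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > max_depth:
            state["reason"] = f"nesting depth exceeds {max_depth}"
            raise _Violation
        if state["elements"] > max_elements:
            state["reason"] = f"element count exceeds {max_elements}"
            raise _Violation
    def entity_decl(*_args):  # any entity declaration is refused outright
        state["reason"] = "DTD entity declaration in request body"
        raise _Violation
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: state.update(depth=state["depth"] - 1)
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(body, True)
    except _Violation:
        pass
    except xml.parsers.expat.ExpatError as exc:
        state["reason"] = f"malformed XML: {exc}"
    if not state["reason"]:
        return PolicyResult(True, "ok", None)
    # Alarm record for the SOC tool (nothing is sent here): the call is dropped
    # and the team can revoke the key and block the requestor from this record.
    alert = {"event": "api.policy.violation", "action": "dropped",
             "api_key": api_key, "reason": state["reason"]}
    return PolicyResult(False, state["reason"], alert)
```

Because the check is streaming and stops at the first violation, the gateway never buffers or fully expands an oversized body before deciding to drop it.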
Some of the improvements and best practices ApiConsultingAcme could recommend to their customers are:
- Enforce all security policies on the API gateway to prevent attacks from the Internet
- Periodically review the security policies and make sure they are in line with your security strategy
- Log all traffic flowing through the gateway
- Connect your gateway with the incident management tools of your SOC (Security Operations Center) or equivalent
- Perform analytics on the collected data to detect more sophisticated attacks, which can circumvent the existing policies
The way ahead
APIs give businesses a wealth of new and unforeseen opportunities to amplify their reach by empowering the larger community of application developers. API security, however, is not optional, nor should it be treated as a stand-alone concern. Rather, the security team has to own it and make sure that API security is aligned, in terms of policies and controls, with the company's overall security strategy.