When people bemoan the complexity of interconnected IT environments, they usually mean that an organization has a lot of applications that all share data with each other. As your organization adds more applications, you need to make sure that they securely share data with each other. In short, security and development teams find themselves working to deploy and protect the Application Programming Interfaces (APIs) that enable applications to talk to each other.
As you build out your API landscape, you will likely adopt various tools, like an API gateway, to help manage traffic and document usage. However, your API gateway only provides limited visibility into API security so understanding its function is critical to prevent blind spots.
What Is an API Gateway?
An API gateway acts as a single entry point for all API calls across external API consumers, internal APIs, and microservices. The software standardizes processes for how applications, data, and services interact to:
- Facilitate requests
- Enforce security policies
- Separate clients from services
- Apply authentication
- Bundle multiple requests into one
- Route traffic efficiently
- Ensure scalability and high availability
- Validate that inputs contain the required information in the correct format
The API gateway can consolidate various functionalities, like:
- SSL termination
- Authentication
- IP allow and block listing
- Rate limiting or throttling
- Logging and monitoring
- Response caching
What are the benefits of an API gateway?
With an API gateway, developers can more easily create, publish, maintain, monitor, and secure API. Gateways enable organizations to implement some security for and control over the APIs that they deploy, especially in distributed microservices architectures.
Some benefits of API gateways include:
- Obfuscating microservices: placing a layer in front of the application’s backend so the endpoints remain hidden
- API authentication: Ensuring that API calls are valid and incorporating security functions like antivirus scanning, decryption, encryption, token translation, and validation
- Input validation: Reviewing API requests and rejecting ones with missing or incorrect information
- Microservices load balancing: Tracking requests to ensure that traffic levels remain manageable to prevent spikes or denial-of-service issues
- Rate limiting: Monitoring incoming traffic and limiting the requests that a client can make
- Caching: Optimizing API calls to send cached responses for similar requests to improve performance and reduce costs
- Application analytics: Providing logs about inbound traffic for insights into API trends and usage
- Modernizing legacy applications: Adding API functionalities to older applications that have difficulty connecting with newer technologies
- Response transformation: Translating responses into the format that the requestor needs them in
How do API Gateways Work?
API gateways are a core part of your API architecture. The API architecture consists of the rules and practices for designing, developing, and delivering web services. Your API gateway helps you manage and govern how APIs interact across your environment.
Request validation
An API gateway performs basic API request validation to reduce unnecessary calls to the backend. Typically, they verify at least one of the following conditions:
- Contains required parameters in the Uniform Resource Identifier (URI), appropriate query string, and incoming request headers to ensure they are not blank
- Request payload follows the configured format
Authorization and Authentication
Since APIs connect applications, your API gateway should support the different authentication models that meet your use cases. Some examples of mechanisms for controlling and managing access to APIs include:
- Resource policies: allowing or denying access based on IP address or endpoint
- Identify and access management (IAM): applying IAM roles and policies to control who can create, manage, and invoke APIs
- IAM tags: adding attributes to roles and policies, like allowing or disallowing operations based on request or resource tags
- Key authentication: using keys to grant access to a service or route
- Plugins: Connecting with an authentication service, like Okta, Active Directory, OpenID, or OAuth
Rate Limiting
Once an API call is validated, authorized, and authenticated, the API gateway enables you to limit the number of requests per second (RPS). API throttling typically uses an algorithm that follows these steps:
- Identifies the user/client that calls the API
- Checks the current request to see if it exceeds the number of allowed API calls
- Completes the task if the request is within limits
- Returns an error if the request exceeds limits
- Pauses user’s ability to make API calls if the number exceeds limits
Request Routing
The API gateway maps resources that an application can access to a method that the application uses to return the information. When you configure your API gateway, the API developers set up integration requests to forward them to the appropriate backend, typically using IAM roles and policies. Once configured, the API gateway routes the integration response to an appropriate method to respond to the client to prevent overloading the backend.
Request and Response Transformation
APIs allow different technologies to communicate, but they may not always speak the “same language.” Many organizations have a collection of REST and SOAP APIs. Across these, you may have a collection of APIs that return responses in any of the following formats:
- JavaScript Object Notation (JSON)
- Extensible Markup Language (XML)
- Proprietary vendor formats
By performing these transformations, the API Gateway facilitates the interaction between a variety of client applications and backend services, ensuring compatibility and enhancing the overall efficiency of the API communication process. This transformation can include:
- Protocol Translation: It can convert requests from one protocol to another. For example, a client might make a RESTful HTTP request, and the Gateway might need to translate that to a WebSocket or a different protocol used by the backend service.
- Path and Parameter Transformation: The Gateway can modify the path or query parameters of incoming requests to match the expected format of the backend service. For instance, it might add, remove, or change query parameters or URL paths.
- Header Manipulation: It can add, remove, or modify HTTP headers of the request or response. For example, it might add authentication headers or correlation IDs for tracing requests across microservices.
- Request/Response Body Transformation: The API Gateway can modify the body of requests or responses. This could involve converting XML to JSON, modifying the structure of the data, or extracting specific pieces of information to forward to the backend service.
- Error Handling and Standardization: It can translate error responses from various backend services into a standardized error response format to provide consistency to the client applications.
API Security vs API Gateways
API gateways focus on managing traffic and maintaining service availability. Although they provide metrics and tracing capabilities, they lack comprehensive detection and response capabilities. For example, they can provide basic authorization and authentication or alerts for high volumes of requests that might indicate a distributed denial of service (DDoS) attack. However, these are side effects of managing traffic rather than security-focused capabilities.
To augment your API gateway’s security capabilities, you should consider an API-security specific solution.
Inside-the-Perimeter Visibility and Security
The API gateway helps manage authentication and authorization, sitting in front of your APIs. However, attackers increasingly manage to bypass this security perimeter, expanding the attack surface to the API runtime environment.
Organizations need visibility into and monitoring over the inbound API requests and their associated outbound API responses to mitigate risks arising from insider threats like:
- Attackers setting up fake customer accounts to gain access to production APIs
- Disgruntled employees trying to steal sensitive data
- Business competitors attempting to access intellectual property or financial data
Discover and Classify All APIs
Typical perimeter API security tools only block unauthenticated attackers, providing little information beyond network factors. These tools remain limited to the APIs that you know about. However, you need insight into all APIs with continuous traffic scanning at runtime to discover new APIs, classify them based on domain, and track usage over time.
An API-security-focused solution should:
- Provide detailed API transaction data
- Categorize API calls
- Gather information that helps generate accurate OpenAPI specifications
- Automate risk assessment scoring
Capture Payload Request and Response Data
Perimeter solutions provide insight into requests, only storing metrics or limited metadata. They often fail to capture forensic data about responses because runtime analytics can create latency.
An API-security-focused solution sits inside this perimeter to:
- Capture API requests and responses
- Provide runtime analysis
- Tune inspection, detection, and analysis to specific API types
- Help security teams hunt for zero-day exploits related to their unique API landscape
Graylog API Security: Inside-the-Perimeter Monitoring with Actionable Solutions and Remediation Tips
Graylog API Security is continuous API security, scanning all API traffic at runtime for active attacks and threats. Mapped to security and quality rules, Graylog API Security captures complete request and response details, creating a readily accessible datastore for attack detection, fast triage, and threat intelligence. With visibility inside the perimeter, organizations can detect attack traffic from valid users before it reaches their applications.
Graylog API Security captures details to immediately identify valid traffic from malicious actions, adding active API intelligence to your security stack. Think of it as a “security analyst in-a-box,” automating API security by detecting and alerting zero-day attacks and threats. Our pre-configured signatures identify common threats and API failures and integrate with communication tools like Slack, Teams, Gchat, JIRA or via webhooks.