How API gateways support zero trust architecture
As the zero trust model increasingly becomes the norm, API gateways will serve as critical support in organizations’ efforts to harden their security efforts. In this post we take a deep dive into what zero trust architecture looks like and how API gateways help enforce it.
The pillars of the zero trust maturity model
The zero trust maturity model includes five distinct pillars – with incremental advancements toward optimization. The pillars are:
- Application workload
Each pillar also includes general details regarding visibility and analytics, automation and orchestration, and governance, and can progress at its own pace and can (and should) maintain its own maturity model.
The identity pillar matures like this:
- Traditional implementations rely on password or Multi-Factor Authentication (MFA), both of which provide limited risk assessment options
- Advanced implementations include MFA and identity federation across services
- Optimal implementations will include continuous validation and real time analysis
An API gateway can provide implementation of the identity pillar across all three maturity stages, making it a key component for enforcing zero trust.
Adding the support of an API gateway
An API gateway provides the ability to establish MFA, identity verification and federation, and continuous validation and real time analysis – like being able to check and analyze each incoming request based on configured parameters. API gateway analysis capabilities can be augmented with real time feeds or machine learning models.
End user authentication and authorization technologies – like OIDC and OAuth – are an example of enforcement provided by API gateways. This is an important use case that most mobile applications use to connect to services. Every time you see “Log in with Google” or “Log in with Facebook,” that’s an example of federated identity, usually enforced by an API gateway.
API gateways will continue to play an important role in implementing zero trust architecture. In addition to authentication and authorization, API gateways will:
- Continue to provide security mechanisms for traditional applications, including encryption in transit
- Provide a line of defense against DDOS attacks
- Provide WAF capabilities, including protection against OWASP top 10 security risks
- Be used to implement Defense in Depth style security
But API gateways also can’t implement zero trust alone.
The limitations of API gateways for zero trust
Most API gateway-based implementations for legacy systems rely on “implicit trust” between the two, which conflicts with the core principle of adaptive evaluation of trust within zero trust architecture.
When seeking optimal maturity level implementation of each zero trust maturity model pillar, API gateways have a few gaps:
- Identity and device pillars: API gateways do not have an inherent automation and orchestration capability and need to rely on external systems
- Network/environment, application workload, and data pillars: API gateways cannot support optimal implementation of zero trust if capabilities like encryption cannot be provided by other systems in the environment
A service mesh can help address some of those gaps.
API gateway versus service mesh for zero trust
API gateways have evolved mostly in the traditional stage, so they are largely deployed at the perimeter. In a service mesh, a subset of the gateway (or mini gateway) capability is deployed with each resource as a policy enforcement point. All the mini gateways are controlled via a central control plane or policy decision point. This way, each individual resource does not have to implicitly trust any other entity and its gateway will perform the necessary tasks for identity verification and enforce policies if required.
While an API gateway provides capabilities to implement an optimal identity pillar, a service mesh provides capabilities for implementing optimal identity, network/environment, application workload, and data pillars, according to the CISA maturity model and NIST framework.
How Solo.io can help
Zero trust will continue to become an important security strategy, but organizations will need to consider other security aspects, like Defense in Depth, to build a robust secure environment. Solo’s products provide building blocks for implementing both, giving you the capabilities and confidence you need to ensure that your environment is as secure as possible.
Gloo Gateway provides multiple security features, including:
- Control ingress and egress traffic at the edge with this model
- Authenticate and authorize all incoming and outgoing traffic
- Encrypt all connections including connection to resources
- Integrate with external authentication/authorization providers
Gloo Gateway’s architecture enables users to significantly reduce their API gateway footprint (vs. legacy API gateways), as well as improve overall scalability and reduce application latency.
Additionally, the overall Gloo Platform integrates API gateway, Kubernetes Ingress, service mesh, and cloud native networking technologies into a unified, multi-cloud application networking platform.BACK TO BLOG