• Home
  • Blog
  • Improve Application Security and Prevent Data Loss with Gloo API gateway 

Improve Application Security and Prevent Data Loss with Gloo API gateway 

Solo.io | April 28, 2020

Many publicly facing applications are designed to connect businesses with their customers and partner ecosystem to manage their accounts, fulfill purchases and process transactions that use personally identifying and financial information or other sensitive data. With that in mind, we’ll dig into the role of an API gateway to improve security with features to prevent data loss or leakage. 

 

What is Data Loss Prevention (DLP)?

Data loss prevention is a method or software for detecting potential data breaches/data ex-filtration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). Examples of sensitive information include personally identifiable information like full name, email address, government ID numbers (social security, driver’s license, passport), banking account, and credit card numbers. 

Role of API Gateways and Data Loss Prevention with Gloo 

API or Edge gateways present a control point for managing and securing the connections between end users or clients and the backend application services they are trying to access. Key functionality in an API gateway is to be able to abstract the API implementation from how it is handled allowing for things like request/response transformations and more.  

Gloo is an Envoy Proxy based API gateway and control plane that provides a lightweight, scalable and highly flexible set of configurations for handling application traffic. Envoy is a high performance, cloud-native edge proxy that is configured by a series of filters to shape and secure the traffic that flows through it. Gloo Enterprise includes a Data Loss Prevention feature and achieves this functionality with a series of regex replacements on the response body to transform the response to mask the sensitive data. 

Data Loss Prevention (DLP) is implemented as one of the filters you can configure in the Envoy proxy through the Gloo Enterprise control plane. The current order of filters that can be configured for incoming traffic are:

  1. Fault Injection
  2. CORS / Data Loss Prevention (DLP)
  3. Web Application Firewall (WAF)
  4. Authentication
  5. Rate Limiting

The Data Loss Prevention feature is configured as a list of `Actions`, applied in order, on an HTTP listener, virtual service, or route. When configured, it can mask sensitive data like a social security number and credit card by transforming the response in the example below.

{    
   "fakevisa": "4397945340344828",    
   "ssn": "123-45-6789"
}

into this response:

{    
    "fakevisa": "XXXXXXXXXXXX4828",    
    "ssn": "XXX-XX-X789" 
}

If you’re interested in Data Loss Prevention, give the feature a try and give us feedback. We are also interested in learning more about your application and data security needs and how Gloo can potentially help.

[featured_boxes class=”featured-box”]

Learn More

[/featured_boxes]

 

About the Author
Darkgray Glooey Logomark V1.1 Solo.io
Solo.io connects the world’s applications with APIs and Service Mesh across any infrastructure to ease the journey to cloud native architecture
Additional Resources
post
Implementing a Custom Integration in the Gateway: An Example With AWS SigV4

April 24, 2024

Read the Article
post
Comparing AWS App Mesh and Istio for AWS Users

April 23, 2024

Read the Article
infographic
Gloo Gateway vs. Apigee
View the Infographic
post
The Battle of Titans: Kong vs. Gloo Gateway

April 19, 2024

Read the Article