Improve Application Security and Prevent Data Loss with Gloo API gateway 

Solo.io Engineering | April 28, 2020

Many publicly facing applications are designed to connect businesses with their customers and partner ecosystem to manage their accounts, fulfill purchases and process transactions that use personally identifying and financial information or other sensitive data. With that in mind, we’ll dig into the role of an API gateway to improve security with features to prevent data loss or leakage. 

 

What is Data Loss Prevention (DLP)?

Data loss prevention is a method or software for detecting potential data breaches and data exfiltration transmissions and preventing them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). Examples of sensitive information include personally identifiable information such as full names, email addresses, government ID numbers (social security, driver’s license, passport), bank account numbers, and credit card numbers.

Role of API Gateways and Data Loss Prevention with Gloo 

API or edge gateways present a control point for managing and securing the connections between end users or clients and the backend application services they are trying to access. A key function of an API gateway is to abstract the API implementation from how it is handled, allowing for things like request/response transformations and more.

Gloo is an Envoy Proxy-based API gateway and control plane that provides a lightweight, scalable and highly flexible set of configurations for handling application traffic. Envoy is a high-performance, cloud-native edge proxy that is configured by a series of filters to shape and secure the traffic that flows through it. Gloo Enterprise includes a Data Loss Prevention feature, implemented as a series of regex replacements on the response body that transform the response to mask the sensitive data.

Data Loss Prevention (DLP) is implemented as one of the filters you can configure in the Envoy proxy through the Gloo Enterprise control plane. The current order of filters that can be configured for incoming traffic is:

  1. Fault Injection
  2. CORS / Data Loss Prevention (DLP)
  3. Web Application Firewall (WAF)
  4. Authentication
  5. Rate Limiting

The Data Loss Prevention feature is configured as a list of Actions, applied in order, on an HTTP listener, virtual service, or route. When configured, it can mask sensitive data like a social security number and credit card by transforming the response in the example below.

into this response:
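The ordered regex masking described above, as an added Python illustration (not Gloo's code or configuration): each action is applied in turn to the response body and leaves only the last four digits visible. The `MaskAction` type, the patterns, the sample body and the Luhn check that skips non-card 16-digit values are all assumptions of this sketch; the Luhn step goes beyond the plain regex replacement the post describes.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class MaskAction:            # hypothetical type, not a Gloo API object
    name: str
    pattern: re.Pattern
    keep_last: int = 4       # trailing digits left visible
    mask_char: str = "X"
    luhn: bool = False       # only mask matches that pass the Luhn checksum

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out 16-digit values that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask(match: re.Match, action: MaskAction) -> str:
    text = match.group(0)
    digits = re.sub(r"\D", "", text)
    if action.luhn and not luhn_ok(digits):
        return text          # looks like a card number but is not one
    to_hide = len(digits) - action.keep_last
    out = []
    for ch in text:          # keep separators, replace leading digits
        if ch.isdigit() and to_hide > 0:
            out.append(action.mask_char)
            to_hide -= 1
        else:
            out.append(ch)
    return "".join(out)

# Assumed patterns for illustration; applied in list order.
ACTIONS = [
    MaskAction("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    MaskAction("credit_card", re.compile(r"\b\d{4}(?:[- ]?\d{4}){3}\b"), luhn=True),
]

def apply_dlp(body: str, actions=ACTIONS) -> str:
    for action in actions:
        body = action.pattern.sub(lambda m, a=action: _mask(m, a), body)
    return body

# Constructed sample response body (the card value is a well-known test number).
SAMPLE = '{"ssn": "123-45-6789", "card": "4111-1111-1111-1111", "order_id": "1234567890123456"}'
```

Calling `apply_dlp(SAMPLE)` masks the SSN and card fields and leaves `order_id` untouched because it fails the checksum.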

If you’re interested in Data Loss Prevention, give the feature a try and give us feedback. We are also interested in learning more about your application and data security needs and how Gloo can potentially help.

 
