Achieve Compliance, Zero Trust with Istio Ambient Mesh

READ THE WHITE PAPER

API Gateway Security

API Gateway Security: 7 Best Practices

Series: API Gateway

What Is an API Gateway?

APIs are a critical part of the information economy, allowing large numbers of applications to communicate and work together seamlessly. However, the heavy reliance on APIs creates a challenge for security and management. An API gateway is a middleware component mediating the requests between APIs and various services.

The primary function of an API gateway is to serve as the single entry point for all data, applications, and services to interact with an organization’s internal and external customers. It provides a standardized interaction process to make API communication more manageable and secure. 

A key function of API gateways is to improve the security of APIs and the data they provide. API gateways also perform additional functions supporting API workflows, including rate-limiting, authentication, and analytics, many of which can also contribute to your API security posture.

What Is API Security?

API security involves protecting APIs from cyberattacks. APIs can be vulnerable to various threats, just like applications, networks, and servers can be the targets of an attack.

API security is a key aspect of securing web applications. Most web apps today rely on APIs to operate, making them accessible to external parties. APIs thus pose additional risks to applications. 

Using APIs is equivalent to opening a business’s doors to the public. If many people are in the office, and not all are familiar or trusted, they can expose the organization to more risks. Likewise, APIs make programs available to outsiders and pose a greater risk to the API service infrastructure.

The API Gateway's Role in Security

An API gateway typically has monitoring and logging features to track, record, and analyze API calls and responses. These capabilities are essential for troubleshooting errors and ensuring security. An effective API gateway should have a bottom-up design to guarantee strong security. 

API gateways can usually perform these functions:

  • Act as a proxy point to the control APIs inline.
  • Authenticate the identity of all API requests by validating credentials, ID tokens, and more authentication methods.
  • Determine the traffic allowed to reach the back end via the API.
  • Use rate-limiting and throttling to measure traffic passing through each API.
  • Enforce security governance by implementing runtime policies and logging all API transactions.
  • Provide an added layer of security for back end services powering APIs.

7 API Gateway Security Best Practices

An API gateway is a trusted source connected to many enterprise assets. If compromised, an API gateway can cause critical security problems. Here are key best practices to help you secure API gateways:

1. Use HTTPS Communication

You must always ensure that all communications between your API gateway and the clients are transmitted over HTTPS, even if there is no requirement for authentication. You should do this for existing API gateways and when conducting a security audit of an existing setup. 

Configuring secure and reliable authentication is especially important for content restricted to logged-in users. Authentication makes it harder for threat actors to impersonate a legitimate with compromised credentials. 

You should implement authentication and HTTPS at the API gateway level instead of on individual microservices. It can help you avoid wasting time on repetitive efforts and establish a consistent approach across the application.

2. Use a Centralized Authentication Server

You should never allow gateways or APIs to issue access or refresh tokens. Only a centralized authentication server should issue these tokens. A token issuance process involves various complicated steps, including server authentication, user authentication, client approval, token verification, and more.

The authentication process requires access to many data sources, including client information and authentication techniques. Using multiple entities to issue and sign tokens can lead to complexity, making it difficult to manage the process. Instead, you should use one centralized entity to handle these processes safely.

3. Limit Requests

API rate limiting helps prevent excessive API requests from overwhelming upstream services, a technique often utilized during Distributed Denial of Service (DDoS) attacks. Once you limit rate requests, the API gateway can only accept a specific number of simultaneous client requests during a given time. Here are two common techniques:

  • Throttling—a technique that enables you to reduce bandwidth or terminate client sessions if overload occurs. 
  • Size limiting—use this technique to configure the API gateway to block client request payloads exceeding a predefined size.

4. Implement Monitoring and Analytics

You can learn about service health and performance by monitoring APIs. It provides visibility into potential threats or problems services currently face. API gateways centralize metrics and logs aggregation, capturing information about traffic and requests. 

You can export this centralized and aggregated data to security information and event management (SIEM) tools for visualization, alerting, and analysis. An API gateway utilizing monitoring tools can help detect attacks, identify the involved IPs, and learn whether the actors used internal IPs to launch attacks.

5. Leverage Serverless Functions

Serverless functions enable you to run code snippets in cloud-managed and secured computing environments. A serverless function runs code in response to specific events or HTTP requests. Once it runs, the system destroys the ephemeral computing infrastructure, effectively removing backend servers from exposure to potential attacks. The client can only access the API gateway in front of the function.

6. Implement API-led Connectivity

You should create separate API gateways for each use case when your application utilizes various connections, such as IoT devices, mobile apps, and integration with internal systems. This separation can help prevent exposing endpoints intended for internal use to external connectivity. 

You should restrict an API gateway intended for internal applications to the organization’s network or use an allowlist of authorized clients. This practice can help protect against unauthorized access.

7. Manage Deprecated APIs

You must keep track of all APIs, remove all unused APIs, and deprecate old versions that do not include new security measures you have implemented at the application level. By managing APIs through an API gateway, you gain visibility into your APIs and the ability to measure and analyze their usage.

API Gateway Security with Gloo Gateway

Gloo Gateway enales robust API Gateway security by providing defense-in-depth:

  • Transport Layer Security (TLS and mTLS)
  • Secrets Management (Kubernetes and Hashicorp Vault)
  • Extensible AuthenticationAPI keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
  • Access Logging
  • Built-in Web Application Firewall (WAF)
  • Built-in Data Loss Prevention (DLP)
  • Federated RBAC
  • Open Policy Agent for authorization
  • Integrated Vulnerability scanner

Learn more about Gloo Edge Gateway

Sections