API Security: where API Gateways fall short

API Gateways, and how they handle API security, have been the talk of the town for the past few years. Most solutions on the market, however, look at the problem from the perimeter: for them, security stops at the entry point of the API provider. This ignores the fact that a client is rarely talking to a single API but to an ecosystem of services that may consist of hundreds of APIs. It is not enough to validate the access rights of the end user or client at the front door; the delegated rights of every party involved (the intermediate APIs) must be considered as well.

Challenge or Opportunity?

As APIs grow in popularity, so does the demand for API Gateways. API Gateway vendors today, however, seem to be making the same mistake Web Access Management vendors made more than a decade ago: they focus mainly on authentication, identification and authorization at the perimeter.

Even in traditional Web environments we learned that all backend tiers (caching proxies, application servers, content management systems and back-office applications) had to know on whose behalf they were executing a transaction. In some cases this went as far as creating accounts on these intermediate tiers. Understandably, most organisations did not go that far and settled for security at the network level only (e.g. SSL/TLS between tiers), which protects the connection but tells the receiving tier nothing about the end user.

In the API era this is no longer an option. Where a Web environment used to have just a few internal tiers, an API landscape involves hundreds of services, both internal and external, often operated by different parties.

It is no longer possible to rely on a trusted network to establish trust between all these APIs. Furthermore, OAuth 2.0 and OpenID Connect, as they are commonly deployed, only play at the perimeter: the access token is checked once at the gateway and is then either forwarded unchanged (so a token meant for the gateway is accepted by every service behind it) or dropped altogether (so the backend trusts anything that arrives from the gateway's network). Neither option tells a downstream service who the end user is or which intermediaries handled the request.

TrustBuilder IDHub implements these protocols and adds the extensions that allow them to be used beyond the perimeter of an organisation, addressing every API individually. It does so by providing token validation, authorization, delegation and token exchange services that the APIs themselves can call, based on open standards where these exist (OAuth 2.0 Token Exchange, RFC 8693, is the standard mechanism for issuing a downstream token that names both the end user and the service acting on their behalf). This creates a more secure ecosystem of internal and external APIs in which the identity and privileges of the client and of every intermediate service are validated at each hop.
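The per-hop pattern described above, as an added example that is not TrustBuilder's code and does not use the IDHub API: a client token addressed to the first API only, a token exchange step at each hop that keeps the end user as `sub` and records the calling service in a nested `act` claim (the RFC 8693 convention), and an inbound check that every API runs for itself. To stay dependency-free the tokens are HMAC-signed JSON rather than real JWTs, and the service names, scopes and shared key are made up for the example.

```python
"""Per-hop token validation and delegation along an API call chain (toy model).

The client's token is addressed to the first API only. Each downstream hop gets a
new token from a security token service (STS) that keeps the end user as `sub`
and records the calling service in a nested `act` claim (the RFC 8693 convention).
Tokens are HMAC-signed JSON, not real JWTs; names and key are made up.
"""
import base64
import hashlib
import hmac
import json
import time

STS_KEY = b"example-shared-hmac-key"  # constructed; a real STS signs with a private key

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = STS_KEY) -> str:
    body = b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, audience: str, key: bytes = STS_KEY, now=None) -> dict:
    """Signature, audience and expiry: the checks no hop may skip."""
    body, _, sig = token.partition(".")
    expected = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(unb64(body))
    if claims.get("aud") != audience:
        raise PermissionError(f"token for {claims.get('aud')!r} presented to {audience!r}")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims

def actor_chain(claims: dict) -> list:
    """Flatten the nested `act` claim, most recent intermediary first."""
    chain, act = [], claims.get("act")
    while act:
        chain.append(act["sub"])
        act = act.get("act")
    return chain

def token_exchange(subject_token, actor, target_audience, requested_scope, key=STS_KEY, now=None):
    """STS side: the subject token must be addressed to the caller, delegated scope
    may only shrink, lifetime never grows, and the caller is prepended to the actor
    chain. (A real STS would also authenticate `actor`, e.g. by client credentials.)"""
    claims = verify_token(subject_token, actor, key, now)
    if not set(requested_scope.split()) <= set(claims["scope"].split()):
        raise PermissionError("delegated scope exceeds the subject token's scope")
    act = {"sub": actor, **({"act": claims["act"]} if "act" in claims else {})}
    return issue_token({"sub": claims["sub"], "aud": target_audience, "scope": requested_scope,
                        "exp": claims["exp"], "act": act}, key)

def authorize(token, service, required_scope, trusted_actors, key=STS_KEY, now=None):
    """Inbound check every API runs for itself: user privileges and every intermediary."""
    claims = verify_token(token, service, key, now)
    if required_scope not in claims["scope"].split():
        raise PermissionError(f"scope {required_scope!r} not granted")
    untrusted = [a for a in actor_chain(claims) if a not in trusted_actors]
    if untrusted:
        raise PermissionError(f"untrusted intermediaries in call chain: {untrusted}")
    return claims

def rejected(thunk) -> bool:
    try:
        thunk()
    except PermissionError:
        return True
    return False

def demo(now: float = 1_700_000_000) -> dict:
    """Chain client -> orders-api -> inventory-api -> audit-api, plus misuses each hop refuses."""
    client_token = issue_token({"sub": "alice", "aud": "orders-api",
                                "scope": "orders:write inventory:read", "exp": now + 300})
    authorize(client_token, "orders-api", "orders:write", set(), now=now)
    inv_token = token_exchange(client_token, "orders-api", "inventory-api", "inventory:read", now=now)
    inv = authorize(inv_token, "inventory-api", "inventory:read", {"orders-api"}, now=now)
    audit_token = token_exchange(inv_token, "inventory-api", "audit-api", "inventory:read", now=now)
    audit = authorize(audit_token, "audit-api", "inventory:read", {"orders-api", "inventory-api"}, now=now)
    return {
        "inventory_actor_chain": actor_chain(inv),
        "audit_actor_chain": actor_chain(audit),
        # perimeter token forwarded unchanged to an inner API: wrong audience
        "replay_rejected": rejected(lambda: authorize(
            client_token, "inventory-api", "inventory:read", {"orders-api"}, now=now)),
        # an intermediary asking the STS for more than the user ever granted
        "escalation_rejected": rejected(lambda: token_exchange(
            client_token, "orders-api", "inventory-api", "inventory:write", now=now)),
        # well-formed token whose chain contains a service this API does not trust
        "untrusted_hop_rejected": rejected(lambda: authorize(
            inv_token, "inventory-api", "inventory:read", {"billing-api"}, now=now)),
    }
```

Calling `demo()` walks the three hops and returns the actor chain seen at each inner API together with three refusals: the perimeter token replayed at an inner API (wrong audience), an intermediary requesting a scope the user never granted, and a valid token whose call chain passes through a service the receiving API does not trust. The audience check is what makes the "forward the gateway token everywhere" shortcut fail; the `act` chain is what lets each API judge the intermediaries, not just the end user.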

Business Benefits

  • Reduced cost: every API can leverage one infrastructural security service instead of implementing its own
  • Increased security: security is extended from the perimeter to each individual API
