Cloud and mobile have spawned a new breed of applications that use lightweight APIs to enable integration and cross-modal user access. As the common access point to applications, APIs should be protected by a micro-perimeter that provides three levels of security:
- Interface security to block attacks such as SQL injection and cross-site scripting
- Access control to ensure that only the right users, devices and applications are allowed to access the APIs, along with integration to enterprise identity and access management (IAM) platforms
- Data security to monitor and redact data passing through the API, including header, message body, and any attachment
Just as with application security, you don’t need to reinvent the wheel when installing a micro-perimeter around your APIs. Consider products such as API gateways that offer comprehensive API protection in all three areas.
Learn more here.
In the past, security architectures followed the so-called “M&M model” of the hard crunchy shell and soft center. The bad guys would be stopped at the perimeter. As cloud and mobile computing extend the reach of the enterprise well beyond the perimeters of the past, the traditional security model of allowing good guys in and keeping bad guys out is no longer sufficient. As counter-intuitive as it might seem, security perimeters should actually shrink in the expanding BYOx (bring your own device/application/identity) world.
In essence, what was big is now small and what was small is now big. The idea is to protect the small entities — applications, APIs, devices and data — by creating massively scalable micro-perimeters around them. The data is now protected, rather than artificially trying to place a perimeter around the organization. This approach ensures the business can benefit from the increased agility and scalability afforded by adopting a cloud strategy, and IT can be confident the company’s data is safe. The key to applying a “micro-perimeter” is to make use of an API gateway, applying security at the level of the APIs used to connect to the cloud services.
In the old days, most business applications were only accessible on the corporate network via a browser or fat client, so they only needed rudimentary authentication and authorization capabilities. Now, with the pervasiveness of cloud-based services and mobile devices, the network perimeter has effectively evaporated and application security is a front-and-center issue.
By shrinking the security perimeter to surround each individual application — meaning moving any access control that was previously implemented at the network level to the application level — enterprise IT can control user access from anywhere and any device, without having to rely on a cumbersome VPN connection.
When setting up a micro-perimeter around applications, keep in mind that building authentication, single sign-on and authorization capabilities into individual applications is neither economical nor scalable. Look for a gateway architecture that can front both new and legacy applications and support the latest federation standards such as OAuth 2.0, OpenID Connect and SCIM (System for Cross-domain Identity Management).
Learn more here.