Enterprises pursuing more strategic approaches to API deployment and management often opt to deploy API gateways. API gateways act as a centralized control point for API traffic management and governance. This can be very helpful as API usage scales, since it provides a simple and consistent interface for API consumers even as back-end application infrastructure and microservices evolve on a near-continuous basis. API gateways also play an important role in API quality assurance by providing key scalability functions like load balancing and rate limiting.
In addition to their operational benefits, API gateways also perform several important security functions. But it’s important for security leaders to understand where API gateways provide security value and where critical gaps must be filled with complementary API security technologies.
What types of security features do API gateways offer?
Many of the categories of vulnerabilities included on the OWASP API Top 10 relate to incorrect implementation or configuration of specific API functions. So one of the overarching ways that API gateways enhance security is by bringing order and consistency to foundational aspects of API security like:
- SSL/TLS encryption
In addition, the fact that API gateways have visibility into most API activity makes them an excellent source of log data that can feed enterprise reporting and security tools.
And perhaps most importantly, the same rate limiting features that help with performance and scalability are also powerful tools for preventing or responding to API attacks and abuse. For example, if requests exceed certain volume or payload size thresholds, bandwidth can be limited or client sessions can be terminated altogether.
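As an added illustration (not code from the original post or from any gateway product), the following sketch models the kind of threshold policy described above: a per-client sliding window with a soft limit that throttles and a hard limit that terminates the session, plus a payload-size ceiling. The threshold values and client ids are constructed for the example.

```python
from collections import defaultdict, deque

# Hypothetical policy thresholds, constructed for this example.
WINDOW_SECONDS = 60
SOFT_LIMIT = 5           # requests per window before throttling begins
HARD_LIMIT = 8           # requests per window before the session is terminated
MAX_PAYLOAD_BYTES = 1024 # request bodies above this are rejected outright


class GatewayRateLimiter:
    """Sliding-window limiter keyed by client id, as a gateway policy might apply it."""

    def __init__(self):
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests
        self.terminated = set()          # clients whose session has been cut off

    def decide(self, client, ts, payload_bytes):
        if client in self.terminated:
            return "terminated"
        if payload_bytes > MAX_PAYLOAD_BYTES:
            return "reject_payload"      # oversized body is refused before counting
        window = self._hits[client]
        window.append(ts)
        # Drop timestamps that have aged out of the window.
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()
        n = len(window)
        if n > HARD_LIMIT:
            self.terminated.add(client)
            return "terminated"
        if n > SOFT_LIMIT:
            return "throttled"
        return "allowed"


def run_sample():
    """Replay constructed requests and return the gateway decision for each one."""
    limiter = GatewayRateLimiter()
    # acct-1 sends ten requests in 20 seconds; acct-2 sends one oversized body, then a normal one.
    requests = [("acct-1", t, 200) for t in range(0, 20, 2)]
    requests += [("acct-2", 5, 4096), ("acct-2", 6, 100)]
    return [limiter.decide(client, t, size) for client, t, size in requests]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```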
Is the API gateway enough for security?
The capabilities described above provide a valuable foundation for your API security strategy, but they are not sufficient on their own. Here are a few reasons why.
API gateways don’t see everything
Just because an organization mandates the use of an API gateway for all API creation and usage, it does not guarantee that this guidance will be followed in 100 percent of cases. Rogue or shadow APIs are still likely to appear in organizations that use an API gateway, whether due to developer error or other factors such as mergers and acquisitions. Similarly, there may be forgotten zombie APIs that predate the implementation of the API gateway and remain as hidden attack vectors.
Integrated detection and alerting are insufficient
Most of the integrated security features included with API gateways are policies for functions like rate limiting and built-in authentication modules. While these types of security features can be useful, they aren’t capable of detecting and stopping attackers. For example, some of the biggest threats that many organizations face come from API abuse that blends seamlessly with legitimate usage over extended time periods.
The risk of false positives limits the utility of automated responses
One of the most impactful roles that API gateways can play is taking automated action to throttle or block threat actors attacking or abusing APIs. But many organizations are hesitant to use this power beyond their foundational policies. After all, false positive responses have the potential to disrupt legitimate API usage and lead to negative business consequences. So situational responses based on threat detection can only be used when the security team has high confidence in their detection accuracy.
How does API behavioral analytics complement an API gateway?
Combining the foundational capabilities of your API gateway with a specialized API behavioral analytics solution like Neosec is the most effective way to protect against the full array of API threats and risks. It overcomes the API gateway security limitations described above while also enabling more effective API discovery, threat detection, and response.
Perform continuous, enterprise-wide API discovery
When it comes to API discovery, Neosec can consume information from your primary API gateway. But in addition to this, Neosec also ingests traffic and activity information from all other available sources, including:
- Any legacy API gateways
- Content delivery networks
- Cloud providers
- Log management systems
- Orchestration tools
By monitoring all of these available data sources continuously, Neosec can discover any rogue or zombie APIs and bring them into the visibility of the security team. From there, any legitimate APIs can be integrated with the API gateway for better performance and governance. Meanwhile, any unsanctioned APIs can be decommissioned.
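The discovery step above amounts to comparing what the gateway knows about against what other sources actually observe. The following added example (not Neosec's code) does that with a constructed gateway inventory and constructed CDN, cloud load balancer and legacy-gateway log lines: paths are normalized so that object identifiers collapse to a placeholder, and any endpoint carrying traffic without a gateway entry is reported as unmanaged, along with the sources that saw it.

```python
import re
from collections import defaultdict

# Constructed gateway inventory: (method, normalized path) pairs the gateway manages.
GATEWAY_INVENTORY = {
    ("GET", "/v2/orders/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/users/{id}"),
}

# Constructed log lines from non-gateway sources, one "<source> <method> <path>" per line.
SAMPLE_LOGS = """\
cdn GET /v2/orders/1001
cdn GET /v2/orders/1002
cloud-lb GET /v1/orders/77/export
cloud-lb GET /v1/orders/78/export
legacy-gw POST /internal/debug/dump
cdn GET /v2/users/42
"""

# Path segments that look like identifiers: integers, 32-hex digests, or UUID-shaped values.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{32}|[0-9a-f-]{36})$")


def normalize_path(path):
    """Collapse identifier segments so /v2/orders/1001?x=1 becomes /v2/orders/{id}."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if _ID_SEGMENT.match(p) else p for p in parts)


def find_unmanaged_endpoints(inventory, log_text):
    """Return {(method, path): [sources]} for endpoints seen in traffic but absent from the gateway."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        source, method, path = line.split()
        seen[(method, normalize_path(path))].add(source)
    return {ep: sorted(srcs) for ep, srcs in seen.items() if ep not in inventory}


if __name__ == "__main__":
    for (method, path), sources in find_unmanaged_endpoints(GATEWAY_INVENTORY, SAMPLE_LOGS).items():
        print(f"unmanaged: {method} {path} (seen by {', '.join(sources)})")
```

Endpoints that surface here are candidates for either onboarding to the gateway or decommissioning, which is the triage the paragraph above describes.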
Detect the full array of possible API threats
Neosec’s API behavioral analytics capabilities augment traditional signature-based detection with anomaly detection based on a contextual understanding of the users and business entities represented in API activity. This makes it possible to detect a much wider array of API threats, including API abuse that would otherwise be hidden among legitimate API usage.
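To make the contrast with volume-based controls concrete, here is an added example (not Neosec's product logic) of one behavioral feature: the share of a user's requests that touch an object they have not requested before. In the constructed log every user sends a similar number of requests, so a rate limit sees nothing unusual, yet one user's ratio sits far above the peer baseline, which is the low-and-slow enumeration pattern that blends into normal traffic.

```python
from collections import defaultdict
from statistics import median

# Constructed API access log as (user, object id) pairs. Request volumes are similar
# for every user, so a rate limit alone would not single any of them out.
SAMPLE_EVENTS = (
    [("alice", oid) for oid in [101, 102, 103, 101, 102, 101, 104, 101, 102, 103, 101, 104]]
    + [("bob", oid) for oid in [201, 202, 201, 203, 201, 202, 201, 203, 202, 201]]
    + [("carol", oid) for oid in [301, 302, 301, 302, 301, 301, 302, 301]]
    + [("dave", oid) for oid in range(5000, 5012)]  # 12 requests, 12 distinct ids
)


def per_user_features(events):
    """Per user: request count and the fraction of requests that hit a distinct object."""
    ids, count = defaultdict(set), defaultdict(int)
    for user, oid in events:
        ids[user].add(oid)
        count[user] += 1
    return {u: {"requests": count[u], "distinct_ratio": len(ids[u]) / count[u]} for u in count}


def flag_enumeration(events, factor=3.0, min_requests=8):
    """Flag users whose distinct-object ratio exceeds `factor` times their peers' median."""
    feats = per_user_features(events)
    flagged = {}
    for user, f in feats.items():
        if f["requests"] < min_requests:
            continue  # too little activity to judge
        peers = [g["distinct_ratio"] for u, g in feats.items() if u != user]
        baseline = median(peers)
        if f["distinct_ratio"] > factor * baseline:
            flagged[user] = {"ratio": round(f["distinct_ratio"], 2),
                             "peer_baseline": round(baseline, 2)}
    return flagged


if __name__ == "__main__":
    for user, detail in flag_enumeration(SAMPLE_EVENTS).items():
        print(f"{user}: distinct ratio {detail['ratio']} vs peer baseline {detail['peer_baseline']}")
```

A production system would baseline each user against their own history and business role rather than a single peer median, but the signal is the same: behaviour, not volume.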
Automated response to active threats
Because API behavioral analytics is able to detect and analyze possible attacks and abuse with much greater accuracy than traditional API monitoring techniques, security teams have a greater ability to create automated response playbooks with confidence. This includes initiation of automated responses by your API gateway to limit or cut off API access from threat actors.
See for yourself how behavioral analytics can unlock more value from your API gateway
Interested in seeing how API behavioral analytics can be combined with your API gateway to reduce risk and improve security team effectiveness?
Request a free trial of Neosec today to see first-hand how our cloud-based approach can be deployed quickly and provide the necessary foundation for your API security program.