How API gateways improve API security

Importance of APIs

APIs stipulate how software applications interact with each other and are used extensively in microservices. Uber, Amazon, Spotify and most other major enterprises rely on a microservices architecture where self-contained microservices manage a specific element of a business activity. This approach significantly simplifies the development, deployment and maintenance of complex products and services by using APIs to interact with them.

APIs enable development teams to design products that interact with a service without needing in-depth knowledge of how that service works. For example, the public Google Maps API lets anyone access more than 20 petabytes of data through a simple API request. While a request to find a restaurant's location may appear simple, validating it, collecting complex responses from multiple services -- map location, photos, reviews, directions, opening times, etc. -- and combining them into a single response is extremely complex. This is why enterprise APIs get deployed with API gateways, middleware that enable access to disparate services and data through a single API call and return a single unified response.

API gateway capabilities

An API gateway is a software layer that acts as the sole interface between client requests handled by multiple back-end systems. It sends requests to the appropriate services using request routing, composition and protocol translation, and it then returns the requested data.

API gateways also provide important admin and service functions, as well as security features. They improve performance, availability and scalability, while simplifying how different services connect and share data. API gateways also add an extra layer of protection because it prevents direct contact between clients and back-end services.

The top admin and service benefits provided by an API gateway include the following:

• Routing. The API gateway routes incoming requests based on factors such as request path, headers and query parameters. Depending on the type of client and device, the gateway can route the request to device-specific APIs. Routing is also useful during blue/green and canary deployments to eradicate downtime when updating services.
• Load balancing. An API gateway can efficiently distribute requests across multiple instances of a back-end service to improve scalability and availability and ensure users receive a consistent and reliable service.
• Caching. A gateway can cache commonly requested data to improve the API performance so response times are faster and back-end services receive fewer repeat requests.
• Protocol translation. An API gateway can translate protocols to simplify communications between clients and back-end services. For example, if a request requires the response in JSON, the gateway automatically converts the response from a service that uses XML. It can also finesse the contents of a response depending on the type of device or user instigating the request.

Security-specific features of an API gateway include the following:

• Security policy enforcement. Because APIs provide access to sensitive data and resources, they are a target for every type of attacker. API gateways, which manage all API traffic, are an excellent control point from which to enforce policies and rules such as authentication, authorization and access control that protect the underlying services.
• DDoS protection. Control over the number of API calls within a specified time ensures back-end processing capacity never gets exceeded even if an attacker tries to flood the microservices with traffic. Having complete visibility into each request also enables the API gateway to detect brute-force attacks. Additionally, it can function as a circuit breaker to halt connections if requests are likely to fail due to problems with related services.
• Monitoring. Because all requests go through the API gateway, it can collect data to provide analysis and insights into API traffic and service usage to help with security, error detection and maintenance.

API gateway security best practices

To keep your API gateway, API traffic and network services secure, it is important to implement the following best practices that enable your gateway to handle any attempts to disrupt or attack any of these components:

• Centralized authentication. APIs provide access to sensitive and restricted data, so strong authentication is essential. Centralizing authentication at the gateway removes the risk of each microservice trying to securely implement what is a complex task. It also makes code easier to write, read and maintain. Better still is using a centralized authentication server to manage the authentication and token issuance processes.
• Traffic encryption. Implementing HTTPS for all API traffic is best done at the API gateway level and not on individual microservices. This ensures consistency and avoids the need for repetitive configuration across multiple systems, preventing potential mistakes.
• API request validation. Validating API requests before the gateway forwards them to back-end services halts erroneous requests and mitigates the risk of injection attacks. Standardize error responses to prevent exposing sensitive information in the error message.
• Rate limiting. By controlling the number of API requests, a gateway can prevent excessive malicious or genuine API requests from overwhelming services. This prevents DDoS attacks from taking services down and limiting cascading failures in an overloaded system.
• Monitoring and analytics. API gateways can generate execution and access logs and then send them to a SIEM system for further analysis and the detection of potential threats and problems. The visibility and metrics the gateway can provide into API usage help solve client access and request issues, as well as spot if deprecated APIs are still in use.

Additional security alongside API gateways can help further protect APIs. For example, gateways benefit from being behind a web application firewall (WAF). A WAF can limit access and block requests from known malicious IP addresses and filter out malformed or suspicious requests to protect against common web exploits, such as SQL injection attacks.

To reduce contagion in the event of an attack and to more easily restore or debug a microservice, always deploy separate, dedicated API gateways for each use case, such as internal access and IoT devices. This reduces the possible attack surface and makes it easier to configure dedicated rules and policies for each particular type of service.