Best Practices in Deploying API Gateways

ForumSystems|www.forumsys.com|888.811.0060|75SecondAvenue,Suite520Needham,MA02494

BestPrac*cesinDeployingAPIGatewaysAPIWorld2017

GregDiFruscioDirectorofSupport

gdifruscio@forumsys.com

Why they are an essential component of a secure, robust and scalable API infrastructure.

Best practices and common deployment scenarios of API Gateways.

TYPESofAPIGATEWAYS

#1 APIGatewayBasics

Deployedsimilartoareverseproxy(protocolbreak)ThegatewayrepresentstheendpointAPIandappearstotheconsumerasifitistheapplica*onorserviceitselfCanbelocatedon-premiseorincloudMovethesecurity,iden*ty,andmanagementprocessingouttotheAPIGateway*er–lettheAPIsfocusonthebusinessrequirementWhileAPIGatewaysexposetheAPIs,notallAPIGatewaystrulysecuretheAPIs

IAM(Iden*tyandAccessManagement)designedforIden*tyandAccessControlandcentralizingIAMagentsIAMGatewayproductssupportlimitedAPItypes(i.e.REST)Limitedsupportfornetworkprotocols(i.e.RESTAPIsoverHTTP)VeryliUleornoabilitytoprovideinforma*onassuranceoftheAPIdataTypicallybuiltoninsecureplaVorms–soWwareonlyorunhardenedvirtualappliance

#2 APIIAMGateways

Moreversa*lethanIAMGatewayswithbroadersupportforAPItypesandnetworkprotocols

EvolvedfromESBintegra*onplaVormswhereintegra*onandpayloadconversionarecorefunc*ons

Usuallydevelopercentric

OWenprovidedeveloperportalsforAPIconsumers,selfdocumen*ngAPIs

TypicallybuiltonopenplaVormsdesignedforflexibility

Inherentlysuscep*bletoaUackandcompromise

#3 APIManagementGateways

Securityfirstfocus–productformfactorsandfeaturesetsProductshardenedagainstcyberaUack–closedsystems

IncludeAPIIden*tyfeaturesfromIAMspace

IncludeAPIGovernancefeaturesfromAPIManagementspace

IncludeAPISecurityfromCybersecurityspace

SupportforwidearrayofAPItypesandnetworkprotocols

Focusoncontentlayersecurity(e.g.schemavalida*on,encryp*on,dsig)inaddi*ontoTLS

Bi-direc*onalscanningtopreventthreatsaswellasdataleakage

#4 APISecurityGateways

WhichtypeofAPIGatewayisrightforyou?IsHTTP/Sonlyprotocolsufficient?

AreRESTAPIservicestheonlytypeyouwillneedtosupport?AreyouconcernedaboutmalwareandotherAPIexploitsembeddedwithinthepayloads?

Doyouneedtosupportlegacyapplica*onsandservices?

Areyouconcernedwithdataleakageandsensi*veinforma*onloss?

DEPLOYINGAPIGATEWAYS

On-Premiseorcloud?

Hardware,virtual,soWware,AMI,other?

#1 Loca*onandFormFactor

Wherearetheservices?

Wherearetheclients?

Wherearetheuseriden*tyrepositories?

APItypes(e.g.REST,SOAP,XML,WebPortals,etc.)Networkprotocols(HTTP/S,SFTP,JMS,SMTP,AMQP1.0,mixing)

Iden*ty,accesscontrol,andSSOrequirements(Iden*tyRepositories)

APIsecurityrequirements(TLS,Schemavalida*on,AVscanning,parametervalida*on,methodvalida*on,etc.)

APIintegra*on/media*onrequirements(JSONto/fromXML,etc.)

Loggingrequirements

CustomErrorhandling

#2 UseCaseDiscussion

SimpleisbeUer(pointandclick,nocodingnecessary)Erroronthesideofsecurity

Startbasicandaddprocessinglayers

Reusingpolicyobjects

Policynamingconven*ons

Propaga*onofpoliciesacrossenvironments

Automa*onviaAPIs

#4 PolicyConfigura*onandManagement

AskyourvendorforasecurityreviewofyourpoliciesCheckforsensi*veinforma*oninlogs

CheckforweakciphersandTLS/SSLprotocols

Posi*veandnega*vetes*ng

Reviewerrorsgeneratedongatewayanderrorsreturnedfromapplica*ons

Doitbeforemovingintoproduc*on

SchedulethemoWen

#4 SecurityReview

BESTPRACTICESINAPISECURITY

SecureOS–theinfrastructureisatarget

Securepolicy/configura*onstorage

Protectyourprivatekeys

#1 ProductSecurity

#2 APISecurityPolicy

Aimforagentlessapproach

Protectiden*tyrepositories

UseSSOandFedera*on

#3 APIIden*tyMul*-Contextauthen*ca*onandauthoriza*on

Reducedependenciesonvendorspecificimplementa*ons

Rewri*ngURLs–obfuscateyourpathMappingpayloadformats–forintegra*onaswellassecurity

MappinguseraUributeinforma*onretrievedfromiden*tycall

QueryingLDAP,Databases,APIs(t-junc*onprocessing)

Networkprotocolmedia*on(e.g.HTTPSto/fromAc*veMQ)

#4 APIIntegra*on

IntegratewithcentralSIEM/loggingsystem(e.g.Splunk,ELK,Graylog,etc.)

Buildreal*meDashboardsfromgatewaylogs

Leveragebigdataanaly*csforalerts,trends,reports

#3 APIMonitoring

ChoosetherighttypeofAPIGatewayforyourcurrentandfutureneeds

DecidewheretheAPIGateway(s)willliveandwhatformfactorsarecorrectforyourenvironment

Spendthe*meupfronttoarchitectthesolu*onandbuildthepoliciesinaccordancetoyourplan

YourAPIsandyourAPIinfrastructurearetargets–APISecuritymeanssecurityfeaturesaswellassecurearchitecture

Conclusions

ForumOS™.FIPS140-2LevelIIpurpose-builtchassis.NIAPNDPPCerPfied.PatentedcryptographicacceleraPon

FullyencapsulatedvirtualizedrendiPonofHardwaresysteminadeployableAmazonAMI

Windows,Linux,orSolarisdeployableinanycompuPngecosystem(single-packageinstallwithnodependencies)

FORMFACTORS

APISecurityGateway

FullyencapsulatedvirtualizedrendiPonofHardwaresysteminadeployableOVAVMWareimage

Hardware

Virtual

SoWware

Tolearnmorevisitusath[p://info.forumsys.com/api_world

Best Practices in Deploying API Gateways

Technology

Containerizing a REST API and Deploying to Kubernetes

GATEWAYS - RTSD

Best Practices for Designing Amazon API Gateway Private ......deploying private APIs and private integrations in API Gateway, and discusses security, usability, and architecture. This

Gateways Background

Kong: Becoming a King of API Gateways - Bleeding Edge Press · 2019-12-09 · Kong: Becoming a King of API Gateways By Alex Kovalevych, Robert Buchanan, Daniel Lee, Chelsy Mooy, Xavier

Analog Gateways - beroNet€¦ · Analog Gateways Modular VoIP Gateways that fit any need BERONET MODULAR GATEWAY DATASHEET OVERVIEW beroNet Modular VoIP Gateways hold up to two modules

BENEFITS - content.scytale.io · Security products such as network/application firewalls and API gateways, and authentication protocols such as Kerberos and oAuth, are not addressing

Living on the Edge: API Gateways - Entwicklertag · 2018. 2. 22. · Living on the Edge: API Gateways NovaTec Consulting GmbH •Built on top of the reactive Spring ecosystem: •Based

Payment gateways(PG) and SMS gateways(SG) WELCOME filevitthal_dixit@yahoo.com 1 . Agenda Need for payment gateways. Architecture of payment gateways. Working of payment gateways. Benefits

solution guiDe Deploying ArubA Wireless Controllers With ... · soluTion guide deploying aruba Wireless ConTrollers WiTh miCrosofT lynC sdn api 5 Microsoft had released sDn Api 1.2

Policy APIs: Getting Started GuideThis API endpoint allows you to configure multiple objects (Segments, Gateways, Security Policies etc.) using a single API call. A very high-level

API Gateways and Microservice Architectures

OPEN White Paper v.3 © 2018 OPEN Platform, Inc. All rights ... · OPEN seeks to provide with its platform and API primarily deals with payment gateways. The OPEN API will leverage

FINE-GRAINED AUTHORIZATION FOR THE API-ENABLED … · API Gateways are often used to protect web portals exposing different types of web services. The Axiomatics Policy Server then

Application/Data Integration API Gateways Based …...API Gateway PLM ERP MES Logistics MRO ALM Planning SAP Oracle EBS IFS Teamcenter Windchill Primavera DOORS IBM-Rational Oracle

Payment gateways(PG) and SMS gateways(SG) WELCOME · vitthal_dixit@yahoo.com 1 . Agenda Need for payment gateways. Architecture of payment gateways. Working of payment gateways.

API Gateways An overview · GraphQL is a good fit for “living” in the API Gateway §To integrate GraphQLinto an existing infrastructure, you either need to build it directly into

Deploying Multiple Interconnected Gateways in Heterogeneous

Design, Build and Manage Apiary Solutions€¦ · API Platform Discover, Try, Use Application Developers API Platform Admins Install, manage gateways, manage users & grants API Designers

Instructions for Using New API - dinstar.com Gateways HTTP API_2.pdf · Support obtaining of basic port information 1.4 Before You Start 1) The API is based on HTTP and JSON.