API Security in the Cloud Native Era
Modern cloud native applications are composed of dozens of loosely coupled microservices, enabling developers to create complex applications with great ease and speed. This type of architecture constantly changes based on customer needs, and the decoupled nature of microservices enables developers to push new code and functionality very frequently. The connectivity and communications among microservices are via application programming interfaces (APIs) such as REST, gRPC and GraphQL. In cloud native applications, a single client’s web request (i.e., north-south traffic) that hits your Kubernetes® cluster can spawn tens or even hundreds of API calls between internal microservices (i.e., east-west traffic). It is never enough to only secure the front-end web interface of your cloud native application—you must also apply rigorous application layer protection for your cloud native APIs.
The Traditional Approach
The common approach to securing web applications in the monolith application world was to deploy a traditional web application firewall (WAF) at the perimeter, so it would be able to intercept and inspect HTTP traffic sent by web clients. This approach made total sense when the potential risk to the application was mostly from malicious user input embedded in standard HTTP web form submissions or browser requests. However, when dealing with highly distributed, cloud native microservices architecture, this approach is no longer suitable for the following reasons:
• Modern applications often consume input from a much wider range of sources. These include standard web requests, mobile device API calls, cloud events, IoT device telemetry communication, cloud storage, etc. Inspecting input at the (web) perimeter does not provide full security coverage and may miss potentially hazardous payloads.
• Client inbound HTTP requests (i.e., north-south traffic) are often the first step in a long sequence of communication flows. In many cases, a single inbound request will generate dozens of internal API calls (i.e., east-west traffic). If those internal API calls are not properly inspected and validated, API endpoints are left unprotected.
• Internal API endpoints are often misconfigured and may allow unauthorized direct access to individual microservices, essentially exposing application logic to malicious actions.
For the reasons above, it is critical that all API endpoints, both external and internal, are continuously monitored and rigorously protected.
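One way to check for the misconfiguration described in the last bullet, as an added example that is not part of the original article or of any Palo Alto Networks product: a Python audit over Kubernetes Service and NetworkPolicy manifests that flags services whose pods accept east-west traffic from any source. The `shop` namespace, the service names and the manifests are constructed samples; NetworkPolicy only limits who may connect, so this complements inspection of the API calls themselves.

```python
"""Audit: which Services accept east-west traffic from any pod? (added example)"""

def _ns(obj):
    return obj["metadata"].get("namespace", "default")

def _selects(policy, svc):
    """True if the policy provably selects every pod behind the Service."""
    sel = policy["spec"].get("podSelector", {})
    if _ns(policy) != _ns(svc) or sel.get("matchExpressions"):
        return False  # matchExpressions are not evaluated: treated as no match
    have = svc["spec"].get("selector") or {}
    # An empty podSelector selects all pods in the namespace.
    return all(have.get(k) == v for k, v in sel.get("matchLabels", {}).items())

def audit(services, policies):
    """Map 'namespace/name' to 'no-policy', 'allow-all' or 'restricted'."""
    report = {}
    for svc in services:
        covering = [p for p in policies if _selects(p, svc)
                    and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
        rules = [r for p in covering for r in p["spec"].get("ingress", [])]
        if not covering:
            status = "no-policy"      # no policy restricts ingress to these pods
        elif any(not r.get("from") for r in rules):
            status = "allow-all"      # a rule without `from` admits every source
        else:
            status = "restricted"     # includes deny-all (Ingress type, no rules)
        report[f'{_ns(svc)}/{svc["metadata"]["name"]}'] = status
    return report

def _svc(name):  # constructed sample manifests, trimmed to the fields used
    return {"metadata": {"name": name, "namespace": "shop"},
            "spec": {"selector": {"app": name}}}

def _policy(app, ingress):
    return {"metadata": {"name": f"{app}-ingress", "namespace": "shop"},
            "spec": {"podSelector": {"matchLabels": {"app": app}},
                     "policyTypes": ["Ingress"], "ingress": ingress}}

SERVICES = [_svc("orders"), _svc("payments"), _svc("inventory")]
POLICIES = [
    _policy("payments", [{"from": [{"podSelector": {"matchLabels": {"app": "orders"}}}]}]),
    _policy("inventory", [{"ports": [{"port": 8080}]}]),  # no `from`: open to all
]

if __name__ == "__main__":
    for name, status in audit(SERVICES, POLICIES).items():
        print(f"{name}: {status}")
```

Services reported as `no-policy` or `allow-all` are the ones any workload in the cluster can call directly.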
SITC – Your Palo Alto Networks partner
Ready to secure your cloud-native environment? Partner with Secure IT Consult and harness the power of Palo Alto Networks solutions for API security. Don’t leave your cloud infrastructure vulnerable – fortify your defences today. Contact us to safeguard your digital assets and ensure peace of mind.
You can learn more about the elite defence solutions on offer from our team and in our documentation, and see Palo Alto Networks’ portfolio in action by requesting an Ultimate Test Drive!
Contact us for more information on Palo Alto Networks solutions and to find out what this next-level portfolio can offer you.