Discovering and Protecting APIs Anywhere

June 29, 2022

Ed O'Connell

Post Featured Image

For most organizations, the last few years have been a period of dramatic change as the pandemic forced them to rapidly evolve their operations in order to maintain relevance.  

During this intense period, many had to quickly update old applications, or build out new applications and cloud infrastructure to meet operational needs. In doing so, they had to make fast choices around application design, performance and proximity to customers. This forced many organizations to add more ‘regions’ or ‘zones’  within the cloud environments they were already operating in. They also spun up in completely new cloud environments altogether to instantiate operations where they were needed. Some organizations built out hybrid infrastructure in order to meet compliance needs, or to simply stretch ROI out of existing private infrastructure.

APIs are critical to digital infrastructure

In building out their distributed infrastructure, organizations also built out a more complicated web of Application Programming Interfaces (APIs). These APIs are core to enabling intra-microservice communications and access to 3rd party verification and data sources. In 2019, Akamai noted that 83% of Internet traffic was API-based communication. As organizations build out more of their application infrastructure, APIs take a greater importance to their operations.

API Security is important

APIs are core to Inter-application communication and access to 3rd party verification and data sources therefore securing them is critical to avoiding data breaches.  The surface area for APIs will continue to expand as new applications, products, or markets are added.  And as the number of APIs grow, it will become difficult and time-consuming for AppSec personnel to catalog and secure them. If APIs aren’t monitored or secured then they are easily exploitable by attackers who only have to issue simple scripts to pull information. 

Ensure secure revenue growth

As organizations continue to evolve and build out their digital operations, they need to recognize that securing APIs become core to their operational tenets. Security for APIs should enable the distributed digital infrastructure to operate without impacting its agility.

In order to deliver the desired operational outcomes of agility, speed and operational protection, API security should deliver to the following requirements:

  • Discovery should be automated to maintain current with the evolving application/API landscape. Find and visualize all APIs regardless of source/destination within infrastructure
  • APIs should also be continuously analyzed and categorized so misconfiguration and security issues are immediately highlighted. 
  • Prioritization of issues is critical in order to reduce risk and exposure and maximize AppSec personnel time and efforts
  • Information on APIs (e.g., type, source, destination, etc.), issues, and steps to be taken should be easy to understand and available to the responsible administrators. Administrators should not need training in order to be productive.
  • Integration with ITSM, SIEM and SOAR tools to easily align with IT/Security operations and reporting requirements.
  • Drive remediation of API misconfiguration or security issues via integration with IT infrastructure (e.g. Firewalls, Web App Firewalls, API Gateways, etc.).
  • Adherence to regulatory or industry requirements for data protection with geo-specific processing of sensitive data.
  • Scale up and out aligned to evolving distributed cloud/on-prem infrastructure without latency to discovery, analysis or remediation of APIs.

Introducing Noname Security Remote Engine

Noname Remote Engine is an extension of the Noname API Security platform designed to enable a sprawl of APIs across cloud and on-prem infrastructure to be quickly discovered, analyzed and viewed singularly. Remote Engine is instantiated on remote cloud and/or on-prem environments where applications have been set up, and performs local discovery and analysis of APIs.  Remote Engine can be readily installed in a multitude of cloud (i.e., AWS, Azure, and Google) and on-prem environments or a combination thereof to provide complete visibility and security control over APIs.  

 

Each Remote Engine instantiation utilizes local resources to automate the capture of network traffic to enable discovery and analysis of APIs. Remote Engine only communicates the metadata about the APIs back to the primary Noname management application for review, cataloging and remediation.  No data contained within the APIs (e.g., PII) secured by Noname ever leaves the perimeter of the cloud or on-prem environment.  This enables organizations to adhere to compliance requirements such as PCI-DSS, PII, and others. 

The centralized Noname management console provides  a consolidated view of the APIs and drives remediation of API misconfigurations and security issues. It drives remediation via integration with network and application resources (e.g., Firewalls, Web Application Firewalls, and API Gateways).  Remediation can be manual or automated via ITSM, SIEM or SOAR integration.

Remote Engine enables a distributed framework of applications and APIs with scalability, automation, and a simple point of control for all APIs from the Noname Security SaaS management console.

Conclusion

In the past few years, organizations have had to make a dramatic shift in their digital operations in order to evolve to the conditions of the market. This dramatic shift has come in the form of delivering more applications across a greater number of cloud environments in order to keep pace. This shift has caused a skyrocketing number of APIs to be developed and deployed to connect the sprawling digital infrastructure. And subsequently, a greater attack surface and higher operational risk have emerged. API Security is crucial to driving digital transformation and ensuring compliance. APIs must be accounted for and secured but doing so shouldn’t impact agile digital operations. Noname Security’s Remote Engine enables organizations to build and secure out their sprawling digital infrastructure as needed where needed. It enables agile digital infrastructure to be readily discovered, analyzed with fast remediation.

Additional Resources