Perimeter Security
November 8, 2019

Security-First API Maturity

Security

Mitigating common weaknesses & vulnerabilities for APIs and microservices with Akana best practices.

Perimeter Security: Microperimeter-Based Deployment Model

The NIST Zero Trust Architecture describes a Microperimeter-Based Deployment model as a "variation of the device agent/gateway model."

In this model, the gateway components may not reside on systems or in front of individual resources. Instead, they reside at the boundary of a resource enclave. This could be a cloud IaaS instance in a virtual private cloud dedicated zone (VPC), Virtual Private Network (VPN) or dedicated MPLS copper or optical carrier leased line VLAN, or minimally a Mutual TLS 1.2+ https tunnel over public shared networks. 

This deployment model is effective to create trust between an enterprise application or system and external cloud-based microservices and APIs (such as postage and address verification). In this model, the entire private cloud is located behind an API gateway.

How Akana Provides Perimeter Security

Policy Enforcement Point

The Akana API Gateway acts as the Policy Enforcement Point (PEP) and is a logical component of a complex integrated distributed computing system. This system is implemented as a cluster of load-balanced protocol and message network layer gateways for OAuth, OpenID, REST, and SOAP. It can also serve as a gateway for asynchronous message bus requests such as JMS, AMQP, and emerging low latency protocols to scale to handle large message volumes.

NIST illustrates this below with the language "gateway portal", defined as a network abstraction layer for an individual resource or a micro-perimeter for a collection of resources.

API Gateway PEP
A gateway portal into a private cloud or data center containing legacy applications. [source: nist.gov]

Policy Administration Point

A network API Gateway is not to be confused with the Policy Administration Point (PAP), as illustrated below. The PAP is the interface or tool that enables the creation and editing of digital policies and rules. This functionality is found in Policy Administration within the Akana Community Manager.

API Gateway PAP
[source: nist.gov]

Policy Decision Point

The Policy Decision Point (PDP) is the component of a policy-based access control system that determines whether or not to authorize a user’s request. This determination is made based upon applicable attributes and security policies associated with the resource for which the user is requesting access.

In more technical terms, the PDP is a relational database of the enterprise’s decision-making, acting as a persistence storage layer for the API gateway. The PDP takes into account Swagger (2.x), Open API Specification (OAS 3.x), descriptor documents (WSDLs, WADLs, RAML), UI graphics, and other API documentation to orchestrate and mediate requests for tokens and JSON messages.

API Gateway PDP
[source: nist.gov]

Other Security Considerations

The PAP, PEP, and PDP are all critical to perimeter security and authentication. Also important is the programming model. Those running API servers and microservices meshes of sidecars directly on an OS using non-containerized interpreted scripting programming models (node.js, php, Python, C++, etc.) lack the "sandboxing" and mediation benefits of PKI and mutual TLS mediation. The benefits help to mitigate the risks of doing business as identified in the OWASP Top Ten and MITRE SANS CWE Top 25.

More About API Security With Akana

The 2018 Forrester Wave API Management Solutions report evaluated 15 vendors across 26 criteria – with Akana coming out on top in API security as the only vendor with a perfect score for the category.

Find out what they have to say about the strength of Akana’s security and policy capabilities in the full report.

Get the Report