Your APIs: Maximize Resiliency, Flexibility, and Security
Les Waltman @Akamai
Transcript of the Akamai slide deck
Protocol stack, web page (HTML): IP → TCP → TLS → HTTP → HTML
Protocol stack, web API: IP → TCP → TLS → HTTP → REST JSON / REST XML
Inside the API Call (sampled from a RESTful API, “EtherRain”)
Client: HTTP GET https://device.ip:8080/api/4/watering/zone?access_token=8djkj2lkcjbndmk6
API Endpoint: HTTP 200 OK; Headers: Content-Type: application/json; Response Body
Growth of Web API Use: 2014 through 2018
[Chart: Web Hits by Content Type, 2014 vs 2018; series: Text/HTML, Text/XML, App/XML, App/JSON; y-axis 0% to 100%. Bar labels as extracted (mapping to series not recoverable): 54%, 17%, 14%, 14%, 6%, 26%, 69%. Callout: 83% API.]
Source: Akamai ESSL Network, SOTI Q1 2019
API calls now dominate overall web hits
Microservices
Uber as a Microservice
[Diagram labels: PAYMENTS, BILLING, NOTIFICATION, PASSENGER MGMT, DRIVER MGMT, TRIP MGMT, PASSENGER UI, DRIVER UI]
Recap: API
Microservice Challenges
[Diagram labels: PAYMENTS, BILLING, NOTIFICATION, PASSENGER MGMT, DRIVER MGMT, TRIP MGMT, PASSENGER UI, DRIVER UI]
Introducing an API Gateway
[Diagram labels: API Gateway in front of PAYMENTS, BILLING, NOTIFICATION, PASSENGER MGMT, DRIVER MGMT, TRIP MGMT, PASSENGER UI, DRIVER UI]
API Gateway Redundancy
• Operate API Gateway on clustered Appliances/VMs/Containers
• Use a cloud service
API Gateway Scale
DDoS attacks can target the API Gateway at Layer 7 (i.e. a massive number of authentication attempts)
The API Gateway shouldn’t be a choke point for critical, high-demand traffic
Legitimate users can mistakenly cause high peaks
The Answer ????
Introducing Akamai’s API Gateway
Turning each of our 240,000 Edge Servers into an API Gateway
• Global quota enforcement and throttling
• JWT and OAuth Authentication
• API Key Authorization
• Granular cache control
• Message validation
• API versioning control
API Gateway
The benefit of Distributed Scale
[Diagram labels: API ×8, API Origin]
How Akamai API Gateway Adds Resiliency
Akamai API Gateway scales API Management functions the same way the platform scales everything else (i.e. WAF, DDoS Protection, Content Delivery, Image Management, etc.)
MAJOR BENEFIT: When the Edge Server is the API Gateway, Akamai can cache authenticated API responses
A Diverse Architecture
[Diagram labels: API Gateway, PAYMENTS, BILLING, NOTIFICATION, PASSENGER MGMT, DRIVER MGMT, TRIP MGMT, PASSENGER UI, DRIVER UI, GOOGLE MAPS]
APIs Can Get Overwhelmed
Solutions
Kona Site Defender: API Rate Limiting
What: Protects API endpoints from DDoS attacks by a malicious adversary
How: Inspecting requests by source IP address and looking at additional request parameters
Granularity: KSD Policy
Each Edge Server functions independently
API Gateway: API Throttling
What: Protects API endpoints from unintentional abuse by a legitimate user
How: Inspecting requests by API key
Granularity: API Endpoint and HTTP Verb
Edge Servers collaborate together to share data
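The two controls on this slide differ in what they key on and in whether the counters are local to one edge server or shared. The following is an added example, not Akamai code, that models both behaviours side by side: a fixed-window counter keyed by source IP that each edge keeps for itself, and a counter keyed by (API key, endpoint, HTTP verb) that two edges share. The class names, the limits (5 per IP per edge, 3 per key per endpoint/verb) and the sample IPs are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict


class FixedWindowCounter:
    """Counts hits per key inside fixed time windows; allow() is False once a key exceeds its limit."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self.counts = defaultdict(int)  # (key, window index) -> hits

    def allow(self, key, now: float) -> bool:
        bucket = (key, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


class EdgeServer:
    """One edge node: rate limiting by source IP is local, throttling by API key uses a shared counter."""

    def __init__(self, name: str, shared_throttle: FixedWindowCounter, ip_limit: int = 5, window: int = 60):
        self.name = name
        self.ip_limiter = FixedWindowCounter(ip_limit, window)  # independent per edge (slide: KSD rate limiting)
        self.throttle = shared_throttle                          # shared across edges (slide: API Gateway throttling)

    def handle(self, req: dict, now: float) -> tuple:
        if not self.ip_limiter.allow(req["src_ip"], now):
            return 429, "rate-limited (source IP, counted on this edge only)"
        key = (req["api_key"], req["path"], req["method"])  # granularity: key + endpoint + verb
        if not self.throttle.allow(key, now):
            return 429, "throttled (API key quota, shared across edges)"
        return 200, "forwarded to origin"


def run_scenarios() -> dict:
    """Constructed traffic: a single-IP burst against each edge, then one legitimate key spread over both."""
    shared = FixedWindowCounter(limit=3, window_seconds=60)
    edge_a, edge_b = EdgeServer("edge-a", shared), EdgeServer("edge-b", shared)
    path = "/api/4/watering/zone"  # endpoint from the slide deck's earlier sample call
    results = Counter()

    # Scenario 1: 8 requests from one IP at each edge, each with a throwaway key so only the IP limiter fires.
    # Each edge admits its first 5 and rejects 3; because counters are per edge, the other edge admits 5 more.
    for edge in (edge_a, edge_b):
        for i in range(8):
            req = {"src_ip": "198.51.100.7", "api_key": f"burst-key-{i}", "path": path, "method": "GET"}
            status, _ = edge.handle(req, now=0)
            results[("burst", status)] += 1

    # Scenario 2: one legitimate key from several IPs, alternating edges. The shared quota (3) applies
    # across both edges, so requests 4-6 are throttled no matter which edge they land on.
    for i in range(6):
        edge = edge_a if i % 2 == 0 else edge_b
        req = {"src_ip": f"203.0.113.{i}", "api_key": "legit-key", "path": path, "method": "GET"}
        status, _ = edge.handle(req, now=0)
        results[("legit-get", status)] += 1

    # Same key, different verb: a separate quota bucket, so it is still admitted.
    status, _ = edge_a.handle(
        {"src_ip": "203.0.113.99", "api_key": "legit-key", "path": path, "method": "POST"}, now=0)
    results[("legit-post", status)] += 1
    return dict(results)


if __name__ == "__main__":
    for outcome, count in sorted(run_scenarios().items(), key=str):
        print(outcome, count)
```

The per-edge IP counters are why the slide notes that each edge server functions independently for rate limiting, and the shared counter is why throttling needs edge servers to share data: a quota keyed by API key only means something if every edge counts against the same total.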
Legitimate Traffic Surges
How API Prioritization works
Fig. 1: Normal Traffic (Single Page / Native Mobile App → Akamai Edge Server → Back-end Application; JSON/XML responses)
Normal Traffic Flow
● All API or service call requests are routed to the application under normal conditions
Fig. 2: Application Overload (Single Page / Native Mobile App → Akamai Edge Server → Back-end Application in high demand; Alternate Asset served from Akamai NetStorage)
During Application Overload
● Requests are throttled to the application
● A percentage of requests are served an alternative non-HTML response from Akamai NetStorage
* Prioritized User Segments will access the application while others are throttled by serving an alternate asset to all or a percentage of users
Just TOO MUCH Traffic for an API to EVER handle
Let’s talk Security
Web APIs Are A Primary Target For Attackers Today
Web sites & Web APIs share the same (old) attack vectors – but APIs are often unprotected
APIs are more performant and less expensive to attack compared with traditional web forms
4X more Credential Stuffing attacks on APIs
What could an attack look like?
apis: [
  { path: "/user/{_id}",
    operations: [
      { method: "DELETE",
        summary: "Deletes a user",
        notes: "",
        type: "void",
        nickname: "delete_Id",
        authorization: {
          oauth2: [
            { scope: "write:_id", description: "modify ID in your account" }
          ]
        },
        parameters: [
          { name: "_id", description: "User id to delete", required: true,
            type: "string", paramType: "path", allowMultiple: false }
        ]
      }
    ]
  }
]
The point of attack:
● HTTP Method: are other methods handled correctly?
● OAuth 2.0: are tokens enforced and validated correctly?
● Is access validated? Are IDs sequential? Injection point? etc.
● What if we send multiple? Or none at all?
API-Specific Protection
● WAF Rule Inspection: alert or block JSON/XML exploits
● API Request Constraints: positive security model to block abnormal access
● Enhanced Rate Controls: defend against API-specific DDoS attacks
● Analytics & Reporting: faster incident response and better false-positive tuning
● Network Layer Protection: IP/Geo whitelist and blacklist
● Client Reputation: reputation controls
35 | Web Application Security | © 2018 Akamai | Confidential
Positive security model: proven approach delivers zero-day protection against unpublished exploits
WAP
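The questions on the "What could an attack look like?" slide (other methods, token enforcement, parameter sent twice or not at all) are exactly what the "API Request Constraints" positive security model answers: only requests that conform to the declared description are let through. The following added example, which is not Akamai's WAP/Kona implementation, is a small request validator driven by a description modelled on the slide's Swagger-style snippet. The `pattern` constraint on `_id`, the hypothetical `GET` operation with a `fields` query parameter (included so the `allowMultiple` check is exercised) and the `KNOWN_TOKENS` table standing in for JWT/OAuth token validation are all assumptions.

```python
import re

# Constructed description modelled on the slide's snippet. The "pattern" values and the GET
# operation are assumptions added for the positive model; the slide declares only DELETE.
API_SPEC = {
    "/user/{_id}": {
        "DELETE": {
            "scopes": {"write:_id"},
            "params": {"_id": {"paramType": "path", "required": True, "allowMultiple": False,
                               "pattern": r"^[A-Za-z0-9_-]{1,64}$"}},
        },
        "GET": {  # hypothetical read operation
            "scopes": {"read:_id"},
            "params": {"_id": {"paramType": "path", "required": True, "allowMultiple": False,
                               "pattern": r"^[A-Za-z0-9_-]{1,64}$"},
                       "fields": {"paramType": "query", "required": False, "allowMultiple": False,
                                  "pattern": r"^[a-z]+$"}},
        },
    },
}

# Constructed stand-in for the result of validating a bearer token (e.g. a verified JWT's scopes).
KNOWN_TOKENS = {"tok-writer": {"write:_id"}, "tok-reader": {"read:_id"}}


def _route(path: str) -> tuple:
    """Match the request path against the declared templates; return (template, path_params) or (None, {})."""
    for template in API_SPEC:
        regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        m = re.match(regex, path)
        if m:
            return template, m.groupdict()
    return None, {}


def validate(method: str, path: str, query: list, headers: dict) -> tuple:
    """Positive-model check. `query` is a list of (name, value) pairs so duplicates stay visible.

    Returns (status, reason); anything not explicitly declared is rejected."""
    template, path_params = _route(path)
    if template is None:
        return 404, "path not declared in spec"
    op = API_SPEC[template].get(method.upper())
    if op is None:
        return 405, "method not declared for this path"

    # OAuth 2.0: the token must be present, recognised, and carry the operation's scope.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    scopes = KNOWN_TOKENS.get(auth[len("Bearer "):])
    if scopes is None:
        return 401, "token not recognised"
    if not op["scopes"] <= scopes:
        return 403, "token lacks required scope"

    # Parameters: undeclared or misplaced ones are rejected, then each declared one is checked.
    declared = op["params"]
    query_values = {}
    for name, value in query:
        spec = declared.get(name)
        if spec is None or spec["paramType"] != "query":
            return 400, f"unexpected query parameter {name!r}"
        query_values.setdefault(name, []).append(value)
    for name, spec in declared.items():
        values = [path_params[name]] if spec["paramType"] == "path" else query_values.get(name, [])
        if not values:
            if spec["required"]:
                return 400, f"missing required parameter {name!r}"
            continue
        if len(values) > 1 and not spec["allowMultiple"]:
            return 400, f"parameter {name!r} supplied more than once"
        for v in values:
            if not re.fullmatch(spec["pattern"], v):
                return 400, f"parameter {name!r} violates declared constraint"
    return 200, "request conforms to spec"


if __name__ == "__main__":
    writer = {"Authorization": "Bearer tok-writer"}
    print(validate("DELETE", "/user/abc123", [], writer))
    print(validate("PUT", "/user/abc123", [], writer))
    print(validate("DELETE", "/user/..", [], writer))
```

Each branch maps to one of the slide's questions: unknown methods are refused rather than passed to the origin, a request without a valid token never reaches parameter handling, a parameter in the wrong location or sent twice is refused outright, and a value outside the declared shape is rejected without any signature for the specific payload, which is the "zero-day protection against unpublished exploits" claim on the slide.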
Where do we go from here?
● Understand what APIs you have, what information they contain, how they are exposed.
● How is your API traffic routed? Are there efficiencies? What visibility do you have?
● What is your organization's API Management strategy?
  ○ Does it have the necessary scale and redundancy?
  ○ Is it holistic across the entire organization?
  ○ How does it impact the flexibility of your APIs?
● Security Review
  ○ Are your APIs protected from web application attacks?
  ○ Do you protect against API DDoS attacks with required granularity?
  ○ Do your mobile APIs require protection from direct access?
  ○ How do you protect against parameter misuse?