Cyber security has changed a lot over the past few years, creating a gap between what we used to know and protect our data from, and what the current challenges and threats are. At our webinar titled ‘Implementing your APIs with zero trust’, Kiet Yap and Gregory McCreanor from MuleSoft, alongside Sreekanth Cherukuri from WHISHWORKS, discussed how we can apply a zero trust model with Anypoint Platform. In this blog we go over the most important highlights from the webinar.
If we look a few years back, before the widespread adoption of API-led integration, organisations were mainly focusing on building applications to serve internal users and requirements. Access to the various systems and data followed a standard path (extranet -> DMZ -> Intranet) and, in this context, the use of firewalls or gateways with different levels of sensitivity combined with identity and access management, was seemingly sufficient to protect their assets.
More recently however, with digital transformation becoming paramount across industries, companies started leveraging APIs to open up their business capabilities and expose information and functionalities so they can better collaborate with customers and partners, creating what we call an API ecosystem. Now users are no longer only internal. They can be anywhere and requests to our APIs come from both internal and external users. As we expose our APIs to serve multiple audiences and processes, the traditional gateway approach to security is neither efficient nor effective. This is where zero trust comes into play.
The zero trust paradigm
Under the zero trust model, we start with the premise that we do not trust any request, whether internal or external. Consequently, we need to protect every single endpoint that we expose, and apply the right security model directly to the API in accordance with the context in which it’s being used. So how do we move from the traditional security model, where we place a layer of protection around our assets, to the zero trust paradigm?
The concept of Internet/DMZ/Intranet and Identity and Access Management, while still necessary, is not sufficient. We therefore need to redefine the role of the infrastructure, the application and the data:
- The infrastructure (firewall, network segment, etc.) is still needed to filter out invalid requests and brute-force attacks.
- It is at the application or API level where we validate the requests, and we can use various authentication methods to do that, such as user authentication, an authorization token or an API key.
- With respect to the data, the aim is to expose only the data appropriate for the access rights of the user, and this can be achieved using masking, encryption, tokenisation and other techniques.
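The data bullet above is the one most often left vague, so here is an added example (not code from the webinar or from Anypoint Platform) of what "expose only the data appropriate for the access rights of the user" looks like in practice. It applies a field-level policy to a constructed customer record: fields the caller has a scope for are returned in the clear, and everything else is dropped, masked, or replaced with a keyed token. The record, the scope names, the field policy and the tokenisation key are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed sample record, as a system API might return it from a back-end.
CUSTOMER_RECORD = {
    "customer_id": "C-10042",
    "name": "Alice Example",
    "email": "alice@example.com",
    "card_number": "4111111111111111",
    "national_id": "AB123456C",
    "balance": 1250.75,
}

# Assumed tokenisation key. In a real deployment this comes from a vault or
# secure properties, never from source code.
TOKENISATION_KEY = b"example-tokenisation-key-do-not-use"

# Assumed field-level policy: the scope needed to see a field in the clear,
# and what to do when the caller lacks it. `required: None` means always visible.
FIELD_POLICY = {
    "customer_id": {"required": None, "fallback": "drop"},
    "name": {"required": "profile:read", "fallback": "drop"},
    "email": {"required": "profile:read", "fallback": "mask_email"},
    "card_number": {"required": "payments:read", "fallback": "mask_pan"},
    "national_id": {"required": "kyc:read", "fallback": "tokenise"},
    "balance": {"required": "accounts:read", "fallback": "drop"},
}


def mask_pan(pan: str) -> str:
    """Keep the last four digits of a card number and mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Show only the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def tokenise(value: str) -> str:
    """Replace a value with a keyed, non-reversible token (HMAC-SHA256).

    The same input always yields the same token, so downstream systems can
    still correlate records on it without ever seeing the original value.
    """
    digest = hmac.new(TOKENISATION_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


FALLBACKS = {"mask_pan": mask_pan, "mask_email": mask_email, "tokenise": tokenise}


def expose_for_scopes(record: dict, scopes: set) -> dict:
    """Return the view of `record` appropriate to the caller's scopes.

    Fields with no policy entry are treated as sensitive and dropped, so a
    new back-end column never leaks by default.
    """
    out = {}
    for field, value in record.items():
        policy = FIELD_POLICY.get(field, {"required": "admin", "fallback": "drop"})
        if policy["required"] is None or policy["required"] in scopes:
            out[field] = value
            continue
        action = policy["fallback"]
        if action == "drop":
            continue
        out[field] = FALLBACKS[action](str(value))
    return out
```

The deny-by-default branch for unknown fields is the part worth copying: when the back-end schema grows, the API's default is to hide, not to expose.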
Zero trust and Anypoint Platform
In the API-led connectivity space, applying zero trust is about how we contextually build our APIs and accompanying microservices. In MuleSoft, the context is captured by the layered design pattern which involves three categories of APIs: system, process and experience.
The role of the system APIs is to open up our back-end systems to expose the different data we have. This means our focus will be mainly about rate limiting or data encryption, but not authentication or authorisation because system APIs are called by process APIs and experience APIs.
The process APIs sit at the intersection of the system APIs, and their role is to manipulate data, potentially handling a lot of mission-critical or sensitive information. This is where we can apply security measures involving authentication, authorization, encryption and tokenisation.
Our public interface is at the experience API level, and this is where we’ll need to apply additional security processes like two-factor authentication and JWT depending on how these APIs are accessed.
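To make the three layers concrete, here is an added example (not code from the webinar or from Anypoint Platform, which enforces these controls as policies rather than hand-written code) of a request passing through the layered model just described: the experience API verifies the caller's JWT and that a second factor was used, the process API checks the calling client's credentials and scope, and the system API applies only rate limiting. The HS256 secret, the client registry, the rate-limit values and the use of the `amr` claim to carry the second-factor signal are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque
from typing import Optional, Tuple

# Assumed shared secret for the HS256 JWTs the experience layer accepts.
JWT_SECRET = b"example-jwt-secret-do-not-use"

# Assumed registry of experience APIs allowed to call the process API.
PROCESS_CLIENTS = {
    "mobile-app": {"secret": "mobile-secret", "scopes": {"orders:read"}},
    "kiosk": {"secret": "kiosk-secret", "scopes": set()},
}

# Assumed system-layer rate limit: requests per caller per window.
RATE_LIMIT = 3
RATE_WINDOW_SECONDS = 60


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 JWT. Present only so the example can build its own input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, now: float, secret: bytes = JWT_SECRET) -> Optional[dict]:
    """Experience-layer check: accept only HS256, a valid signature and an unexpired token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
            return None
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if claims.get("exp", 0) <= now:
            return None
        return claims
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None


class RateLimiter:
    """System-layer check: sliding window of recent request times per caller."""

    def __init__(self, limit: int = RATE_LIMIT, window: int = RATE_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, caller: str, now: float) -> bool:
        q = self.hits[caller]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def system_api(caller: str, now: float, limiter: RateLimiter) -> Tuple[int, str]:
    """System layer: no authentication here, as the page describes; rate limiting only."""
    if not limiter.allow(caller, now):
        return 429, "rate limit exceeded"
    return 200, '{"orders": []}'  # constructed back-end response


def process_api(client_id: str, client_secret: str, required_scope: str,
                now: float, limiter: RateLimiter) -> Tuple[int, str]:
    """Process layer: the calling experience API must authenticate and hold the scope."""
    client = PROCESS_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return 401, "unknown client"
    if required_scope not in client["scopes"]:
        return 403, "scope not granted"
    return system_api(client_id, now, limiter)


def experience_api(token: str, client_id: str, client_secret: str,
                   now: float, limiter: RateLimiter) -> Tuple[int, str]:
    """Experience layer: end-user JWT plus a second-factor signal before anything else runs."""
    claims = verify_jwt(token, now)
    if claims is None:
        return 401, "invalid or expired token"
    if "mfa" not in claims.get("amr", []):  # assumed issuer convention for 2FA
        return 401, "second factor required"
    return process_api(client_id, client_secret, "orders:read", now, limiter)
```

Each layer rejects on its own criteria and nothing downstream runs until the upstream check passes, which is the property the zero trust model asks for: the system API is never reached by a request that has not already been authenticated and authorised at the layers above it.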
This layered approach of API-led connectivity is important from a business agility perspective, but also for security. A key point made during the webinar was that with Anypoint Platform, we don’t have to hand-write code for each API. The security enforcement point is already embedded into each API, so we don’t need to put extra effort into implementing the right security model for each API. And because the APIs are categorised based on their context (system, process, experience), we can apply our security measures in a more targeted and effective way.
Zero trust requires IT professionals to change the way they think about security. The new digital landscape is all about sharing data and functionality, and although the benefits are many, there are also increased risks, with many cyber-attacks coming from seemingly valid networks and users.