In today’s enterprise systems, APIs have become the main channel for business transactions, yet they are often insufficiently secured. Even a simple API request faces different threats depending on the environment it is served from – on-premises, cloud or hybrid. For the many APIs that handle sensitive data, this fragmentation of access becomes a security problem in its own right.
The best solution to this problem is an API gateway. In its usual form, the gateway sits at the network perimeter and acts as a firewall, streaming anti-virus, anti-bot and IPS, preventing data leaks and controlling employee access to corporate resources. It should be noted, however, that API developers often put functionality and uptime above security.
The API gateway acts as a server, which is the only entry point into the system. It provides an API tailored to each client, but it may have other responsibilities such as authentication, monitoring, load balancing, caching, request generation and management, and handling static responses.
A good example of using an API gateway was demonstrated at Netflix. At first, the company tried to provide a single universal API for its streaming services. It quickly discovered that this did not work well because of the variety of client devices and their unique features. Today, Netflix uses an API gateway that provides an API tailored to each device.
A bad example is Panera Bread. In 2017, it was revealed that a bug in the company’s API had exposed 37 million customer records. The leaked data contained names, birthdates, mailing addresses and the last four digits of credit card numbers. Remarkably, eight months after the bug was discovered, the problem had still not been resolved.
The Forum Sentry API security gateway (not to be confused with the Sentry bug monitor) provides “no-code” APIs for integrating legacy and modern systems, connecting cloud and mobile technologies, and securely distributing business applications and services outside the organization.
Forum Sentry supports multiple authentication and authorization methods, including Basic Auth and OAuth 2.0, and can import SOAP APIs and expose them as REST. In addition, by securing the APIs and applying security policies to these connections, the gateway also protects the underlying network.
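The responsibilities listed above (single entry point, authentication, authorization, routing, caching, per-client responses and monitoring) and the two credential types named here (Basic Auth and OAuth 2.0 bearer tokens) can be seen together in a small simulated gateway. The following is an added example written for this article; it is not code from Forum Sentry, Netflix or any other product, and the users, tokens, routes and upstream service it uses are constructed stand-ins. Real OAuth 2.0 validation would call an introspection endpoint or verify a signed token rather than consult an in-memory dictionary.

```python
import base64
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample data for the demo; none of it comes from a real deployment.
BASIC_USERS = {"alice": b"correct horse battery staple"}
# Stand-in for an OAuth 2.0 token introspection result: token -> claims.
ACCESS_TOKENS = {
    "tok-valid": {"sub": "bob", "scope": {"orders:read"}, "exp": time.time() + 3600},
    "tok-expired": {"sub": "carol", "scope": {"orders:read"}, "exp": time.time() - 60},
    "tok-noscope": {"sub": "dave", "scope": set(), "exp": time.time() + 3600},
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object
    headers: dict = field(default_factory=dict)


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value for the demo client."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(req):
    """Map the Authorization header to (principal, scopes); None if it fails."""
    scheme, _, value = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(value, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        # Compare against a dummy secret for unknown users so response timing
        # does not reveal which usernames exist; compare_digest is constant-time.
        expected = BASIC_USERS.get(user, b"\x00" * 32)
        if user in BASIC_USERS and hmac.compare_digest(pw.encode(), expected):
            return user, {"orders:read", "orders:write"}
        return None
    if scheme.lower() == "bearer":
        claims = ACCESS_TOKENS.get(value)
        if claims and claims["exp"] > time.time():
            return claims["sub"], set(claims["scope"])
    return None


def orders_backend(req, principal):
    """Simulated upstream service; the payload is tailored per client device."""
    order = {"id": 42, "owner": principal, "items": ["widget"], "history": ["created", "paid"]}
    if req.headers.get("X-Device") == "mobile":
        return {"id": order["id"], "items": order["items"]}  # compact payload
    return order


class Gateway:
    """Single entry point: authenticate, authorize, route, cache and log."""

    def __init__(self):
        # path prefix -> (required scope, upstream callable); scope None = public
        self.routes = {
            "/orders": ("orders:read", orders_backend),
            "/health": (None, lambda req, principal: {"status": "ok"}),
        }
        self.cache = {}       # (path, device, principal) -> Response for GETs
        self.access_log = []  # monitoring: one (method, path, status) per request

    def handle(self, req):
        resp = self._dispatch(req)
        self.access_log.append((req.method, req.path, resp.status))
        return resp

    def _dispatch(self, req):
        route = next((r for p, r in self.routes.items()
                      if req.path == p or req.path.startswith(p + "/")), None)
        if route is None:
            return Response(404, {"error": "no such route"})
        scope, upstream = route
        principal = None
        if scope is not None:
            auth = authenticate(req)
            if auth is None:
                return Response(401, {"error": "authentication required"},
                                {"WWW-Authenticate": 'Basic realm="gateway", Bearer'})
            principal, scopes = auth
            if scope not in scopes:
                return Response(403, {"error": "insufficient scope"})
        # Cache keyed per principal and device so one client never sees another's data.
        key = (req.path, req.headers.get("X-Device"), principal)
        if req.method == "GET" and key in self.cache:
            return self.cache[key]
        resp = Response(200, upstream(req, principal))
        if req.method == "GET":
            self.cache[key] = resp
        return resp


if __name__ == "__main__":
    gw = Gateway()
    print(gw.handle(Request("GET", "/orders/42")).status)                       # 401
    print(gw.handle(Request("GET", "/orders/42", {"Authorization": "Bearer tok-valid"})).body)
```

The order of checks is the security-relevant part: nothing reaches an upstream service until the gateway has produced a principal and confirmed the required scope, expired tokens are treated exactly like missing ones, and the response cache is keyed by principal and device so that caching cannot leak one client's data to another.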