How MuleSoft API Security Can Stay Ahead of API Proliferation
Thanks to the adoption of microservices architecture, the productization of APIs, and the rise of the citizen integrator, companies are seeing the benefits of adopting an API-led strategy with MuleSoft.
Even with the golden days of code reuse and data democratization on the horizon, there's a dark cloud that comes along with expanded API use. Without proper API security, your applications create new ways for bad actors to access your systems and your data.
That may sound overly dramatic. In truth, the point can't be stressed enough. With more than 24,000 public APIs available, and many thousands more private ones, improving API security should be at the top of everyone's 2022 resolutions. Gartner predicts that in 2022, APIs will become the most frequent attack vector. Some of the most visible casualties of API-related breaches have included Experian, Geico, Facebook, Peloton, and Equifax - a breach that exposed more than 147 million accounts.
It can be tempting to adopt a single API security solution in the rush to close the gap. However, this can offer a false sense of security. Instead, it's critical that organizations implement a layered security solution.
Recommendations for MuleSoft API Security
There are several elements to consider when securing your applications, including:
- Network
- API
- Credentials
- Data at rest
Each of these has its own complexities and purpose, and each should be analyzed and addressed on its own terms. Each should also be treated as one part of a larger security strategy rather than a box to tick.
API security is an important pillar of overall application and system protection, and it is itself made of several parts. Organizations shouldn't treat API security as a single control that is either present or absent. Industry best practice is layered security for your APIs.
Why? Those of you familiar with American football know what an all-out blitz is - the team on defense commits everyone to pressuring the quarterback for one play. The goal is to force the quarterback to throw before the play has developed and before the receivers are in position. If the play is a run rather than a pass, the defense wants to disrupt the handoff from quarterback to running back, force an error, or tackle the ball carrier for a loss of yards.
It can be an effective defensive play, but it's dangerous. If the quarterback manages to make a good throw to a downfield receiver, or a running back slips past the oncoming defenders, the blitz has committed everyone to one spot and there is nobody left behind it. The offense has the run of the field and can easily achieve a substantial gain or a touchdown unchallenged.
That's what a single layer of API security is like. You might stop many attacks, but it only takes one getting through that single layer of defense to potentially cause havoc to your enterprise.
A multi-layer approach, of course, has advantages as well as disadvantages.
Advantages: Each layer backs up the others, so a flaw or gap in one layer is covered by the next rather than exposing the whole system.
Disadvantages: Depending on the components used, a multi-layer approach can add latency to API calls and can be costly. There are few or no open-source solutions available for some of the recommended security layers.
However, securing your APIs is critical, and in truth, every technology solution has its pluses and minuses. It's key to understand each recommended layer's strengths and weaknesses and how they mesh to create an API security plan.
3 Layers of API Security
The most common recommendation is for a 3-layered approach. These layers include an API Gateway, Web Application Firewall (WAF) or Runtime Application Self Protection (RASP), and a Machine Learning (ML)-based security server.
API Gateway: An API Gateway protects against brute force and other simple attacks. An API Gateway allows for very granular policy management, all the way to the resource layer, but can be difficult to use for global protection measures.
MuleSoft's API Manager includes policies that are applied to APIs to implement API security. Examples of these policies are OAuth 2.0 Token Enforcement, Rate Limiting, Client ID Enforcement, IP Allow and Block lists, and JSON and XML threat protection. A full list of the MuleSoft default policies can be found here: https://docs.mulesoft.com/api-manager/2.x/policies-ootb-landing-page.
WAF/RASP: A Web Application Firewall or Runtime Application Self-Protection solution protects against some OWASP "Top 10" attacks. A WAF/RASP covers a more global security overview and protection against threats like SQL injections, Denial of Service, and Cross-Site Scripting (XSS) attacks. If you have a publicly consumed API, you should be using a WAF or RASP as part of your layered security solution.
ML-based security server: This can be used to implement “Zero Trust” security, providing protection by modeling and evaluating API behavior. ML-based API security protects against stolen credentials and tokens, insider threats, and misuse by callers who are validly authenticated but behaving abnormally. Requests and responses are fed into the engine so that the model can learn what normal access and use look like for each client and reject activity that deviates from that baseline.
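The following is an added example, not MuleSoft, Ping Identity or Big Compass code, showing why the gateway and the behavioral layer catch different things. The first layer is a stand-in for three of the API Manager policies named above (Client ID Enforcement, Rate Limiting, JSON threat protection); the second is a deliberately simple novelty counter that plays the role of the ML security server by learning, per client, which source IPs and resources are normal. The client IDs, secrets, IP addresses and traffic are all constructed sample data, and the policy names, thresholds and class names are this example's own assumptions.

```python
"""Layered API request screening: gateway policies, then a behavioral baseline.

Added example, not MuleSoft or any vendor's code. The 'ML' layer is a simple
novelty counter standing in for a real behavior model. All credentials, IPs
and traffic below are constructed sample data.
"""
import json
from collections import Counter, defaultdict

# --- Layer 1: gateway policies (stand-ins for API Manager policies) ---
KNOWN_CLIENTS = {"client-a": "secret-a"}   # constructed client id -> secret
RATE_LIMIT = 5                             # requests per 60 s window per client
MAX_JSON_DEPTH = 4                         # JSON threat protection: nesting cap


def json_depth(obj, depth=1):
    """Nesting depth of a parsed JSON value; a scalar at top level is depth 1."""
    if isinstance(obj, dict):
        return max((json_depth(v, depth + 1) for v in obj.values()), default=depth)
    if isinstance(obj, list):
        return max((json_depth(v, depth + 1) for v in obj), default=depth)
    return depth


class Gateway:
    def __init__(self):
        self.window_counts = Counter()   # (client_id, window) -> request count

    def check(self, req):
        """Return None if every policy passes, else the name of the policy that rejected."""
        # Client ID Enforcement: id and secret must match a registered client.
        if KNOWN_CLIENTS.get(req["client_id"]) != req["client_secret"]:
            return "client-id-enforcement"
        # Rate Limiting: fixed 60 s window keyed by client.
        key = (req["client_id"], req["ts"] // 60)
        self.window_counts[key] += 1
        if self.window_counts[key] > RATE_LIMIT:
            return "rate-limiting"
        # JSON threat protection: reject malformed or deeply nested bodies up front.
        if req.get("body"):
            try:
                if json_depth(json.loads(req["body"])) > MAX_JSON_DEPTH:
                    return "json-threat-protection"
            except json.JSONDecodeError:
                return "json-threat-protection"
        return None


# --- Layer 2: behavioral baseline (simplified stand-in for an ML security server) ---
class BehaviorBaseline:
    def __init__(self, min_samples=20):
        self.min_samples = min_samples         # learn-only period before enforcing
        self.ips = defaultdict(Counter)        # client_id -> source IP frequencies
        self.resources = defaultdict(Counter)  # client_id -> resource frequencies
        self.total = Counter()                 # client_id -> learned request count

    def novelty(self, req):
        """How many of (source IP, resource) this client has never used before: 0..2."""
        cid = req["client_id"]
        return int(self.ips[cid][req["ip"]] == 0) + int(self.resources[cid][req["resource"]] == 0)

    def check(self, req):
        """Reject when both IP and resource are new for a client with an established baseline."""
        cid = req["client_id"]
        if self.total[cid] >= self.min_samples and self.novelty(req) >= 2:
            return "behavior-anomaly"          # do not learn from a rejected request
        self.ips[cid][req["ip"]] += 1
        self.resources[cid][req["resource"]] += 1
        self.total[cid] += 1
        return None


def screen(req, gateway, baseline):
    """Run the layers in order; the first layer to reject decides the verdict."""
    for layer in (gateway.check, baseline.check):
        verdict = layer(req)
        if verdict:
            return verdict
    return "allowed"


def demo():
    """Constructed scenarios; returns {scenario: verdict} so each layer's catch is visible."""
    gateway, baseline = Gateway(), BehaviorBaseline()
    base = {"client_id": "client-a", "client_secret": "secret-a",
            "ip": "10.0.0.7", "resource": "/orders", "body": ""}
    # Learning period: client-a reads /orders from its server once a minute.
    for i in range(30):
        screen({**base, "ts": i * 60}, gateway, baseline)
    out = {}
    out["bad_secret"] = screen({**base, "client_secret": "guess", "ts": 60 * 60}, gateway, baseline)
    for _ in range(RATE_LIMIT + 1):         # six calls inside one window
        out["burst"] = screen({**base, "ts": 61 * 60}, gateway, baseline)
    deep = '{"a":{"b":{"c":{"d":{"e":1}}}}}'  # depth 6, exceeds MAX_JSON_DEPTH
    out["nested_json"] = screen({**base, "body": deep, "ts": 62 * 60}, gateway, baseline)
    # Stolen credentials: valid id/secret, but a new IP and a resource the client never used.
    out["stolen_token"] = screen({**base, "ip": "203.0.113.9", "resource": "/admin/export",
                                  "ts": 63 * 60}, gateway, baseline)
    out["normal"] = screen({**base, "ts": 64 * 60}, gateway, baseline)
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:13s} -> {verdict}")
```

The "stolen_token" case is the one that matters for the argument: the gateway sees a valid client ID and secret, a request well under the rate limit and a harmless body, so it lets the call through, and only the behavioral layer notices that this client has never called that resource from that address. Two caveats a real deployment must handle: the baseline is useless until it has enough history (the `min_samples` learn-only period, during which nothing is rejected), and it must never learn from requests it rejected, or an attacker can slowly teach it that the abuse is normal.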
One last thing to note - none of these layers will prevent exploitation of vulnerabilities introduced by bad coding practices. An API that hands back another customer's record simply because the caller supplies that customer's ID looks like a perfectly normal, authenticated, well-formed request to all three layers. While outside the scope of this post, multi-layer API security does not replace good code security practices.
Comparing Security for MuleSoft's CloudHub and Runtime Fabric
Theoretical strategies and best practices are great, but the actual application of these strategies is dependent on your MuleSoft environment.
CloudHub
For CloudHub customers, API Manager can provide your gateway, but you'll need to look elsewhere to cover some of the other layers.
API Gateway: API Manager
WAF/RASP: A software firewall solution isn't part of CloudHub. You'll need to investigate 3rd party options that can work with your implementation.
ML-based Security: Also not part of CloudHub. Solutions such as Ping Identity can act as your ML security solution. As we've done for other customers, integrating Ping Identity or another ML-based security solution can be implemented via a custom policy applied to API Manager.
Runtime Fabric
Like CloudHub, MuleSoft's Runtime Fabric provides an API Gateway solution with API Manager. However, Runtime Fabric customers have other considerations for WAF/RASP.
API Gateway: API Manager
WAF/RASP: MuleSoft's Anypoint Security
ML-based Security: As with CloudHub, there is no ML-based security included with Runtime Fabric, but solutions such as Ping Identity can act as your ML security solution. As we've done for other customers, integrating Ping Identity or another ML-based security solution can be implemented via a custom policy applied to API Manager.
Conclusion
If you have an API strategy (whether you're using MuleSoft or not), you must have an API security strategy. Without one, you risk severe and even highly publicized breaches. And without a layered API security approach, it’s only a matter of time before a hacker "quarterback" breaks through a single line of defense by exploiting a weakness or gap. Combining the appropriate layers of security, and using what works and is maintainable alongside CloudHub and Runtime Fabric, is what keeps your organization from becoming a touchdown for bad actors.
With security being a fundamental part of API strategy, Big Compass has worked with numerous clients to create API security strategies that balance protection, cost, and performance. We'd love to help you create a more secure API environment that works with your MuleSoft implementation, whatever that may be. Contact us to get the conversation started.