Digital transformation is affecting more and more industries and accelerating the evolution of web technologies. Former showcase projects become legacy systems within just a few years. This development affects IT security solutions too. The trend clearly points towards a convergence of application security, API protection and access management.

Web application firewalls must adapt responsively

Only ten years ago, we had to painstakingly convince our customers of the concept of a Web Application Firewall (WAF), and explain how these differ from conventional network firewalls. Today, the WAF market is global, worth billions of dollars and highly competitive. But there are already signs that the classic WAF is reaching its limits. The traditional HTML web applications, for which WAFs are designed, are increasingly being replaced by modern single-page applications (SPAs). An SPA consists of a JavaScript application that runs in the browser and simultaneously accesses several APIs in the back end. These APIs are mostly REST-based and use JSON as the transport format. Protecting these APIs requires new technologies, because the basic interaction paradigm between client and server has changed.

By 2021, 65% of new applications will be built as a mesh of multichannel apps and multigrained back-end services that communicate via APIs.

[1] Critical Capabilities for Full Life Cycle API Management, Gartner, 2018

API security is also web security

Traditional API gateways are, however, only partially suitable for securing this new type of web application. Such gateways are mostly designed for SOAP web services, which are used primarily in machine-to-machine communication, require enterprise service buses and are trapped in the straitjacket of highly complex standards. This does not fit with the brave new world of REST, which is characterised by agility and lightness.

Far more relevant, however, is the fact that modern APIs are used by very different clients: traditional web applications, browser-based SPAs, native and hybrid smartphone apps, "things" or even other APIs. Since an internal API can also be addressed by web clients, the API gateway suddenly faces requirements similar to those of a WAF. Web security issues such as cross-site scripting or injection attacks thus become relevant on all channels. Unfortunately, many API gateways have never heard of the OWASP Top 10 or content filtering.

APIs need access management

Of course, content filtering is very important for protecting APIs. However, the most important reason for using API gateways is access control [1]. Access to APIs must be secured using standards such as OAuth 2.0, OpenID Connect and SAML. This includes not only the technical authorisation of "clients", for example an app, but also user authentication in particular. This, in turn, requires integration with Web Single Sign-on and Identity and Access Management (IAM).

IAM and the customers

The identities discussed here are very heterogeneous and include a variety of "external" identities, such as those of customers or partners. Unlike workforce IAM systems, so-called customer IAM (cIAM) systems are better designed to manage such external users. cIAM systems provide easy scalability with large user numbers, and a seamless user experience through optimised and integrated onboarding and self-service UIs. The handling of social identities (BYOI) and high levels of flexibility in the authentication process (adaptive authentication) are crucial here.

Airlock SAH - More than the sum of its parts

So where does all this lead? WAFs need to protect APIs, API gateways need to learn web security, APIs need access control, and the users encountered are difficult to manage using conventional enterprise IAM systems. In addition, we all know the disadvantages of point solutions, which do not look beyond their own horizons and leave a great many gaps open at the transition points.

The Airlock Secure Access Hub integrates these requirements into a coordinated and coherent solution consisting of a WAF, an API gateway, and a customer IAM system. Many security experts are now convinced that this is the right and future-oriented architecture for sustainable IT security.


Inflexible organisational structures – an unexpected obstacle

However, another (at first glance rather unexpected) problem is less technical than organisational. How do you buy a secure access hub within which diverse technologies converge as a whole? Nowadays, the responsibility for these topics usually lies in different departments, such as IT infrastructure, network operations, the CISO, user administration or even marketing. The benefits of an integrated approach, such as lower total cost of ownership and faster time to market, are in turn felt by the business, which is not usually involved in IT security procurement.

However, we actually already knew that: digitisation not only changes technologies, but also encompasses business processes and dismantles inflexible organisational structures. Greater flexibility, collaboration and agility are needed. Ultimately, therefore, the ball is in your court. Is your company ready for the integrated IT security of the future?
