Digital transformation is affecting more and more industries and accelerating the evolution of web technologies. Former showcase projects become legacy systems within just a few years. This development affects IT security solutions too. The trend clearly points towards a convergence of application security, API protection and access management.
Web application firewalls must adapt responsively
Only ten years ago, we had to painstakingly convince our customers of the concept of a Web Application Firewall (WAF) and explain how it differs from a conventional network firewall. Today, the WAF market is global, worth billions of dollars and highly competitive. But there are already signs that WAFs are about to be superseded. The traditional HTML web applications for which WAFs were designed are increasingly being replaced by modern single-page applications (SPAs). An SPA consists of a JavaScript application that runs in the browser and simultaneously accesses several APIs in the back end. These APIs are mostly REST-based and use JSON as the transport format. Protecting them requires new technologies, because the basic interaction paradigm between client and server has changed.
By 2021, 65% of new applications will be built as a mesh of multichannel apps and multigrained back-end services that communicate via APIs.
[1] Critical Capabilities for Full Life Cycle API Management, Gartner, 2018
API security is also web security
Traditional API gateways are, however, only partially suitable for securing the new type of web applications. These are mostly designed for SOAP web services, which are used primarily in machine-to-machine communication, require enterprise service buses and are trapped in the straitjacket of highly complex standards. This does not fit with the brave new world of REST, which is characterised by agility and lightness.
Far more relevant, however, is the fact that modern APIs are used by very different clients: traditional web applications, browser-based SPAs, native and hybrid smartphone apps, "things" or even other APIs. Since an internal API can also be addressed by web clients, the API gateway suddenly faces requirements similar to those of a WAF. IT security issues such as cross-site scripting or injection attacks thus become relevant on all channels. Unfortunately, many API gateways have never heard of the OWASP Top 10 or content filtering.
APIs need access management
Of course, content filtering is very important for protecting APIs. However, the most important reason for using API gateways is access control [1]. Access to APIs must be secured using standards such as OAuth 2.0, OpenID Connect and SAML. This includes not only the technical authorisation of "clients", for example an app, but also user authentication in particular. This, in turn, requires integration with Web Single Sign-on and Identity and Access Management (IAM).
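The two checks the preceding paragraphs call for, content filtering on the JSON payload (the WAF part) and access control on the caller (the API gateway part), can be combined in front of a single REST endpoint. The following Python sketch is an added example and is not Airlock code, nor a description of how the Secure Access Hub is built. It assumes a hypothetical `POST /api/orders` endpoint, an HS256-signed bearer token whose signing key is constructed inline (a real gateway would obtain keys from the identity provider, e.g. via OpenID Connect discovery), and a small, constructed set of schema rules and injection signatures.

```python
"""Added example (not Airlock code): a minimal gateway decision that combines
access control (bearer token + scope) with content filtering (JSON schema +
injection signatures) in front of a hypothetical POST /api/orders endpoint."""
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed demo key; a real gateway fetches keys from the identity provider.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue a compact HS256 JWT so the example is self-contained (stands in for the IdP)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, required_scope: str, now=None, key: bytes = DEMO_KEY):
    """Return the claims if signature, expiry and scope all check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims


# Constructed schema for the hypothetical endpoint: field -> (type, max length or None).
ORDER_SCHEMA = {"item": (str, 64), "quantity": (int, None), "note": (str, 200)}

# Constructed, deliberately small set of WAF-style signatures for JSON string values.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script", re.I),                              # script injection / XSS
    re.compile(r"(?:'|\")\s*(?:or|and)\s+[\w'\"]+\s*=", re.I),    # SQL tautology fragment
    re.compile(r";\s*(?:drop|delete|update)\s", re.I),           # stacked SQL statement
]


def filter_json(body: bytes, schema: dict):
    """Return (True, 'ok') or (False, reason): enforce the schema, then scan strings."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed json"
    if not isinstance(data, dict):
        return False, "body must be a JSON object"
    for key in data:
        if key not in schema:
            return False, f"unexpected field {key!r}"
    for key, (typ, max_len) in schema.items():
        if key not in data:
            return False, f"missing field {key!r}"
        value = data[key]
        # bool is a subclass of int in Python, so exclude it explicitly for int fields
        if (typ is int and isinstance(value, bool)) or not isinstance(value, typ):
            return False, f"field {key!r} has wrong type"
        if max_len is not None and len(value) > max_len:
            return False, f"field {key!r} too long"
        if isinstance(value, str):
            for pat in INJECTION_PATTERNS:
                if pat.search(value):
                    return False, f"field {key!r} matched {pat.pattern!r}"
    return True, "ok"


def gateway(request: dict, now=None):
    """Gateway decision for POST /api/orders: (http_status, reason). Auth first, then content."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], required_scope="orders:write", now=now)
    if claims is None:
        return 401, "invalid token"
    ok, reason = filter_json(request.get("body", b""), ORDER_SCHEMA)
    if not ok:
        return 400, reason
    return 200, f"forwarded for subject {claims.get('sub')}"


if __name__ == "__main__":
    # Constructed requests: one clean, one with an injection attempt in a JSON string.
    tok = issue_token({"sub": "alice", "scope": "orders:write", "exp": 2_000_000_000})
    clean = {"headers": {"Authorization": "Bearer " + tok},
             "body": b'{"item": "widget", "quantity": 2, "note": "leave at door"}'}
    tainted = {"headers": {"Authorization": "Bearer " + tok},
               "body": b'{"item": "<script src=x>", "quantity": 1, "note": ""}'}
    print(gateway(clean, now=1_700_000_000))
    print(gateway(tainted, now=1_700_000_000))
```

The order matters: the token is checked before the body is parsed, so unauthenticated callers never reach the content filter, and the filter rejects unknown fields and wrong types before it ever looks for signatures, which keeps the signature list from being the only line of defence.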
IAM and the customers
The identities discussed here are very heterogeneous and include a variety of "external" identities, such as those of customers or partners. Customer IAM (cIAM) systems, unlike workforce IAM systems, are designed to manage such external users: they scale easily to large numbers of users and provide a seamless user experience through optimised, integrated onboarding and self-service UIs. The handling of social identities (bring your own identity, BYOI) and a high degree of flexibility in the authentication process (adaptive authentication) are crucial here.
Airlock SAH - More than the sum of its parts
So where does all this lead? WAFs need to protect APIs, API gateways need to learn web security, APIs need access control, and the users encountered are difficult to manage with conventional enterprise IAM systems. In addition, we all know the disadvantages of "spot solutions", which do not look beyond their own horizons and leave a great many gaps at the transition points.
The Airlock Secure Access Hub integrates these requirements into a coordinated and coherent solution consisting of a WAF, an API gateway, and a customer IAM system. Many security experts are now convinced that this is the right and future-oriented architecture for sustainable IT security.
Inflexible organisational structures – an unexpected obstacle
However, another (at first glance rather unexpected) problem is less technical than organisational. How do you buy a secure access hub within which diverse technologies converge as a whole? Today, responsibility for these topics usually lies in different departments, such as IT infrastructure, network operations, the CISO, user administration or even marketing. The benefits of an integrated approach, such as lower total cost of ownership and faster time to market, are in turn felt by the business, which is not usually involved in IT security procurement.
But we already knew that: digitisation not only changes technologies, it also reshapes business processes and dismantles inflexible organisational structures. Greater flexibility, collaboration and agility are needed. Ultimately, therefore, the ball is in your court. Is your company ready for the integrated IT security of the future?