API Security in the Cloud

API security can be defined as the ability of your infrastructure to withstand threats and attacks directed toward your API endpoints. This includes the typical REST API but also GraphQL, MQTT, SOAP, and other API models.

The cloud is an increasingly popular choice for hosting API servers. The most popular CSPs (Cloud Service Providers) are Amazon Web Services, Microsoft Azure, and Google Cloud, with a combined global market share of some 64% of the cloud service market.

All three of the top-tier CSPs offer services for API security. In this article, we’ll examine their individual capabilities, strengths, and weaknesses. We’ll conclude with a discussion of how to mitigate the weaknesses that they all share.

Why API Security Is Important

Robust API security is critical to ensuring data security. Your users’ data must be protected from theft, corruption, unauthorized alteration, and other malicious operations.

Organizations also need strong API security to ensure a properly running service and positive user experience for their apps, websites, or other products. Intellectual property protection, breach prevention, and ransomware and malware protection are other important factors.

What Are the Most Common Vulnerabilities?

There are many vulnerabilities that a proper API security tool will help prevent. Some of the most common include: 

  • Code and query injection (SQL, NoSQL, command injection, etc.)
  • DDoS attack
  • Unauthorized access via broken/bad user authentication
  • Security misconfiguration

Why Conventional Techniques Don’t Apply

Conventional security solutions for sites and web applications often verify the user’s browser environment, or interact with users directly, in order to filter out bots and unwanted traffic. Examples of this include CAPTCHA tests, which ask the user to input a series of characters or to identify an object from a series of images. 

These techniques cannot be applied to backend APIs. So to address this issue, all three major cloud service providers have developed services to increase the security of your APIs.

Essentially, these services provide a WAF for API endpoints instead of web applications. However, as we will see, there are some additional features for the specialized requirements of API traffic.

API Security Solution: AWS

Per most metrics, AWS is the largest cloud provider and hosts many of the websites you may visit every day, including Netflix and Reddit. 

Services and Tools Offered

AWS offers tools for API security under AWS API Gateway:

  • AWS WAF: a web application firewall that helps protect web applications and APIs, configured with a set of rules.
  • AWS throttling: a rate-limiting tool that sets quotas and throttling for your API to protect it from being overwhelmed.

Plus, there’s AWS Shield, which provides DDoS protection.

API Security Capabilities

AWS WAF can protect you against common attacks such as SQL injection and cross-site scripting (XSS).

It also allows you to block specific HTTP request patterns. For instance, you can set rules depending on the HTTP header parameters (e.g., user-agent), method (e.g., POST), the query string, and even the request body. Such rules will look for a specific string or a regular expression in the selected HTTP request and block the request if required.

AWS WAF can block specific IP addresses, a range of addresses, or requests from a particular region. It additionally safeguards you against bots and content scrapers.
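As an added illustration of the kind of rule matching described above (example code written for this article, not AWS WAF's implementation or its rule syntax), the following Python evaluates a small policy against constructed requests: an IP blocklist expressed as CIDR ranges, a country blocklist keyed on a GeoIP result that is assumed to be supplied upstream, and string or regular-expression rules over the method, query string, body and a named header. The rule patterns, the blocked network and the sample requests are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str
    query: str
    headers: dict          # header names assumed already lowercased by the front end
    body: str
    src_ip: str
    country: str           # assumed: ISO country code from an upstream GeoIP lookup


@dataclass
class Rule:
    name: str
    part: str              # "method", "path", "query", "body" or "header:<name>"
    pattern: str
    regex: bool = False    # False: case-insensitive substring match
    action: str = "BLOCK"


def inspect(req: Request, part: str) -> str:
    """Return the request component a rule inspects."""
    if part == "method":
        return req.method
    if part == "path":
        return req.path
    if part == "query":
        return req.query
    if part == "body":
        return req.body
    if part.startswith("header:"):
        return req.headers.get(part.split(":", 1)[1].lower(), "")
    raise ValueError(f"unknown request part {part!r}")


def rule_matches(rule: Rule, req: Request) -> bool:
    value = inspect(req, rule.part)
    if rule.regex:
        return re.search(rule.pattern, value, re.IGNORECASE) is not None
    return rule.pattern.lower() in value.lower()


# Constructed policy: a blocklisted documentation range (TEST-NET-3), a
# placeholder country code and a few signature-style rules of the kind the
# text describes. None of this is a vendor's managed rule set.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_COUNTRIES = {"ZZ"}   # "ZZ" is a user-assigned code, used here as a placeholder
RULES = [
    Rule("sqli-union-select", "query", r"\bunion\b.*\bselect\b", regex=True),
    Rule("xss-script-tag", "body", r"<\s*script\b", regex=True),
    Rule("scanner-user-agent", "header:user-agent", "sqlmap"),
    Rule("method-not-allowed", "method", r"^(TRACE|TRACK)$", regex=True),
]


def evaluate(req: Request) -> tuple:
    """Network and geo checks run first, then rules in order; first match wins."""
    ip = ipaddress.ip_address(req.src_ip)
    if any(ip in net for net in BLOCKED_NETWORKS):
        return ("BLOCK", "ip-blocklist")
    if req.country in BLOCKED_COUNTRIES:
        return ("BLOCK", "geo-blocklist")
    for rule in RULES:
        if rule_matches(rule, req):
            return (rule.action, rule.name)
    return ("ALLOW", None)


# Constructed sample traffic (documentation IP ranges, invented paths).
SAMPLES = [
    Request("GET", "/api/items", "id=42", {"user-agent": "curl/8.0"}, "", "198.51.100.7", "US"),
    Request("GET", "/api/items", "id=1 UNION SELECT 1,2,3", {"user-agent": "curl/8.0"}, "", "198.51.100.7", "US"),
    Request("POST", "/api/comments", "", {"user-agent": "Mozilla/5.0"}, "<script>alert(1)</script>", "198.51.100.7", "US"),
    Request("GET", "/api/items", "id=42", {"user-agent": "curl/8.0"}, "", "203.0.113.9", "US"),
    Request("GET", "/api/items", "id=42", {"user-agent": "curl/8.0"}, "", "198.51.100.8", "ZZ"),
]


def run_samples() -> list:
    return [evaluate(r) for r in SAMPLES]


if __name__ == "__main__":
    for req, decision in zip(SAMPLES, run_samples()):
        print(req.method, req.path, req.src_ip, "->", decision)
```

The order of evaluation matters operationally: cheap allow/deny decisions on source address and geography run before any regular expression touches the body, which is also how you keep a WAF from spending CPU on traffic you have already decided to drop.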

With API Gateway throttling, you can limit how many requests from a given client are served. This is configurable depending on your use case: an overall limit, a per-account limit, a per-API limit, and a per-client limit. All of the limits are set per region.

Finally, as mentioned above, AWS Shield provides a detection and protection service for DDoS attacks.

Approach to Solving API Security

AWS’ overall approach is to set rules and limits on requests. This is done mainly through the web application firewall and the throttling in AWS API Gateway. 

Policies Management

AWS works with AWS WAF policies and AWS Shield Advanced policies, which both let you specify rule groups across your resources.

Pros & Cons

Pros:

  • Protects against mainstream attacks
  • Easy to set up
  • Uses a fairly straightforward rules system

Cons:

  • No dynamic adaptation
  • Limited customization

Pricing Structure

At the time of this writing, the price structure for AWS WAF is based on three factors:

  • Number of web access control lists (ACLs), $5.00 each per month
  • Number of rules per ACL, $1.00 per month
  • Number of requests, $0.60 per 1 million requests

AWS Shield is free for the Standard tier and $3,000 per month for Advanced (plus data transfer fees).

API Security Solution: Azure

Microsoft Azure is a popular choice among corporate clients and large enterprises.

Services and Tools Offered

Many of Azure’s offerings for API security are under the platform-as-a-service Application Gateway, including the most important tool: Azure WAF.

Other features to protect your API fall under API Management, which can be described as a single location to manage all of your APIs. 

API Security Capabilities

Application Gateway offers a WAF to protect your API. It protects against some common threats such as SQL injection, command injection, and XSS attacks.

It also provides bot and web crawler detection, as well as detection of HTTP protocol violations and anomalies. The latter can take many forms, for example HTTP request smuggling or HTTP response splitting.
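To make the protocol-violation category concrete, here is an added example (written for this article, not Azure WAF's code) of two defensive checks run over constructed HTTP/1.1 request heads: flagging the Content-Length / Transfer-Encoding ambiguities that request smuggling depends on, and refusing bare CR or LF characters in header values, which is how response splitting is prevented when client-supplied data is copied into a response header. The sample request heads are constructed, not captured traffic.

```python
def parse_head(raw: bytes):
    """Split a raw request into (request line, [(name, value)], body).

    Header names are lowercased. Values keep any stray CR/LF on purpose,
    so the checks below can see them.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip(b" \t").decode("latin-1")))
    return request_line, headers, body


def smuggling_indicators(raw: bytes) -> list:
    """Return findings that make the request's framing ambiguous between
    two parsers; an empty list means the message length is unambiguous."""
    findings = []
    _, headers, _ = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        findings.append("content-length and transfer-encoding both present")
    if len(set(cl)) > 1:
        findings.append("conflicting content-length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric content-length")
    for n, v in headers:
        if "\r" in v or "\n" in v:
            findings.append(f"bare CR/LF inside header {n}")
    return findings


def is_safe_header_value(value: str) -> bool:
    """Apply before placing client-controlled data (e.g. a redirect target)
    into a response header; CR/LF would let the client inject headers."""
    return "\r" not in value and "\n" not in value


# Constructed request heads (invented host, documentation-style paths).
SAMPLES = {
    "clean": b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
             b"Content-Length: 2\r\n\r\n{}",
    "cl-and-te": b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
                 b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup-cl": b"POST /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
              b"Content-Length: 4\r\nContent-Length: 6\r\n\r\n",
    "bare-lf": b"GET /api/items HTTP/1.1\r\nHost: api.example.test\r\n"
               b"X-Trace: abc\ndef\r\n\r\n",
}


def run_samples() -> dict:
    return {name: smuggling_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "ok")
```

In production the right response to any of these findings is to reject the request with 400 rather than to "normalise" it, because the whole problem is that two components may normalise differently.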

The Azure Web Application Firewall (WAF) also offers DDoS protection, and it handles routing so that you can control whether your API is exposed to the public internet depending on the type of consumer.

With API Management, you can also set restrictions to limit the number of API calls, restrict caller IPs, set quotas per user, enforce values in HTTP headers, and so on.
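The rate limits and per-user quotas that both API Gateway throttling (in the AWS section above) and API Management enforce can be modelled as token buckets layered by scope. The following is an added example written for this article, not the code of either service: the overall, per-API and per-client limits are each a token bucket, and the per-client daily quota is a counter keyed on the UTC day. The limit values and the request timeline are constructed.

```python
from collections import defaultdict


class TokenBucket:
    """Refills at `rate` tokens per second up to `burst`; one token per request."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now


class Throttler:
    def __init__(self, limits: dict, daily_quota: int):
        # limits: scope -> (rate per second, burst) for "overall", "per_api", "per_client"
        self.limits = limits
        self.daily_quota = daily_quota
        self.buckets = {}
        self.quota_used = defaultdict(int)   # (client, utc_day) -> requests served

    def _bucket(self, scope: str, key: str, now: float) -> TokenBucket:
        b = self.buckets.get((scope, key))
        if b is None:
            rate, burst = self.limits[scope]
            b = self.buckets[(scope, key)] = TokenBucket(rate, burst, now)
        return b

    def check(self, client: str, api: str, now: float) -> str:
        """Return "OK", "THROTTLED:<scope>" or "QUOTA_EXCEEDED".

        Every scope is checked before any token is consumed, so a request
        rejected by one scope does not eat into the budget of the others.
        """
        day = int(now // 86400)
        if self.quota_used[(client, day)] >= self.daily_quota:
            return "QUOTA_EXCEEDED"
        keyed = (("overall", "*"), ("per_api", api), ("per_client", client))
        buckets = [(scope, self._bucket(scope, key, now)) for scope, key in keyed]
        for _, b in buckets:
            b.refill(now)
        for scope, b in buckets:
            if b.tokens < 1.0:
                return f"THROTTLED:{scope}"
        for _, b in buckets:
            b.tokens -= 1.0
        self.quota_used[(client, day)] += 1
        return "OK"


def simulate() -> list:
    """Constructed timeline: client c1 bursts past its per-client limit,
    recovers as tokens refill, then exhausts a small daily quota; c2 is
    unaffected because buckets and quotas are keyed per client."""
    t = Throttler(
        {"overall": (1000.0, 1000), "per_api": (100.0, 100), "per_client": (1.0, 3)},
        daily_quota=5,
    )
    timeline = [("c1", "orders", 1000.0)] * 4 + [
        ("c1", "orders", 1001.0),
        ("c1", "orders", 1002.0),
        ("c1", "orders", 1003.0),
        ("c2", "orders", 1003.0),
    ]
    return [t.check(c, a, n) for c, a, n in timeline]


if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

Two details carry over to real deployments: the quota counts only requests that were actually served (a throttled request should not burn quota), and the decision string names the scope that rejected the request, which is what you want surfaced in logs and in a `Retry-After` style response so the client can tell its own burst apart from a platform-wide limit.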

Approach to Solving API Security

Similar to AWS, Azure’s approach focuses on setting rules and limits on usage and filtering user requests. This is done primarily through the web application firewall and the throttling in API Management. 

Policies Management

For Azure Web Application Firewall (WAF), Azure offers a policy management system that lets you define policy globally, per site, and per URI. 

For Azure API Management, Azure offers policy configuration to set limits on your API call rate, restrict IPs, check HTTP headers, etc.

Pros & Cons

Pros:

  • Easy to set up
  • Protects against mainstream attacks

Cons:

  • No dynamic adaptation
  • Limited customization

Pricing Structure

Application Gateway bills per hour of usage, with the WAF priced at $0.443 per hour of usage.

API Management’s pricing structure is per million calls and depends on the type of plan. Further details and a pricing calculator are available on Microsoft’s Azure pricing pages.

API Security Solution: GCP

Google Cloud Platform, known as GCP, is currently the third-largest player in the cloud space.

Services and Tools Offered

The first service offered by GCP to protect your API is Cloud Armor, which is essentially a GCP WAF.

GCP additionally offers API Gateway and Apigee API Management to manage cloud APIs; the latter includes security tooling for API security.

API Security Capabilities

To protect an API, Cloud Armor offers the following features:

  • DDoS protection
  • WAF to protect against SQL injection, cross-site scripting, remote code execution, and more
  • Rate limiting
  • IP-based and geo-based control

Apigee is involved in controlling access to the API; it provides OAuth 2.0 authentication and API key management. Note that Cloud Armor also offers bot management, but this relies upon Google’s reCAPTCHA service, which as noted above is not applicable to API traffic.

Approach to Solving API Security

Similar to AWS and Azure, GCP’s approach focuses on setting rules and limits on usage and filtering user requests. 

Policies Management

Apigee offers role-based access control (RBAC) to manage your cloud API-related permissions.

Pros & Cons

Pros:

  • Comes with some pre-configured WAF rules
  • Protects against mainstream attacks
  • Adaptive protection

Cons:

  • Non-intuitive documentation

Pricing Structure

For the Standard tier, Cloud Armor is priced at $0.75 per million WAF requests. Other fees include $5 per policy and $1 per rule, both per month. The Plus tier includes unlimited WAF requests but costs about $3,000 for up to 100 protected resources.

GCP’s Apigee is priced depending on the selected plan—Evaluation, Standard, Enterprise, or Enterprise Plus. 

API Tools from the ‘Big Three’: How to Mitigate Their Common Weaknesses

Many companies, from startups to large enterprises, host their services on one of the Big 3 cloud platforms: AWS, Azure, or GCP. All three offer in-house solutions for API security and are a good starting point to protect your API with features like WAF, DDoS attack protection, and API call throttling. 

Unfortunately, traditional solutions are simply not enough in today’s environment. As an organization’s API grows and changes, so does its attack surface. Hackers, meanwhile, are continuously coming up with ingenious ways to find new vulnerabilities and access your data. Even the big cloud providers are unable to handle more subtle forms of API abuse. 

To ensure full protection of your API, Reblaze offers robust API security. You can leverage features like dynamic and adaptive network traffic recognition, reverse-engineering prevention, a client-side SDK, and automated protection via API schema validation and enforcement. Plus, it offers a fully customizable API to control Reblaze’s settings. 
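Schema validation and enforcement is generic enough to show in code. The example below is added for this article and is not Reblaze's implementation or configuration format: it declares a hypothetical /v1/users API in a schema dictionary of its own, matches each request to a route, validates path parameters against a pattern, rejects undeclared query parameters, and enforces required fields, allowed fields and field types in a JSON body. Anything the schema does not describe is rejected, so a request carrying a field the client was never meant to set (a privilege attribute, say) never reaches the application.

```python
import json
import re

# Constructed schema for a hypothetical API. The format is this example's
# own; field types are Python classes and are matched exactly.
SCHEMA = {
    ("POST", "/v1/users"): {
        "query": set(),
        "body": {
            "required": {"email": str, "display_name": str},
            "optional": {"newsletter": bool},
        },
    },
    ("GET", "/v1/users/{id}"): {
        "path_params": {"id": r"^[0-9]{1,10}$"},
        "query": {"fields"},
        "body": None,                       # no body allowed on this route
    },
}


def template_to_regex(template: str) -> str:
    """Turn '/v1/users/{id}' into an anchored regex with a named group per parameter."""
    out = "^"
    for part in re.split(r"(\{\w+\})", template):
        out += f"(?P<{part[1:-1]}>[^/]+)" if part.startswith("{") else re.escape(part)
    return out + "$"


def match_route(method: str, path: str):
    for (m, template), spec in SCHEMA.items():
        if m != method:
            continue
        mo = re.match(template_to_regex(template), path)
        if mo:
            return spec, mo.groupdict()
    return None, {}


def validate(method: str, path: str, query: dict, raw_body: str) -> list:
    """Return a list of violations; an empty list means the request conforms.

    Positive security model: a route, parameter or field that the schema
    does not declare is a violation, not something to pass through.
    """
    spec, params = match_route(method, path)
    if spec is None:
        return [f"no schema for {method} {path}; rejected by default"]
    errors = []
    for name, pattern in spec.get("path_params", {}).items():
        if not re.match(pattern, params.get(name, "")):
            errors.append(f"path param {name} malformed")
    unexpected = set(query) - spec.get("query", set())
    if unexpected:
        errors.append(f"unexpected query params: {sorted(unexpected)}")
    body_spec = spec.get("body")
    if body_spec is None:
        if raw_body:
            errors.append("body not allowed on this route")
        return errors
    try:
        body = json.loads(raw_body)
    except ValueError:
        return errors + ["body is not valid JSON"]
    if not isinstance(body, dict):
        return errors + ["body must be a JSON object"]
    allowed = {**body_spec["required"], **body_spec["optional"]}
    for name in body_spec["required"]:
        if name not in body:
            errors.append(f"missing required field {name}")
    for name, value in body.items():
        if name not in allowed:
            errors.append(f"unexpected field {name}")
        elif type(value) is not allowed[name]:
            errors.append(f"field {name} has wrong type")
    return errors


if __name__ == "__main__":
    # Constructed requests against the hypothetical schema above.
    print(validate("POST", "/v1/users", {}, '{"email": "a@example.test", "display_name": "A"}'))
    print(validate("POST", "/v1/users", {}, '{"email": "a@example.test", "display_name": "A", "role": "admin"}'))
    print(validate("GET", "/v1/users/42abc", {}, ""))
```

Exact type matching (`type(value) is allowed[name]`) is deliberate: `bool` is a subclass of `int` in Python, so an `isinstance` check would let `true` through where a number is expected, which is precisely the kind of subtle mismatch between schema and implementation that an enforcement layer exists to catch.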

To see how Reblaze can protect your API endpoints, schedule a demo.
