API Connect

 View Only

How to set robust API security with IBM API Connect and Noname Integration

By Alessandra Iampieri posted 2 days ago

  

Introduction

The strong attention to API security can be attributed to several factors:

  • Increased Reliance on APIs: there has been a significant rise in the use of APIs across industries. As organizations increasingly rely on APIs to power their digital initiatives, the security of these interfaces becomes paramount.
  • Expansion of Digital Ecosystems: cloud services, mobile apps, IoT devices, and third-party integrations has expanded the attack surface for cyber threats. APIs serve to connect these disparate components, making them a prime target for malicious actors seeking to exploit vulnerabilities.
  • Data Privacy Concerns: With the growing emphasis on data privacy and regulatory compliance (such as GDPR, CCPA, and others), organizations are under pressure to safeguard sensitive data exchanged through APIs. Any security breach or data leak involving APIs can have severe legal, financial, and reputational consequences for businesses.
  • Sophisticated Cyber Threats: Cyber criminals are continuously evolving their tactics and techniques to bypass traditional security measures. As a result, organizations must adopt robust API security measures to defend against a wide range of threats.
  • Supply Chain Risks: Many organizations rely on third-party APIs and integrations to enhance their products and services. However, this introduces supply chain risks, as vulnerabilities in third-party APIs can potentially compromise the security of the entire ecosystem.
  • Regulatory Requirements: Regulatory bodies are increasingly recognizing the importance of API security in safeguarding consumer data and privacy. Regulatory frameworks such as PSD2 (Payment Services Directive 2) mandate strong security measures for APIs in the financial sector, while other regulations impose similar requirements across different industries.

As organizations continue to embrace digital transformation, securing APIs will remain a top priority to mitigate risks and ensure the integrity and confidentiality of data exchanges.

Background

IBM's partnership with Noname in API security offers several key differentiators:

  • Comprehensive Security Solutions: IBM combines its extensive experience in cybersecurity with Noname's API security technology to provide comprehensive solutions. This means customers benefit from a holistic approach to security that addresses various aspects of API protection.
  • Scalability and Flexibility: IBM's solutions are designed to scale according to the needs of the business, whether they are a small startup or a large enterprise.
  • Integration Capabilities: IBM's platforms are known for their integration capabilities, allowing customers to seamlessly incorporate API security measures into their existing infrastructure and workflows with no disruptions.
  • Advanced Threat Intelligence: Leveraging IBM Data Power inside IBM API Connect intelligence capabilities, the partnership with Noname enables proactive identification and mitigation of potential API security threats, helping organizations preventing emerging threats and protect systems and data effectively.
  • Compliance and Governance: thanks to IBM-Noname partnership, IBM offers customers peace of mind knowing that their API security measures align with relevant compliance requirements.
  • Continued Innovation: Both IBM and Noname are committed to innovation. Through this partnership, customers can expect ongoing updates and improvements to their API security solutions.

In this article we will describe how IBM API Connect and Noname can work together to leverage on the benefits described below for you Enterprise Security.

Configuration

Prerequisites for the implementation of this solution are:

·        IBM API Connect installed + admin access

·        Noname installed + admin access

IBM API Connect

For the implementation of the solution that will be described below, you will need to have at least an API published in API Connect and a consistent workload generate on it/them.

Please follow the steps below for a minimum configuration.

Publish your API in IBM API Connect

o   Publish your API in an API Catalog

o   Create a Consumer Organization

o   Create an Application to you API, save API Key and API Secret that you will use to test you API in API Test Automation APIs

o   If you need more help publishing an API, pls go to IBM documentation

Generate workload

o   Generate workload testing your API, for example, using in API Manager the feature “Test APIs”.

Solution Overview

Solution consists of integrating IBM API Connect, comprehensive API management solution designed to streamline the process of creating, managing, securing, and analyzing APIs with Noname Security by Source and Prevention integrations.

Source integration This integration uses Analytics Offload to collect API traffic from IBM API Connect to send to Noname. Configure Noname platform to be ready to receive the traffic from IBM API Connect

  • The documentation can be found here, follow step 1 and 2 in Noname environment.
  • Step 3 is performed within IBM API Connect. It can be done via CLI (described in docs), time efficient way is to do it via GUI:
    • Display the list of your instances
    • Edit API management instance 

    • Switch to the yaml view and add section to the spec section:

spec:
allowUpgrade: true
analytics:
    external:
    offload:
        enabled: true
        output: |
        http {
            url => "https://<ENTER_YOUR_NONAME_URL>/engine?structure=ibm-apiconnect"
            http_method => "post"
            codec => "json"
            content_type => "application/json"
            headers => ["x-nn-source-index", "<ENTER_INDEX>", "x-nn-source-key", "<ENTER_SOURCE_KEY>"]
            id => "noname-offload"
        }

    • You can now see the configuration in Noname settings

·        Note that certificates were not considered for this example.

·        After completing all the configuration above, you will be able to see you Noname dashboard populated. In the Inventory tab, you can see an overview of the assets, resources, or entities that are being monitored or managed by the Noname security solution. In API section likely provides a comprehensive view of the APIs (Application Programming Interfaces) within an organization's ecosystem. Here's what you might expect to see in the Inventory > API section:

    • API Endpoints
    • API Versions.
    • API Documentation
    • Security Configuration
    • Usage Metrics
    • Dependencies and Relationships
    • Security Events and Incidents

Prevention Integration Noname Security prevention integration for IBM API Connect creates a catalog-scoped User Defined Policy (UDP) that periodically calls Noname to get a list of identifiers to block. The policy periodically fetches blocking rules from Noname and stores them in a cache. The default update interval is currently two minutes. Every user API request is validated against the current blocking rules. You will download UDP policy from Noname and then upload them in IBM API Connect. Depending of your strategy, needs and implementation, you will able to

·        Upload them as user defined policy (UDP) under any relevant IBM API Connect Catalog and apply them in the assembly of any relevant API that you want to be secured by Noname UDP. To do that you can follow the step described ad the Noname Documentation

    • The documentation can be found here
    • Complete steps 1 and 2 and 3

·        Upload them as Global Policy directly on you API Gateway in API Connect . You can upload global policies into each of the gateway services in your Catalogs, and then designate, for each gateway service, which global policy should be called before an API assembly is called, after an API assembly is called, or if an error occurs when an API assembly is called. The designated global policies are applied to all the APIs that are deployed to the associated gateway service. IBM Documentation

    • In case of global policy, you can execute following commands with downloaded yaml file from Noname:
  # Fill in the mgmt_endpoint_url, open in browser, fill in the username and pwd, copy ApiKey to terminal
  apic login --sso -s mgmt_endpoint_url --context provider
 
  # get realm
  apic identity-providers:list --scope provider --server mgmt_endpoint_url --fields title,realm
 
  # Upload global policy to API Connect
  apic global-policies:create --catalog catalog_name --configured-gateway-service gateway_service_name --org organization_name --server mgmt_endpoint_url --scope scope [--space space] filename
 
  # Note the URL
  apic global-policies:get --catalog catalog_name --configured-gateway-service gateway_service_name --org organization_name --server mgmt_endpoint_url --scope scope [--space space] policy_name:policy_version --fields url
 
  # Edit yaml, replace with url 
  global_policy_url: >-
  https://server_host_name/api/catalogs/catalog_id/configured-gateway-services/gateway_service_id/global-policies/policy_id
 
  # Set as pre-request global policy
  apic global-policy-prehooks:create --catalog catalog_name --configured-gateway-service gateway_service_name --org organization_name --server mgmt_endpoint_url --scope scope [--space space] GlobalPolicy.yaml

·        After completing all the steps above, you can now see the result in Noname settings 

·        Save the changes and within minutes you can try to call your APIs managed in IBM API Connect, the traffic will appear in Noname.

Authors:

Tomas Machan

Technology Engineering, IBM Client Engineering

tomas.machan@ibm.com

Alessandra Iampieri

Technical Specialist, IBM Automation

alessandra_iampieri@it.ibm.com

0 comments
1 view

Permalink