Securing the API landscape
Businesses use APIs to connect services and to transfer data. API security is a hot topic among information security professionals. As more applications are built as a collection of microservices, cybercriminals are attacking systems by targeting vulnerable APIs. Broken, exposed, or hacked APIs are behind major data breaches.
API Security – made by TrustBuilder
TrustBuilder customers seeking API security get the best of both worlds: they continue agile development, gain maximum security and maintain a seamless customer experience.
API Gateways usually take care of edge security alone. TrustBuilder provides adequate security in complex environments with hundreds of APIs. TrustBuilder addresses security of the APIs on an individual component level, validating identity and access privileges at each hop.
Single entry point
TrustBuilder acts as a single entry point for security administration and enforcement. It invokes multiple back-end servers and aggregates the results into attributes that can be customized and returned to the requester, along with the appropriate authorization.
TrustBuilder acts as a token exchange service, facilitating easy integration with multiple third-party applications. New microservices can be added easily, benefitting from the existing security mechanism. This makes it easy for retail banks or other organizations to develop their own ecosystems.
When offering ecosystems of services, customer experience is paramount. TrustBuilder hides the complexity for end-users. Once a user is authenticated, TrustBuilder captures the user context, thereby granting access to those microservices that the user has privileges to.
API Security on the rise
TrustBuilder delivers the necessary capabilities to build digital ecosystems faster than the competition, thanks to our built-in connections to Service Providers and Identity Providers, our focus on API security and our support for Attribute-based Access Control (ABAC).
From monoliths to microservices
Developers are no longer building large monolithic apps containing millions of lines of code that are deployed as a single unit. Instead, they use microservices: small, independently versioned and scalable services. Using interfaces and standard protocols, these services work together to address a complex business goal. APIs (Application Programming Interfaces) are the interfaces of these services.
Ecosystems need API security
Retail banks and other organizations are busy building ecosystems of services, and promoting applications from business partners. Customers gain access to this integrated offering through APIs. This puts stringent requirements on the protection of these APIs, not only when customers gain access to the service, but also when they are seamlessly switching from one application to the other in this densely populated API landscape.
Acceleration of API attacks
APIs are often available over public networks (access from anywhere) and are typically well documented or easily reverse-engineered, which makes them attractive targets for bad actors. Hackers and other cybercriminals have definitely discovered APIs as a new hunting ground to obtain customer data. APIs should not be exposed to the outside world unprotected. The ability to control API access is the cornerstone of effective API and microservice security.
Ecosystems protected by TrustBuilder
Several of our customers are currently using our API Security capabilities to help their ecosystems thrive.
HR services market leader SD Worx offers its customers a vast array of applications, both custom SD Worx applications and services offered by third parties. TrustBuilder’s API Security takes care of protecting these applications, applying security levels defined by SD Worx.
A European bank
A large European bank uses TrustBuilder as the de facto standard for authenticating customers when they use its ecosystem of services. The bank applies different levels of authorization for different applications, for instance buying a bus ticket versus making a money transfer.
How to implement API security
Interested in more implementation info?
Check out our long read on the 5 keys to a successful implementation of your IAM.