apidays Helsinki & North 2023
API Ecosystems - Connecting Physical and Digital
June 5 & 6, 2023
API Security in the era of Generative AI
Matt Feigal, Partner Engineering Manager at Google Cloud Sweden
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
4. Generative AI’s Impact to API
Ecosystem
New and Exacerbated
Risks
Patterns for Success
01
02
03
Agenda
00 Hi! (It’s Me)
5. Place Image Here
Generative AI - Empowering Everyone
Generative AI is a powerful tool which will be used by all
personas in the API ecosystem. Service developers, API
Owners, Network Administrators, Product Owners, Data
Analysts, Security Analysts...
Everyone moves ‘up’ the mountain
****EXAMPLES*****
ChatGPT, Google’s Bard, PaLM, LLMs,
Imagen, Midjourney, DALLE-2…
Codey, Copilot, AutoGPT, LangChain
Novice
Guru
01
6. Gen AI Use Cases in the API Ecosystem
Collaborator Operations and Toil Service Replacement GenAI APIs
● Complete Tasks via
Chat, IDE, etc
● Text, Code, Images,
Media, Video, Slides,
APIs, Documentation,
…
● Boilerplate,
Transcoding,
Monitoring,
Observability, …
● Last mile - Replace
Services with Prompt →
Data Model
● New Ecosystem (and
Business Model) with
LLM, Data, and LLM
extensions (langchain)
● AIs calling your APIs?
AIs calling other AIs?
9. Reference Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
10. Reference Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
11. Reference Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
12. Generative AI increases the need for API
Management and API Security. APIs are the
contract for machine-led creation and
consumption.
New and Exacerbated Risks
02
13.
14. API misconfigurations and Bots are identified as potential two of the top three
threats
Source: https://venturebeat.com/2021/07/27/fugue-36-percent-orgs-suffered-serious-cloud-breach-in-last-year/
15. 14
Source: API Economy | Google Cloud
“By 2022, API abuses will be the most
frequent attack vector resulting in
data breaches for enterprise web
applications.”
- Gartner, API Security: Protect your APIs from Attacks and Data Breaches,
Mark O'Neill, Dionisio Zumerle, 2021
170%
Apigee saw over 170% increase in
abusive API traffic last year
API Security Threats are Evolving and Increasing
16. !
84%
of companies saw an increase in the number of
bot attacks over the last year (Jan ‘21)
Bot Attacks
Source: Forrester Consulting - State Of Online Fraud And Bot Management
$24B
Lost to credit card fraud by US businesses
Payments
Fraud
!
$1T
Lost to abandoned checkouts or
rejected transactions
53 days
spent on average fully resolving a bot
attack
! API Abuse
!
Account
Takeover
90%
Increase in 2021 alone
50%
of organizations experienced an API
security incident in the last 12 months
77%
of organizations that experienced an API
security incident delayed a rollout
Web Security Threats are Evolving and Increasing
17. Your APIs need to be secured across all points of interaction
Threat Protection
Behavior Based
Signature Based
Payload Complexity
Spikes
OWASP (SQL injection,
input validation, etc.)
Access Controls
OAuth2
API Keys
Products
Scopes
Quota/Spike Arrest
Logging
Self Service & SSO
IAM Integration
Prov. & DeComm
OpenId Connect
JWT
SAML
Security
Governance
Global Policies
RBAC management
Data Masking
Compliance:
ISO, PCI-DSS, HIPAA,
SOC1&2, CSA STAR
Data Security
TLS
Two-way TLS
IP Access Control
Encrypted Data Store and
Cache
User App Developer API API team Backend
18. New Risks: Meet the Generative AI Family
Good
Competent
Bad
Attacker
Oops
Buggy
19. Reference Cloud Architecture with Gen AI
On-Prem DC
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
External SaaS
Providers
20. Common Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
21. Common Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
22. Common Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
23. Common Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
24. Common Cloud Architecture with Gen AI
API
Gateway
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
Machine caller
Machine Authored
Machine Operator
Machine as a
microservice
On-Prem DC
External SaaS
Providers
25. Mitigating Risks:
● Paved Path for Developers
● Defense in Depth
● Shield your Generative AI
● Escape Hatches
● Buying Expertise
03 Emerging patterns for success
26. Place Image Here
Paved Path for Developers
● Easy to be compliant and secure
● Single Path through the system
● Idiomatic, Integrated Tools
● Prioritize Developer Velocity (first class
support for ephemeral or test APIs)
27. On-Prem DC
Defense In Depth
Apigee
Microservices
Serverless
Functions
Load
Balancing
Databases, Caches, Other Stores…
WAF
Adv API
Security
SWG
SWG
CAPTCHA
External SaaS
Providers
28. Shield your Generative AI
● Don’t expose your ML API directly!
● Same lessons you’ve learned shielding a
database from direct API calls!
● Incoming: Context engineering Prompt
Engineering
● Outgoing:
○ DLP checks / IP checks
○ Accuracy checks
○ Brand safety checks
29. Place Image Here
Escape Hatches / Fast Responses
● Multi-tier applications have different release
cadences and risk factors.
● Escape Hatches are quick-twitch Policy
Enforcement Points, Filters, and Shields
● API Gateway/Proxy and Service Mesh are
great resources for dealing with the
following scenarios…
30. Specific request that exploits a vulnerability. SQL injection,
parser errors, de/ser bugs, protocol edge cases, etc.
Security Breach - such as returning too much data from one
or more services across a variety of scenarios.
Escape Hatches / Fast Response scenarios
Poison Pill Data Exfiltration
Specific requests or request volume that are targeted at
overloading specific services or backends.
Targeted (D)DoS
Slow, sporadic, or steady requests to problematically extract
data from your APIs
Scraping Bots
31. The Security Space:
Buying Expertise
● Build, vs Buy (or Host)
● Core to your Mission?
● Expertise and Level of Investment
● Cost versus Potential Cost
32. Deny list Traffic Data Models
Dashboard Advanced API Security
Apigee runtime
Enforcement
How
Mitigation
Block or mark the bot traffic
depending on your needs
API Traffic Data
Continuously monitor billions of
API calls to identify anomalies
Machine Learning Models &
Rules
Continuously recognizing bot
patterns and creating new rules
Apigee Advanced API Security
33. Know when API are misconfigured
or experiencing abuse.
Managing API Security Configs
Align API proxies to security standards to avoid misconfigured API proxies
Recommend actions to improve
the security posture
34. Bot & Abuse detection powered by ML
Clustering alerts to reduce volume and provides the relevant context for quick resolution
35. Recap
● GenAI: New Opportunities, New Risks
● Machine-to-Machine APIs
● Integrated APIM is Critical
● Build Escape Hatches and Buy Expertise when appropriate
36. Thank you.
Discussion & Demo at our booth today!
Want to learn more?
cloud.google.com/apigee
Try Apigee for free for 60 days
https://apigee.google.com/welcome
Join our Partner network
feigal@google.com; mattfgl@; mattfeigal@hachyderm.io