Automatically Secure and Manage Any API at Scale
Protect any API—anywhere—the moment it's deployed. Join us to learn how you can automate API management as part of your CI/CD pipeline with MuleSoft’s Anypoint Flex Gateway and hear about a real use case of Flex Gateway and Governance.
Meet the Speakers:
• Brian Statkevicus, MuleSoft Practice Manager at Big Compass
• Sue Siao, Technical Product Marketing Manager at Salesforce
Denver MuleSoft Meetup: TDX Talk - Automatically Secure and Manage any API at Scale
1. Automatically Secure and Manage any API at Scale
Brian Statkevicus
MuleSoft Practice Manager, Big Compass
brian.statkevicus@bigcompass.com
Sue Siao
Technical Product Marketing Manager, Salesforce
sue.siao@salesforce.com
2. Forward Looking Statements
Updated: September 28, 2022
This presentation contains forward-looking statements about, among other things, trend analyses and future events, future financial performance, anticipated growth, industry prospects, environmental, social
and governance goals, and the anticipated benefits of acquired companies. The achievement or success of the matters covered by such forward-looking statements involves risks, uncertainties and
assumptions. If any such risks or uncertainties materialize or if any of the assumptions prove incorrect, Salesforce’s results could differ materially from the results expressed or implied by these forward-
looking statements. The risks and uncertainties referred to above include those factors discussed in Salesforce’s reports filed from time to time with the Securities and Exchange Commission, including, but
not limited to: impact of, and actions we may take in response to, the COVID-19 pandemic, related public health measures and resulting economic downturn and market volatility; our ability to maintain
security levels and service performance meeting the expectations of our customers, and the resources and costs required to avoid unanticipated downtime and prevent, detect and remediate performance
degradation and security breaches; the expenses associated with our data centers and third-party infrastructure providers; our ability to secure additional data center capacity; our reliance on third-party
hardware, software and platform providers; the effect of evolving domestic and foreign government regulations, including those related to the provision of services on the Internet, those related to accessing
the Internet, and those addressing data privacy, cross-border data transfers and import and export controls; current and potential litigation involving us or our industry, including litigation involving acquired
entities such as Tableau Software, Inc. and Slack Technologies, Inc., and the resolution or settlement thereof; regulatory developments and regulatory investigations involving us or affecting our industry; our
ability to successfully introduce new services and product features, including any efforts to expand our services; the success of our strategy of acquiring or making investments in complementary businesses,
joint ventures, services, technologies and intellectual property rights; our ability to complete, on a timely basis or at all, announced transactions; our ability to realize the benefits from acquisitions, strategic
partnerships, joint ventures and investments, including our July 2021 acquisition of Slack Technologies, Inc., and successfully integrate acquired businesses and technologies; our ability to compete in the
markets in which we participate; the success of our business strategy and our plan to build our business, including our strategy to be a leading provider of enterprise cloud computing applications and
platforms; our ability to execute our business plans; our ability to continue to grow unearned revenue and remaining performance obligation; the pace of change and innovation in enterprise cloud computing
services; the seasonal nature of our sales cycles; our ability to limit customer attrition and costs related to those efforts; the success of our international expansion strategy; the demands on our personnel and
infrastructure resulting from significant growth in our customer base and operations, including as a result of acquisitions; our ability to preserve our workplace culture, including as a result of our decisions
regarding our current and future office environments or work-from-home policies; our dependency on the development and maintenance of the infrastructure of the Internet; our real estate and office facilities
strategy and related costs and uncertainties; fluctuations in, and our ability to predict, our operating results and cash flows; the variability in our results arising from the accounting for term license revenue
products; the performance and fair value of our investments in complementary businesses through our strategic investment portfolio; the impact of future gains or losses from our strategic investment portfolio,
including gains or losses from overall market conditions that may affect the publicly traded companies within our strategic investment portfolio; our ability to protect our intellectual property rights; our ability to
develop our brands; the impact of foreign currency exchange rate and interest rate fluctuations on our results; the valuation of our deferred tax assets and the release of related valuation allowances; the
potential availability of additional tax assets in the future; the impact of new accounting pronouncements and tax laws; uncertainties affecting our ability to estimate our tax rate; uncertainties regarding our tax
obligations in connection with potential jurisdictional transfers of intellectual property, including the tax rate, the timing of the transfer and the value of such transferred intellectual property; uncertainties
regarding the effect of general economic and market conditions; the impact of geopolitical events; uncertainties regarding the impact of expensing stock options and other equity awards; the sufficiency of our
capital resources; the ability to execute our Share Repurchase Program; our ability to comply with our debt covenants and lease obligations; the impact of climate change, natural disasters and actual or
threatened public health emergencies; and our ability to achieve our aspirations, goals and projections related to our environmental, social and governance initiatives.
3. API Management - From Theory to Application
● Challenges to API Management
● Automate Gateway Deployment & Manage ANY API
● Real-life Implementation Use Cases
5. Need a new approach to effectively use, manage and engage with APIs
Event driven, Microservices, SaaS Integration, B2B/EDI, API ecosystems
APIs sprawling across fragmented solutions and environments
● Limited visibility & access to existing APIs
● Inconsistent enforcement of security and governance
● Complex operations and troubleshooting
6. Universal API management on Anypoint Platform
New and existing product capabilities on a unified platform
● Discover: Discover, Build and Catalog any API
● Govern: Ensure consistent API quality and security
● Manage: Control and secure access to any API
● Engage: Engage and create API Ecosystems
8. Anypoint Flex Gateway
Implement modern architecture with ultrafast, distributed API gateway to control and secure APIs
● Deploy to virtually any environment
● High performance on a small footprint
● Secure external and internal API traffic
● Fine grain traffic control and fault tolerance
● Manage using web UI or CI/CD pipeline
[Diagram labels: Manage; Security team; Anypoint Flex Gateway (Ingress/Egress); Customers; Payments; Orders; Products]
9. Protect and manage your microservices
[Diagram labels: Jenkins; Automatically Deploy API Gateway; Anypoint Platform; Apply Policies; Manage; API Gateway; Films API; Anypoint Flex Gateway]
11. Customer overview
Western US state government client with centralized IT team that administers Anypoint Platform (CloudHub and RTF) and numerous state agencies to serve
Capacity/Usage
● ~200 prod vCores and 320 non-prod vCores
Business challenges
● Need to control access to 3rd party APIs in order to keep Mule and other apps compliant with state security requirements
● Code review requires senior resources that are stretched thin
Solution
● UAPIM: Flex Gateway and API Governance
12. Anypoint Flex Gateway at the customer
Current Architecture
[Diagram labels: Amazon Elastic Container Service; Anypoint Platform; Manage APIs; View Flex Gateway; Anypoint Flex Gateway; Amazon Elastic Container Registry; Customized Anypoint Flex Gateway Docker Image]
14. API Governance at the customer
Phase 1 Phase 2 Phase 3
● Existing APIs are updated as necessary
● New APIs must conform with HTTPS and OWASP rulesets
● No CI/CD enforcement
● Introduce custom ruleset with customer’s best practices
● CI/CD enforcement
● The customer is using the following Rulesets:
○ HTTPS Enforcement
○ OWASP API Security Top 10
○ Anypoint API Best Practices: too much noise. To be replaced with a custom ruleset with customer’s best practices.
16. Key Learnings
● Need to add RAML/OpenAPI definition to ‘govern’ API
● Documentation could be more thorough
● Still a few ‘odd’ experiences with the UX
17. Next steps for this customer
● Configure their firewall to forward logs to Splunk
● Enable TLS
● Enable Business Groups
18. Key Takeaways
1. API sprawl is the reality
Control and manage any API with Anypoint Flex Gateway
2. Code reviews are necessary for security
Automate governance checks with Anypoint API Governance
What to look out for later this year:
● Anypoint Flex Gateway Policy Development Kit
● Anypoint API Governance: Govern policies and managed APIs
19. Let’s Continue our Connection
Where do we go from here?
● Check out Big Compass blogs and case studies on MuleSoft
● Try out Anypoint Flex Gateway through tutorials
Gain Insights
Learn more
Let’s meet again!
● Join us at World Tour NYC on May 4th! In person or Salesforce+
Hello everyone, thank you for joining us today. I’m Sue and Brian and I will be talking about how you can automatically secure and manage any API at scale.
Before we start, just as a reminder, you should base your purchasing decisions on products and services that are currently available.
Today, we will discuss the challenges to API Management, talk about how you could automate the process, and Brian will share with us a real-life use case on how a customer is utilizing Anypoint Platform. So, let’s get started.
Who here uses or interacts with APIs every day?
As developers, admins, or IT professionals, you are interacting with APIs on a daily, if not hourly, basis. After all, APIs are building blocks that allow your organization to connect data to support application development and innovation.
But, as API use increases, it also sprawls across fragmented solutions and environments and this leads to problems such as:
Limited visibility and usability
Inconsistent security & governance enforcement
Hard to operate & manage
And all of these ultimately lead to difficulty in managing your APIs to ensure that the data is secure and available to only those who should have access to it.
We understand that it’s not practical to have just ONE environment where you deploy your applications. Depending on what you are building, where and how it’s deployed can vary. So in a way, API sprawl is a necessity for growth.
But that doesn’t mean that you should just leave it a free-for-all. That’s why MuleSoft is offering Universal API Management. Universal API management on Anypoint Platform is a collection of new and existing products that provide a single control plane so you can Discover, Govern, Manage, and Engage ANY API that is built and deployed anywhere. This enables developers to build their applications wherever and however they prefer but you can still control the who and the how of API access.
Alright, so let’s now discuss how you can automatically manage any API.
Let’s talk about the product – MuleSoft provides Anypoint Flex Gateway so that you can protect ANY API running ANYwhere.
You can deploy to virtually any environment and have the flexibility to manage APIs at the Ingress as well as within your microservices. All this while giving you rich fine-grained traffic control and API protection capabilities.
And lastly, you can also choose to manage APIs in a web-based control plane, OR locally through declarative files.
Here is an example we will look at for how you can deploy Flex Gateway. I have a Films API that I have deployed in a Docker container, so let’s see how we can manage and protect it.
Ultrafast response times with small footprint
Manage and secure APIs in minutes
Deploy to virtually any target environment
Manage using Anypoint Platform or with declarative configuration via CI/CD pipelines
Pay only for what you use
This is an example of managing a non-Mule API. The customer endpoint is obfuscated, but that’s the endpoint the consumers will use. This points to: https://jsonplaceholder.typicode.com/users
The challenge with Anypoint Best Practices ruleset is it has >20 violations and >30 warnings.
We’d love to continue building our connection with you.
We’ll be over by (explicitly explain where you’ll be) for the next 10 min to answer questions and get to know each other.
This session was a sampling of how MuleSoft automates anything to empower everyone. I invite you to:
visit booth xxxx, located in xxxx to watch our demos [or]
attend xxxx session, at xxx am/pm, in room xxxx located in xxxx
And finally, visit us online at MuleSoft.com to view our webinars and hear other customer stories.