Download to read offline
More Related Content
![[Workshop] API-driven Integration](https://cdn.slidesharecdn.com/ss_thumbnails/workshopapidrivenintegration1-200207075321-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to API_Gateways_&_API_Security-1(API Securities and Gateway).pptx
API_Gateways_&_API_Security-1(API Securities and Gateway).pptx
- 1. API GATEWAYS & APISECURITY Prince J (2313213037012)
- 2. AGENDA API Gateway API Gatewayin Public Cloud Azure API Management AWS API Gateway API Security Request-Based Security Authentication and Authorization PRESENTATION TITLE 2
- 3.
- 4. INTRODUCTION An APIgateway is an essential component in modern microservice architectures. It acts as a reverse proxy that routes client requests to appropriate microservices. Key Functions of an API Gateway: • Request Routing: Directs incoming requests to the appropriate service or endpoint based on the request path, method, headers, etc. • Security: Handles authentication and authorization, ensuring that only valid users can access the services. • Load Balancing: Distributes incoming requests across multiple instances of microservices to ensure no single instance is overwhelmed INTRODUCTION 4
- 5. API GATEWAY INPUBLIC CLOUD 5 API GATEWAY IN PUBLIC CLOUD API Gateways in public clouds serve as a reverse proxy to accept all application programming interface (API) calls, aggregate the various services required to fulfill them, and return the appropriate result. They provide a centralized entry point for managing, routing, and securing API traffic. Features: • Traffic management • API composition • Rate limiting and throttling • Request and response transformation • Analytics and monitoring • Security enforcement
- 6. AZURE API MANAGEMENT6 AZURE API MANAGEMENT Azure API Management (APIM) is a fully managed service that enables organizations to publish, secure, transform, maintain, and monitor APIs. Features: • API Gateway: Securely expose services residing within Azure, other clouds, or on-premises. • Developer Portal: Automatically generated, fully customizable website for API documentation and developer onboarding. • Analytics: Gain insights into API usage and performance. • Policies: Implement rules for authentication, authorization, transformation, and caching. • Integration: Seamless integration with Azure services, including Azure Functions, Logic Apps, and Azure DevOps.
- 7. AWS API GATEWAY7 AWS API GATEWAY AWS API Gateway is a managed service that allows developers to create, publish, maintain, monitor, and secure APIs at any scale. Features: • Support for RESTful APIs and WebSocket APIs. • Integration with AWS Lambda for serverless architecture. • Traffic management: Throttling, burst limits, and quotas. • Security: Authentication and authorization via AWS Identity and Access Management (IAM), Amazon Cognito, and Lambda authorizers. • Monitoring: Built-in Amazon CloudWatch integration for metrics and logging. • Caching: Response caching to improve performance.
- 8.
- 9. INTRODUCTION API securityrefers to the practices and strategies employed to protect Application Programming Interfaces (APIs) from unauthorized access, exploitation, and other forms of malicious attacks. It ensures the integrity, confidentiality, and availability of data and services communicated through APIs. This includes measures to authenticate and authorize users, validate inputs, encrypt data, and monitor API usage to detect and respond to potential threats. Effective API security safeguards the interfaces that connect different software applications, systems, and services, thereby preventing data breaches, service disruptions, and other security incidents. INTRODUCTION 9
- 10. REQUEST-BASED SECURITY 10 REQUEST-BASEDSECURITY Request-based security focuses on securing the individual requests made to APIs. This approach ensures that each API request is authenticated and authorized before processing. Components: • Authentication: Verifying the identity of the client making the request. • Authorization: Determining if the authenticated client has permission to access the requested resource. • Data Encryption: Encrypting request and response payloads to protect data in transit. • Rate Limiting and Throttling: Limiting the number of requests a client can make to prevent abuse and ensure fair usage.
- 11. AUTHENTICATION AND AUTHORIZATION11 AUTHENTICATION AND AUTHORIZATION • Authentication • Authorization
- 12. AUTHENTICATION 12 AUTHENTICATION Definition: Theprocess of verifying the identity of a user or system. Methods: • Basic Authentication: Involves sending a username and password with each API request. Simple but not recommended due to security risks. • Token-Based Authentication: Using tokens such as JSON Web Tokens (JWT) or OAuth tokens to authenticate requests. Tokens are generated upon successful login and used for subsequent requests. • API Keys: Simple tokens that identify the calling project, useful for identifying the source of traffic.
- 13. AUTHORIZATION 13 AUTHORIZATION Definition: Theprocess of determining if an authenticated user or system has permission to access a specific resource or perform a specific action. Methods: • Role-Based Access Control (RBAC): Permissions are assigned to roles, and users are assigned to these roles, simplifying management. • Attribute-Based Access Control (ABAC): Access decisions are based on attributes such as user role, resource type, and environment. • Policy-Based Access Control (PBAC): Uses policies to define and enforce access rules.
- 14. CONCLUSION •API Gateways: • Essentialfor managing and securing API traffic in public clouds. • Azure API Management and AWS API Gateway offer robust features for API lifecycle management, security, and integration. •API Security: • Crucial for protecting APIs and ensuring secure communication. • Effective security involves both request-based security and comprehensive authentication and authorization methods. •Key Takeaways: • Implementing API gateways improves API performance, scalability, and security. • Adopting strong authentication and authorization practices is vital for safeguarding API access and data. CONCLUSION 14
- 15.