The document discusses best practices for deploying API gateways. It begins by describing four types of API gateways - IAM gateways, API IAM gateways, API management gateways, and API security gateways. It then covers considerations for deploying API gateways such as location/form factor, use cases, policy configuration, security reviews, and practices for API security. The document emphasizes choosing the right gateway type for needs, securing the infrastructure, and spending time on architecture and policies.

1. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Best Prac*ces in Deploying API
Gateways
API World 2017
Greg DiFruscio
Director of Support
gdifruscio@forumsys.com

2. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Why they are an essential component of a secure, robust and
scalable API infrastructure.
Best practices and common deployment
scenarios of API Gateways.

3. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
TYPES of API GATEWAYS

4. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
#1 API Gateway Basics
Deployed similar to a reverse proxy (protocol
break)
The gateway represents the endpoint API and
appears to the consumer as if it is the applica*on or
service itself
Can be located on-premise or in cloud
Move the security, iden*ty, and management
processing out to the API Gateway *er – let the
APIs focus on the business requirement
While API Gateways expose the APIs, not all API
Gateways truly secure the APIs

5. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
IAM (Iden*ty and Access Management) designed for
Iden*ty and Access Control and centralizing IAM agents
IAM Gateway products support limited API types (i.e.
REST)
Limited support for network protocols (i.e. REST APIs
over HTTP)
Very liUle or no ability to provide informa*on
assurance of the API data
Typically built on insecure plaVorms – soWware only or
unhardened virtual appliance
#2 API IAM Gateways

6. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
More versa*le than IAM Gateways with broader support for API
types and network protocols
Evolved from ESB integra*on plaVorms where integra*on and
payload conversion are core func*ons
Usually developer centric
OWen provide developer portals for API consumers, self
documen*ng APIs
Typically built on open plaVorms designed for flexibility
Inherently suscep*ble to aUack and compromise
#3 API Management Gateways

7. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Security first focus – product form factors and feature sets
Products hardened against cyber aUack – closed systems
Include API Iden*ty features from IAM space
Include API Governance features from API Management space
Include API Security from Cybersecurity space
Support for wide array of API types and network protocols
Focus on content layer security (e.g. schema valida*on,
encryp*on, dsig) in addi*on to TLS
Bi-direc*onal scanning to prevent threats as well as data leakage
#4 API Security Gateways

8. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Which type of API Gateway is right for you?
Is HTTP/S only protocol sufficient?
Are REST API services the only type you will need to support?
Are you concerned about malware and other API exploits
embedded within the payloads?
Do you need to support legacy applica*ons and services?
Are you concerned with data leakage and sensi*ve informa*on
loss?

9. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
DEPLOYING API GATEWAYS

10. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
On-Premise or cloud?
Hardware, virtual, soWware, AMI,
other?
#1 Loca*on and Form Factor
Where are the services?
Where are the clients?
Where are the user iden*ty
repositories?

11. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
API types (e.g. REST, SOAP, XML, Web Portals, etc.)
Network protocols (HTTP/S, SFTP, JMS, SMTP, AMQP 1.0,
mixing)
Iden*ty, access control, and SSO requirements (Iden*ty
Repositories)
API security requirements (TLS, Schema valida*on, AV scanning,
parameter valida*on, method valida*on, etc.)
API integra*on / media*on requirements (JSON to/from XML,
etc.)
Logging requirements
Custom Error handling
#2 Use Case Discussion

12. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Simple is beUer (point and click, no coding necessary)
Error on the side of security
Start basic and add processing layers
Reusing policy objects
Policy naming conven*ons
Propaga*on of policies across environments
Automa*on via APIs
#4 Policy Configura*on and Management

13. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Ask your vendor for a security review of your policies
Check for sensi*ve informa*on in logs
Check for weak ciphers and TLS / SSL protocols
Posi*ve and nega*ve tes*ng
Review errors generated on gateway and errors returned from
applica*ons
Do it before moving into produc*on
Schedule them oWen
#4 Security Review

14. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
BEST PRACTICES IN API SECURITY

15. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Secure OS – the infrastructure is a target
Secure policy / configura*on storage
Protect your private keys
#1 Product Security

16. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
#2 API Security Policy

17. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Aim for agentless approach
Protect iden*ty repositories
Use SSO and Federa*on
#3 API Iden*ty
Mul*-Context authen*ca*on and
authoriza*on
Reduce dependencies on vendor specific
implementa*ons

18. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Rewri*ng URLs – obfuscate your path
Mapping payload formats – for integra*on as well as security
Mapping user aUribute informa*on retrieved from iden*ty call
Querying LDAP, Databases, APIs (t-junc*on processing)
Network protocol media*on (e.g. HTTPS to/from Ac*veMQ)
#4 API Integra*on

19. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Integrate with central SIEM / logging system (e.g. Splunk, ELK,
Graylog, etc.)
Build real *me Dashboards from gateway logs
Leverage big data analy*cs for alerts, trends, reports
#3 API Monitoring

20. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
Choose the right type of API Gateway for your current and future
needs
Decide where the API Gateway(s) will live and what form factors
are correct for your environment
Spend the *me upfront to architect the solu*on and build the
policies in accordance to your plan
Your APIs and your API infrastructure are targets – API Security
means security features as well as secure architecture
Conclusions

21. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
ForumOS™. FIPS 140-2 Level II purpose-built chassis. NIAP NDPP
CerPfied. Patented cryptographic acceleraPon
Fully encapsulated virtualized rendiPon of Hardware system in a
deployable Amazon AMI
Windows, Linux, or Solaris deployable in any compuPng ecosystem
(single-package install with no dependencies)
FORM FACTORS
API Security Gateway
Fully encapsulated virtualized rendiPon of Hardware system in a
deployable OVA VMWare image
Hardware
Virtual
Cloud
SoWware

22. Forum Systems | www.forumsys.com | 888.811.0060 | 75 Second Avenue, Suite 520 Needham, MA 02494
To learn more visit us at
h[p://info.forumsys.com/api_world