This post is part of a series on becoming a secure API-first company. For a deeper dive, check out the eBook Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company.
As APIs have become mission-critical, securing them against threats is crucial. APIs are an attractive target for attackers, and a single vulnerability can expose an organization's most sensitive information assets.
To properly secure APIs, we have to move beyond basic perimeter defenses. We’ve previously discussed how important consistent API controls across teams are for developing secure API infrastructure.
In this post, we’ll explore the concept of layered API security, outlining the key layers organizations should have in place. Employing security controls at each of these layers establishes defense in depth against various vectors of attack. We’ll overview common API threats and explain how having the right layered model can help mitigate the risks posed by these threats.
When it comes to API security, the strategies are multi-layered and affect different aspects of the API journey. We can identify at least five layers of security that we need to enforce:
The multi-layered approach to API security.
As the name suggests, layered security refers to the practice of implementing multiple levels of cybersecurity to handle a multitude of potential network attacks.
Think about a company like an onion. At the center is a company’s valuable information and company stability. To get to the center of the onion, the external layers would need to be peeled back one by one. The more layers surrounding the center of the onion, the harder it is to get to. These onion layers represent the multiple levels of cybersecurity. With strong enough layered security in place, a company's information and inner workings are impossible to access.
What sort of threats does a layered security approach help protect against?
A layered API security strategy combines multiple controls at different levels to provide defense in depth against common API threat vectors. Continue on for a deeper dive into each of these.
Now that we have established the solution, we should also go over what specifically we are protecting against. Here is a concise list of all major threats and how they could be protected against using layered security:
These are a handful of the most common API security issues, but attackers are always finding ways to get the information they want. Security best practice is to implement a layered security system preemptively.
The first level of security is known as low-level network security at L3/L4.
This base level is especially important for edge APIs, which are meant to be consumed by third parties outside of the organization. We want to inspect traffic flows using features such as inbound encrypted traffic inspection, stateful inspection, and protocol detection. To achieve this, we can deploy outbound traffic filtering to prevent data loss, help meet compliance requirements, and block known malware communications. The goal is to inspect active traffic flow using features such as stateful inspection, protocol detection, and more. In short, we want to ensure that incoming traffic is legitimate before even thinking about moving to the next layer of security.
While these strategies are required for external API traffic, forward-thinking organizations also implement a tight level of security on this layer for internal traffic to prevent internal malicious actors and bots that could affect the systems. For many leaders in API security, this is perhaps an important distinction to make: we’re protecting ourselves from both external and internal threats. Not implementing the latter creates a vulnerability in the organization since an attacker may be running malicious software internally via other backdoors outside of the API perimeter. But that can now affect the API infrastructure itself. Internal software is not to be trusted, which brings us to the next layer of security.
The second layer of security is implementing the concept of zero-trust — to remove the concept of trust in our applications and services. We can’t trust that the client is who they claim to be, and we similarly can’t trust internal or external clients.
Let’s give a practical example: when traveling to a foreign country, typically we need to carry our passport with us to prove our identity at the border. The passport is a document that validates that we are who we claim to be. Without passports, the immigration agents would have no way of knowing if our identity is legitimate — they would have to take our word for it. How long would it take for malicious actors to exploit this system and start impersonating other people? How many criminals would just walk into our country without any possibility to stop them?
The concept of “trust” is fundamentally exploitable — we can’t rely on it. We need to have a practical way to determine the identity of people, hence we need a passport that removes the concept of trust from our immigration process. We need zero trust.
Our APIs are like borders with no immigration control: anyone and anything can make requests to them and easily spoof the identity of other clients to perform malicious operations. In order to secure our “API borders” we need to implement a zero-trust solution that validates the identity of every client. That passport can be an mTLS certificate issued to each instance of any service and validated upon every request.
Associating TLS identities to our requests allows us to implement zero-trust and tight permission controls. Managing too many TLS certificates is challenging, but service mesh makes it easy.
Implementing a zero-trust architecture across every environment that we use to deploy our applications and microservices could be a complex task. It would involve supporting enforcement across all runtimes and issuing, rotating, and revoking certificates for each service instance — potentially hundreds of thousands or even millions.
Thankfully, implementing a service mesh can help us with this endeavor; the teams can be users of zero-trust and not the builders.
A service mesh allows us to manage the entire certificate lifecycle (issuance, rotation, revocation) in an automated way. During this process, the enforcement is delegated to a sidecar proxy transparently running next to our services.
Kong Mesh extends CNCF’s Kuma and Envoy and allows you to implement an enterprise zero-trust solution across the organization in days instead of years. It handles the whole certificate lifecycle across both containers and legacy VMs, across clouds, and even private data centers.
After we’ve validated the identity of the services consuming our APIs, we need to further identify the user trying to perform the request via AuthN/Z strategies — like validating an API key or integrating with a third-party OpenID Connect provider (OIDC) or OAuth provider to determine both the identity of the user and the permission level (entitlements) that determine what operations the user can do on the API. And we need this level of security across every API that our teams are building. Therefore, it would be a smart idea to centralize how these policies are being enforced rather than decoupling across the board, which creates an incredible security risk.
Kong provides a range of AuthN/Z plugins to seamlessly provide authentication and authorization out of the box to every edge or internal API.
After validating the user, and therefore validating the legitimacy of the incoming request, we may want to still limit the traffic that they’re sending to the API. In a way, this type of control resembles the first layer of security. We may want to implement rate-limiting or throttling strategies that can help us restrict the access to the APIs. Doing this helps to prevent issues like cascading failures if too much traffic is being sent or creating tiers of consumption to our APIs that we can charge for as an additional revenue stream.
Kong provides sophisticated traffic control capabilities both at the L4 mesh layer and at the L7 API gateway layer — and enforces them with performance and low latency to preserve the quality of the end-user experience.
Finally, even when all traffic has been validated through each of the previous security layers, the most sophisticated enterprise organizations will still create API traffic models to determine if the known users are executing any unexpected operation. This may be caused by a known user turning malicious or by malicious actors coming to possess a known user’s credentials.
Ultimately, our API users are also susceptible to attacks, and their credentials may be compromised without us knowing it. To control this issue, we may want to adopt heavy API monitoring and analytics combined with async ML capabilities that create a model of our traffic for each client and user. Again, these types of enforcements are hard to build on a per-team basis and must be provided by the platform team in charge of building the mission-critical (and security-approved) API infrastructure for the organization.
Lastly, our API policies are ultimately configured and set up by employees working for our organization. No layer of security is immune to human misconfiguration of the system — be it accidental or intentionally malicious. Every organization must enforce a policy approval workflow (a standardized approach to API governance) that requires the approval of at least another person in the organization working on a different team.
Policy enforcement also encompasses many layers:
Like the other topics we’ve covered, policy enforcement is also a cross-cutting concern that affects every team in the organization. To make our teams more productive, we should provide them with an out-of-the-box solution that they can start using right away — one that is validated by both the platform and security teams of the organization.
Policy enforcement and control is compliance. As such, it’s mission-critical. It can’t be decomposed into a fragmented solution that the individual teams are responsible for. Otherwise, we would have no visibility (and be showing a lack of corporate responsibility) into assessing the quality and validity of our API infrastructure policies.
We can further limit the margin of error by providing global policies that can’t be changed by the teams and are always applied, like security policies.
An example workflow could be:
Kong provides API controls for policy enforcement and linting throughout Kong Konnect that can be integrated via APIs and GitOps to any existing solution your organization may be adopting.
APIs have become crucial gateways to data and services — and they have a massive economic impact, with APIs projected to contribute $14.2 trillion to the global economy by 2027. The proliferation of APIs demands more advanced, multi-layered security strategies.
Adopting a layered security model is the most effective way to safeguard APIs. It provides overlapping security that protects against common attack vectors like DDoS, injections, data theft, and more.
Between 2021 and 2030, there will be a projected 996% surge in the number of API attacks. And attacks are increasing not just in regularly but in cost. As threats escalate, the security standards must follow suit. A layered strategy delivers the intelligent, adaptive defense today's APIs demand.
To learn more about security in an API-first world, check out the Kong eBook Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company.
We're very excited to announce Kong Mesh 2.12 to the world! Kong Mesh 2.12 delivers two very important features: SPIFFE / SPIRE support, which provides enterprise-class workload identity and trust models for your mesh, as well as a consistent Kuma R
Meet Emily. She’s an API product manager at ACME, Inc., an ecommerce company that runs on dozens of APIs. One morning, her team lead asks a simple question: “Who’s our top API consumer, and which of your APIs are causing the most issues right now?”
In the last two parts of this series, we discussed How to Strengthen a ReAct AI Agent with Kong AI Gateway and How to Build a Single-LLM AI Agent with Kong AI Gateway and LangGraph . In this third and final part, we're going to evolve the AI Agen
In my previous post, we discussed how we can implement a basic AI Agent with Kong AI Gateway. In part two of this series, we're going to review LangGraph fundamentals, rewrite the AI Agent and explore how Kong AI Gateway can be used to protect an LLM
This is part one of a series exploring how Kong AI Gateway can be used in an AI Agent development with LangGraph. The series comprises three parts: Basic ReAct AI Agent with Kong AI Gateway Single LLM ReAct AI Agent with Kong AI Gateway and LangGr
What Is RAG, and Why Should You Use It? RAG (Retrieval-Augmented Generation) is not a new concept in AI, and unsurprisingly, when talking to companies, everyone seems to have their own interpretation of how to implement it. So, let’s start with a r
In February 2024, Kong became the first API platform to launch a dedicated AI gateway, designed to bring production-grade performance, observability, and policy enforcement to GenAI workloads. At its core, Kong’s AI Gateway provides a universal API
