Think Beyond the Perimeter: Secure Your APIs with East-West Visibility
Extend east-west visibility and policy controls to APIs
As more and more organizations take a digital-first approach, business application workloads are increasing in both quantity and sensitivity. Typically, the first line of defense for these digital assets is a strong perimeter security posture — both on-premises and in the cloud.
This can take a variety of forms, including, but not limited to:
Next-generation firewalls
Web application and API protection (WAAP) platforms
Cloud-native security policies
Although these security mechanisms remain as important as ever, they are not sufficient on their own. Even for well-defended data center and cloud environments, breaches are an inevitable fact of life. It’s not a matter of if ... it’s a matter of when.
A new category of east-west API communication
Many security teams realize this and are increasing their focus on monitoring and securing east-west communication within the network or cloud perimeter. Most commonly, this begins with greater scrutiny of network-level communication among internal endpoints and workloads. However, the explosive growth in internal API use has created a second category of east-west communication, as internal applications and services communicate with one another programmatically.
Even though most organizations recognize the problem, many are still struggling to solve it. The volume of east-west network traffic, which generally exceeds north-south traffic by a wide margin, is one of the biggest complicating factors.
And, now, the introduction of a new category of east-west API communication is making the problem even bigger and more complex. APIs have very different risks and attack vectors than traditional network-based threats. In addition, since this new category consists of automated, machine-to-machine communication, the traffic volume can grow to become even more substantial.
The danger of east-west visibility gaps
As convenient as it was in the past to assume that all internal traffic can be implicitly trusted, this no longer reflects the realities of today’s threat landscape. Threat actors will inevitably exploit data center and cloud security weaknesses to gain unauthorized network, cloud, or system access. Whether or not these breaches will escalate into large-scale incidents hinges on an organization’s ability to detect threats in east-west traffic.
The sheer volume of east-west traffic, along with the fact that it is often assumed to be legitimate, works to the advantage of threat actors. Once they establish a foothold in a trusted environment, they will generally attempt to move laterally toward higher-value assets.
These efforts sometimes advance quickly, but they may also unfold over several months, with the threat actors blending their activities in with legitimate east-west traffic. What’s more, APIs add an entirely new dimension to the east-west visibility and monitoring challenges.
Ignoring API traffic is no longer an option
Internal APIs are now widely used to make sensitive data and business workflows accessible to multiple applications. Internal APIs are likely assumed to be “safer,” since they should not be available outside the organization. But how would you know if they have been compromised?
You need to see and assess their behavior to know if your organization is safe. Ignoring API traffic is no longer an option. APIs provide a new and potentially devastating attack vector for threat actors attempting to move laterally within an on-premises or cloud environment.
In a more traditional breach scenario, a threat actor may need to go through the effort of escalating privileges and exploiting system-level vulnerabilities to move laterally. Internal APIs, however, make available an entirely new set of attack techniques.
Vulnerabilities in API implementations are common
In some cases, internal APIs may be implemented without the necessary security controls in place, since they are assumed to be inaccessible by outside parties. But even when sound security practices are used, vulnerabilities in API implementations are common. Too frequently, internal east-west APIs are misconfigured and unknowingly left exposed to the internet. If found, what was an east-west API can quickly become the source of a data breach.
Some attacks may not even require an API vulnerability; instead, the threat actor may simply abuse standard API functionality. This is particularly difficult to detect since it’s nearly indistinguishable from sanctioned API use. And even if an organization has a dedicated WAAP platform in place, it is generally focused on north-south API activity only.
Get east-west visibility and policy enforcement
Through our heritage as a leader in content delivery, we are well-known for our ability to optimize the performance, scalability, and security of north-south application activity. And through our strategic acquisitions, such as the Guardicore and Neosec acquisitions, we have also gained a highly differentiated set of capabilities to visualize and secure east-west activity.
Together, Akamai Guardicore Segmentation and Akamai API Security address the key elements of east-west traffic discovery, analysis, and threat detection in a highly complementary manner.
| | Akamai Guardicore Segmentation | Akamai API Security |
|---|---|---|
| Discovery | Discover endpoint and application flows | Find every API in use across the organization |
| East-west visibility | See lateral movement on the network | See the APIs that connect internal apps |
| Threat detection | Detect anomalous and noncompliant network activity | Detect API vulnerabilities and noncompliant API usage |
| Policy enforcement | Enforce agent-based and agentless integration with network controls | Enforce agentless integration with API gateways and WAAP platforms |
| Threat hunting | Get data-driven infrastructure-level threat hunting as a service | Get data-driven API threat hunting as a service |
Comprehensive discovery is the foundation of east-west visibility and protection
Akamai Guardicore Segmentation
When it comes to both east-west network traffic and API use, effective information discovery is a building block for your visibility, detection, and policy enforcement approach. Even if effective security capabilities are in place for east-west traffic, they will not be effective if they are operating with incomplete data.
Akamai Guardicore Segmentation uses an extensive collection of techniques to ensure that all endpoints and application workloads, as well as all the information flows between them, are discovered. This includes network-level collectors, host-based agents, cloud provider API integrations, and more.
Akamai API Security
Akamai API Security uses a similarly broad approach to discover all APIs in use across the organization, including rogue or shadow APIs that bypass standard systems and practices. This includes log collection from all available sources, including API gateways, content delivery networks, network devices, cloud platforms, and more.
Collectively, the discovery capabilities of Akamai Guardicore Segmentation and Akamai API Security help ensure that you have a complete view of east-west activity at multiple levels of your application stack.
Prevent lateral movement in data center and cloud environments
Akamai Guardicore Segmentation allows you to visualize all the communication flows in your data center and/or cloud environments with a high degree of detail. You can use these insights to create granular Zero Trust segmentation policies that tightly control the communication flows between endpoints and application workloads.
In addition to blocking activity that does not comply with your segmentation policies, Akamai Guardicore Segmentation also uses Akamai threat intelligence to detect and alert you when suspicious activity appears in your east-west data center and cloud traffic.
Extend east-west visibility and policy controls to APIs
Just as Akamai Guardicore Segmentation allows you to visualize and manage communication flows, Akamai API Security provides visibility into all your API activity, including east-west API use, and uses sophisticated behavioral analytics to detect API abuse that would otherwise be hidden within legitimate activity.
Akamai API Security generates information-rich alerts when suspicious API use is detected. It can also perform automated policy responses, such as revoking credentials or implementing rate limiting, through integrations with Akamai or third-party WAAP platforms.
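The two preceding sections describe the same idea at two layers: an allow-list of permitted flows between workloads (segmentation policy) and a behavioral baseline of which internal APIs each service normally calls, with rate limiting as an automated response. The following Python script is an added illustration of that combination and is not Akamai's product code or derived from it. The log format, service names (`orders-svc`, `billing-svc`, `reporting-svc`, `inventory-api`, `customer-api`), API paths, the `ALLOWED_FLOWS` policy and the per-minute threshold are all constructed assumptions for the demo. It learns a baseline from one day of east-west API calls, then flags three kinds of findings in a later log: a caller-to-callee flow outside the segmentation policy, a caller hitting an endpoint it never used during baselining, and a flow whose call rate exceeds the limit that would trigger a rate-limiting response.

```python
"""Added example (not Akamai's code): segmentation allow-list plus behavioral
baseline over constructed east-west API call logs. All names, paths and the
rate threshold below are assumptions made for the demo."""
import re
from collections import Counter, defaultdict

# Segmentation-style policy: which service may call which internal API (assumed).
ALLOWED_FLOWS = {
    ("orders-svc", "inventory-api"),
    ("orders-svc", "customer-api"),
    ("billing-svc", "customer-api"),
}
RATE_LIMIT_PER_MINUTE = 5  # assumed threshold at which rate limiting would kick in

# Constructed log lines: timestamp|caller|callee|method|path|status
BASELINE_LOG = [
    "2024-05-01T09:00:01Z|orders-svc|inventory-api|GET|/v1/stock/123|200",
    "2024-05-01T09:00:02Z|orders-svc|inventory-api|GET|/v1/stock/456|200",
    "2024-05-01T09:00:05Z|billing-svc|customer-api|GET|/v1/customers/42|200",
    "2024-05-01T09:00:07Z|orders-svc|customer-api|GET|/v1/customers/42/address|200",
    "2024-05-01T09:00:09Z|billing-svc|customer-api|GET|/v1/customers/77|200",
]

# Constructed detection-window log: one sanctioned call, one unexpected export
# endpoint, and an unapproved service enumerating customers inside one minute.
DETECT_LOG = [
    "2024-05-02T14:10:00Z|orders-svc|inventory-api|GET|/v1/stock/123|200",
    "2024-05-02T14:10:01Z|orders-svc|customer-api|GET|/v1/customers/export|200",
] + [
    f"2024-05-02T14:10:{s:02d}Z|reporting-svc|customer-api|GET|/v1/customers/{s}|200"
    for s in range(2, 10)  # 8 calls within the same minute
]


def parse_line(line):
    """Split one pipe-delimited record into a dict."""
    ts, caller, callee, method, path, status = line.strip().split("|")
    return {"ts": ts, "caller": caller, "callee": callee,
            "method": method, "path": path, "status": int(status)}


def normalize_path(path):
    """Collapse numeric path segments so /v1/customers/42 and /v1/customers/77
    map to the same endpoint key, /v1/customers/{id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def build_baseline(lines):
    """Learn, per caller, the set of (callee, method, normalized path) it used."""
    baseline = defaultdict(set)
    for rec in map(parse_line, lines):
        baseline[rec["caller"]].add(
            (rec["callee"], rec["method"], normalize_path(rec["path"])))
    return dict(baseline)


def analyze(lines, baseline, allowed_flows=ALLOWED_FLOWS,
            rate_limit=RATE_LIMIT_PER_MINUTE):
    """Return sorted, de-duplicated findings as (kind, caller, callee, detail)."""
    findings = set()
    per_minute = Counter()
    for rec in map(parse_line, lines):
        flow = (rec["caller"], rec["callee"])
        # 1. Segmentation policy: is this caller allowed to talk to this API at all?
        if flow not in allowed_flows:
            findings.add(("policy_violation", flow[0], flow[1], ""))
        # 2. Behavioral baseline: has this caller used this endpoint before?
        endpoint = (rec["callee"], rec["method"], normalize_path(rec["path"]))
        if endpoint not in baseline.get(rec["caller"], set()):
            findings.add(("new_endpoint", flow[0], flow[1],
                          f"{rec['method']} {endpoint[2]}"))
        # 3. Volume: bucket calls per flow per minute (ts[:16] drops seconds).
        per_minute[(flow, rec["ts"][:16])] += 1
    for (flow, minute), n in per_minute.items():
        if n > rate_limit:
            findings.add(("rate_exceeded", flow[0], flow[1],
                          f"{n} calls in {minute}"))
    return sorted(findings)


if __name__ == "__main__":
    learned = build_baseline(BASELINE_LOG)
    for finding in analyze(DETECT_LOG, learned):
        print(finding)
```

Run against the constructed logs, the baseline window itself produces no findings, while the detection window yields one policy violation and one rate-limit finding for `reporting-svc`, plus two new-endpoint findings (the `export` path for `orders-svc` and the customer lookup for the unapproved `reporting-svc`). The path normalization is what keeps the baseline from being a list of every ID ever requested; in a real deployment the learning window would be far longer and the allow-list would come from the segmentation policy rather than a hard-coded set.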
Conclusion
Gaining visibility and control over east-west communication is one of the highest-impact improvements that organizations can make to their security posture. Doing it well requires east-west visibility across a multitude of areas — from the more traditional networks in on-premises and cloud environments to the new network of interconnected APIs.
Together, Akamai Guardicore Segmentation and Akamai API Security make it easy to:
Gain east-west visibility at all levels of your network and application stack
Detect malicious activity that is attempting to hide in east-west traffic
Implement granular policies that prevent threat actors from moving laterally and abusing APIs
Read more about API security in a Zero Trust world.