Digital transformation is affecting more and more industries and accelerating the evolution of web technologies. Former showcase projects become legacy systems within just a few years. This development affects IT security solutions too. The trend clearly points towards a convergence of application security, API protection and access management.

Web application firewalls must adapt responsively

Only ten years ago, we had to painstakingly convince our customers of the concept of a Web Application Firewall (WAF), and explain how these differ from conventional network firewalls. Today, the WAF market is global, worth billions of dollars and highly competitive. But there are already signs of impending rejection. The traditional HTML Web applications, for which WAFs are designed, are increasingly being replaced by modern single-page applications (SPA). SPAs consist of a Javascript application that runs in the browser and simultaneously accesses several APIs in the back end. These APIs are mostly REST based and use JSON as the transport format. Protecting these APIs requires new technologies, as the basic interaction paradigm between client and server has changed.

By 2021, 65% of new applications will be built as a mesh of multichannel apps and multigrained back-end services that communicate via APIs.

[1] Critical Capabilities for Full Life Cycle API Management, Gartner, 2018

API security is also web security

Traditional API gateways are, however, only partially suitable for securing the new type of web applications. These are mostly designed for SOAP web services, which are used primarily in machine-to-machine communication, require enterprise service buses and are trapped in the straitjacket of highly complex standards. This does not fit with the brave new world of REST, which is characterised by agility and lightness.

Far more relevant, however, is the fact that modern APIs are used by very different clients: traditional web applications, browser-based SPAs, native and hybrid smartphone apps, ‘things’ or even other APIs. Since an internal API can also be addressed by web clients, the API Gateway suddenly has requirements that are similar to those of a WAF. IT security issues such as cross-site scripting or injection attacks thus become relevant on all channels. Unfortunately, many API Gateways have never heard of the OWASP Top 10 and Content Filtering.

APIs need access management

Of course, content filtering is very important for protecting APIs. However, the most important reason for using API gateways is access control [1]. Access to APIs must be secured using standards such as OAuth 2.0, OpenID Connect and SAML. This includes not only the technical authorisation of "clients", for example an app, but also user authentication in particular. This, in turn, requires integration with Web Single Sign-on and Identity and Access Management (IAM).

IAM and the customers

The identities discussed here are very heterogeneous and include a variety of "external" identities, such as those of customers or partners. Unlike workforce IAM systems, so-called customer IAM (cIAM) systems are better designed to manage such external users. cIAM systems provide easy scalability with large user numbers, and a seamless user experience through optimised and integrated onboarding and self-service UIs. The handling of social identities (BYOI) and high levels of flexibility in the authentication process (adaptive authentication) are crucial here.

Airlock SAH - More than the sum of its parts

Well, where does all this lead to? WAFs need to protect APIs, API gateways need to learn web security, APIs need access control, and the users encountered are difficult to manage using conventional enterprise IAM systems. In addition, we all know the disadvantages of "Spot Solutions", which do not look beyond their own horizons and leave open a great many gaps at the transition points.

The Airlock Secure Access Hub integrates these requirements into a coordinated and coherent solution consisting of a WAF, an API gateway, and a customer IAM system. Many security experts are now convinced that this is the right and future-oriented architecture for sustainable IT security.


Learn more about the Secure Acces Hub


Inflexible organisational structures – an unexpected obstacle

However, another (at first glance rather unexpected) problem is less technical, but rather organisational. How do you buy a secure access hub within which diverse technologies can converge as a whole? Nowadays, the responsibility for these topics usually lies in different departments, such as the IT infrastructure, network operation, CISO, user administration or even marketing. The benefits of an integrated approach, such as lower total cost of ownership and faster times to market are, in turn, felt by the business, which is not usually involved in IT security procurement.

However, we actually already knew that: Digitisation not only changes technologies, but also encompasses business processes and dismantles inflexible organisational structures. Greater flexibility, collaboration and agility are needed. Ultimately, therefore, the ball is in your court. Is your company ready for the integrated IT security of the future?

Blognews directly to your inbox

The Airlock Newsletter informs you continuously about new blog articles.

Subscribe blognews

Comments 0

More interesting articles

Cyber Security Study

Cyber Security Study

Airlock Academy has been revamped!

Airlock Academy has been revamped!

Security in concrete terms - 2FA in the banking world

Security in concrete terms - 2FA in the banking world

Information for you

-Our whitepaper-

IT-security solutions

Digitalisation is presenting businesses with new challenges which go far beyond information technology. This primarily relates to an aspect which is becoming increasingly important: IT security.

Read our whitepaper to find out how IT-Security will become the pioneer of degitalization.

Request free of charge

Accelerate digitisation

To stay technically viable in this digital transformation, you must increasingly switch to hybrid cloud environments. This requires new security approaches as well as coordinated identity and access management.

Find out more in our whitepaper in collaboration with Deloitte, eperi and SHE.

Request free of charge

OWASP Top 10 for API Security

OWASP has created a new Top10 list for API Security. The top 10 listed reflect a broad consensus on what the most important API security issues are at the moment.

In our whitepaper you will learn how our Airlock API addresses the OWASP Top 10.

Request free of charge