Airlock Gateway 7.4
What is the Airlock Gateway?
The Airlock Secure Access Hub contains the three products Airlock WAF, Airlock API and Airlock IAM. However, when it comes to downloading, deploying or documenting the Secure Access Hub, there are only two technical components: the Airlock Gateway and Airlock IAM. Hence, from now on we use the term Airlock Gateway when referring to the technical component that provides the functional building blocks for Airlock WAF and the content filtering functionality of Airlock API. This mainly affects technical documentation, architecture blueprints and release announcements such as this one.
The Airlock Gateway has always been available as an appliance. With the launch of the Airlock Microgateway, it is now also available as a container.
Version 7.4 of the Airlock Gateway brings important new features for Airlock WAF and Airlock API. The ability to secure REST interfaces with API keys is an important milestone for Airlock API. It allows API access control and compliance with API usage plans to be managed centrally. The REST API for configuration has also been extended with a multitenancy option, which allows delegation of certain operational tasks, such as showing maintenance pages.
API Keys and Usage Plans
API keys are a proven method of access control for APIs. In addition to user authentication, API keys are used to identify and control technical clients. API endpoints may be combined into logical APIs, whose consumption is controlled by rate limits defined in usage plans.
The new feature of Airlock API is based on a tight integration of the Airlock Gateway with Airlock IAM. This allows the individual strengths of the two components to complement one another:
- The Airlock Gateway acts as a policy enforcement point for API key validation, access control and usage plan monitoring in the live data stream.
- Airlock IAM serves as a policy decision point and takes care of the administration of technical API clients, usage plans and API keys.
This feature requires Airlock IAM version 7.2 (STS) or higher.
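The policy enforcement point / policy decision point split described above can be illustrated with a small simulation. The following is an added example, not Airlock code: the `CLIENT_REGISTRY` stands in for the decision data a PDP such as Airlock IAM would hand to the gateway (keys stored only as SHA-256 fingerprints), and `PolicyEnforcementPoint` plays the gateway, which validates the presented key, checks that the client is subscribed to the logical API behind the requested endpoint and enforces the usage plan's rate limit in the live request stream. The header name, the logical API mapping and the sliding-window limiter are assumptions for this example.

```python
import hashlib
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class UsagePlan:
    name: str
    max_requests: int     # requests allowed per window
    window_seconds: int   # length of the sliding window


@dataclass(frozen=True)
class ApiClient:
    client_id: str
    allowed_apis: frozenset   # logical APIs this technical client is subscribed to
    plan: UsagePlan


def key_fingerprint(api_key: str) -> str:
    """API keys are high-entropy secrets, so a plain hash is enough to avoid storing them in clear."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed: endpoint prefix -> logical API name (assumption for this example).
LOGICAL_APIS = {"/orders/": "orders-api", "/catalog/": "catalog-api"}

# Constructed: what the PDP administers and the PEP enforces. Key values are placeholders.
GOLD = UsagePlan("gold", max_requests=3, window_seconds=60)
FREE = UsagePlan("free", max_requests=1, window_seconds=60)
CLIENT_REGISTRY = {
    key_fingerprint("ak_live_EXAMPLE_ONLY_1"):
        ApiClient("partner-a", frozenset({"orders-api", "catalog-api"}), GOLD),
    key_fingerprint("ak_live_EXAMPLE_ONLY_2"):
        ApiClient("partner-b", frozenset({"catalog-api"}), FREE),
}


class PolicyEnforcementPoint:
    """Gateway-side checks: key validity, API subscription, usage plan (in that order)."""

    def __init__(self, registry):
        self.registry = registry
        self._windows = {}   # client_id -> deque of request timestamps within the window

    def _logical_api(self, path):
        for prefix, name in LOGICAL_APIS.items():
            if path.startswith(prefix):
                return name
        return None

    def _within_plan(self, client, now):
        window = self._windows.setdefault(client.client_id, deque())
        cutoff = now - client.plan.window_seconds
        while window and window[0] <= cutoff:   # drop requests that left the window
            window.popleft()
        if len(window) >= client.plan.max_requests:
            return False
        window.append(now)
        return True

    def decide(self, path, headers, now):
        """Return (status, reason); status 200 means the request is forwarded to the backend."""
        api_key = headers.get("X-API-Key")   # header name is an assumption
        if not api_key:
            return 401, "missing API key"
        client = self.registry.get(key_fingerprint(api_key))
        if client is None:
            return 401, "unknown API key"
        api = self._logical_api(path)
        if api is None:
            return 404, "endpoint not published"
        if api not in client.allowed_apis:
            return 403, f"{client.client_id} is not subscribed to {api}"
        if not self._within_plan(client, now):
            return 429, f"usage plan {client.plan.name} exhausted"
        return 200, f"forward to backend as {client.client_id}"


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(CLIENT_REGISTRY)
    for t in range(4):
        print(pep.decide("/orders/42", {"X-API-Key": "ak_live_EXAMPLE_ONLY_1"}, now=t))
```

Note that the rate-limit state lives in the enforcement point, so in a multi-instance deployment each gateway instance would count separately unless the counters are shared; how the real product handles this is not covered by the announcement.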
Multitenancy for REST API
Responsibility for applications is often distributed throughout the company, while the operation of security infrastructure such as the Airlock Gateway is controlled centrally. Often, application managers would like to take over recurring maintenance work or simple configuration adjustments on Airlock Gateway themselves. Therefore, we have introduced multitenancy on the REST API. Configuration objects are assigned to individual tenants in the Configuration Center. With an API key specifically generated for each tenant, a REST client is now restricted to accessing only its assigned objects and selected REST endpoints.
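To make the tenant scoping concrete, here is an added example (not Airlock's REST API or code) of how a tenant-specific key can confine a REST client to its own configuration objects and to a delegated subset of endpoints. The endpoint paths, the object model and the maintenance-page operation are hypothetical; the security-relevant choice shown is that an object outside the caller's tenant is answered with 404 rather than 403, so one tenant's key cannot be used to confirm which object ids belong to other tenants.

```python
import hashlib
import re


def key_fingerprint(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed: one REST API key per tenant, stored only as a fingerprint (values are placeholders).
TENANT_BY_KEY = {
    key_fingerprint("tenant_key_EXAMPLE_shop"): "shop-team",
    key_fingerprint("tenant_key_EXAMPLE_hr"): "hr-team",
}

# Constructed: the endpoints delegated to each tenant as (method, path pattern). Hypothetical paths.
TENANT_ENDPOINTS = {
    "shop-team": [("GET", r"^/configuration/mappings(/[^/]+)?$"),
                  ("PUT", r"^/configuration/mappings/[^/]+/maintenance-page$")],
    "hr-team":   [("GET", r"^/configuration/mappings(/[^/]+)?$")],
}

# Constructed: configuration objects with the tenant assigned in the Configuration Center.
# A tenant of None means the object stays under central control only.
CONFIG_OBJECTS = {
    "mapping-shop": {"tenant": "shop-team", "maintenance": False},
    "mapping-hr":   {"tenant": "hr-team", "maintenance": False},
    "mapping-core": {"tenant": None, "maintenance": False},
}

OBJECT_IN_PATH = re.compile(r"^/configuration/mappings/([^/]+)")


def authorize(method, path, api_key):
    """Return (status, tenant, reason). 200 means the call may proceed in the tenant's scope."""
    tenant = TENANT_BY_KEY.get(key_fingerprint(api_key or ""))
    if tenant is None:
        return 401, None, "unknown tenant key"
    if not any(meth == method and re.match(pat, path) for meth, pat in TENANT_ENDPOINTS[tenant]):
        return 403, tenant, "endpoint not delegated to this tenant"
    match = OBJECT_IN_PATH.match(path)
    if match:
        obj = CONFIG_OBJECTS.get(match.group(1))
        # Outside the tenant's scope the object does not exist as far as the caller is concerned.
        if obj is None or obj["tenant"] != tenant:
            return 404, tenant, "no such object in tenant scope"
    return 200, tenant, "allowed"


def list_objects(api_key):
    """Collection endpoint: the caller only ever sees objects assigned to its own tenant."""
    status, tenant, _ = authorize("GET", "/configuration/mappings", api_key)
    if status != 200:
        return []
    return sorted(name for name, obj in CONFIG_OBJECTS.items() if obj["tenant"] == tenant)


def set_maintenance(api_key, object_id, enabled):
    """The delegated operational task from the announcement: toggling a maintenance page."""
    path = f"/configuration/mappings/{object_id}/maintenance-page"
    status, _, _ = authorize("PUT", path, api_key)
    if status == 200:
        CONFIG_OBJECTS[object_id]["maintenance"] = enabled
    return status


if __name__ == "__main__":
    print(list_objects("tenant_key_EXAMPLE_shop"))
    print(set_maintenance("tenant_key_EXAMPLE_shop", "mapping-shop", True))
    print(set_maintenance("tenant_key_EXAMPLE_shop", "mapping-hr", True))
```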
There are many other improvements in the new release, such as improved deny rules, the validation of responses against OpenAPI specifications, session tracking by headers instead of cookies and an upgrade of Elasticsearch and Kibana.
For a complete overview and a detailed change log, please refer to the release notes on Techzone.
Modern IT security architectures are evolving towards micro segmentation and zero trust architectures. Modern software development is done in agile teams and follows DevOps paradigms. The Airlock Microgateway is the perfect fit for these requirements. The new component is a lightweight alternative to the Airlock Gateway appliance and can be used as a container in microservice architectures. The development was done in close cooperation with DevOps professionals and pilot customers.
With the advent of microservice architectures and DevOps practices, central security gateways concentrating many tasks for all services on a single system have increasingly been challenged. The various stakeholders may have differing requirements, timelines and policies for the single system they share.
Security should be part of a deployment pipeline from the very first minute. Adding security only as a last step before going live frequently leads to security teams being blamed for missed deadlines, to unhealthy compromises and ongoing tension between teams. As developers are asked to embrace operational responsibility for their services, they require a security component that
- is lightweight (for coupling with microservices),
- belongs to them (so they can take responsibility) and
- follows DevOps best practices for automation and configuration.
This is where the Airlock Microgateway comes in. The Airlock Microgateway is based on the time-tested security core of the Airlock Gateway appliance. It supports most security features, such as Deny Rules, OpenAPI specifications and JWT validation and examination. It has no graphical UI but uses a stripped-down, DSL-based configuration file for simple integration into developer tooling.
The Airlock Microgateway is designed to run on Kubernetes and OpenShift. It follows an individual release schedule.