Complete API Security with Cequence UAP and CDN Integrations

January 16, 2023 | by Matt Keil

UAP & CDN API Protection Integration

With the underlying goal of improving web application user experience, content delivery network (CDN) solutions such as Akamai, Amazon, Cloudflare, and Fastly were originally designed to help organizations optimize their public-facing web and API-based application content delivery. Over time, CDNs added application security like web application firewalls (WAFs), bot prevention, and distributed denial of service (DDoS) protection to increase their revenue streams and to provide these additional customer benefits:

  • Reduced Infrastructure Cost: Stopping volumetric threats at the edge means reducing hosting and bandwidth cost. 
  • Improved Performance: Single-pass architecture reduces multiple hops necessary for different security solutions, thereby improving performance and latency characteristics of the apps.
  • Reduced Security Workload: Most WAAP or cloud WAF solutions are offered as managed security solutions, thereby helping the already struggling security staff.

Delivering web application security at the CDN layer made perfect sense, with industry analysts supporting the architecture by creating the web application and API solution category (WAAP).

API Security Challenges Introduced by CDNs

Developers have come to love APIs because of their inherent flexibility and power – each API includes all necessary commands, payload, and data to produce engaging user interactions. As organizations continue to move aggressively towards an API-first development methodology to support their public-facing applications, the solution architecture becomes more complex while the customer benefits delivered by all-in-one CDN and WAAP offerings are lessened. Some of the API security challenges CDNs face include:

  • Increased costs: APIs do not require caching, and routing that traffic through a CDN merely increases costs.
  • Latency: Widespread API adoption often means incorporating cloud-based services, microservices and API gateways outside of the CDN, introducing latency from traversing multiple cloud resources. 
  • Lack of API visibility: The distributed nature of API development and the wide variations in use cases means CDNs may never see some of the APIs. 
  • Low-efficacy bot protection: The clientless nature of an API means that CDN-based JavaScript and SDK integration-dependent bot protection cannot be implemented effectively.
  • Weak API risk analysis: CDNs lack in-depth analysis required to uncover coding errors that can lead to vulnerabilities easily exploited by bad actors. 

To improve API security without losing the caching benefits of a CDN, an alternative approach is to route the API traffic to a dedicated, SaaS-based API protection solution where it can be inventoried, analyzed, and protected. 

Cequence Unified API Protection and CDN Integration

The Cequence Unified API Protection (UAP) solution addresses the API security challenges of a CDN-based approach with full API protection lifecycle coverage. Deployed as a SaaS or as a hybrid architecture, the Cequence UAP integrates with leading CDN offerings from Akamai, Cloudflare, Amazon CloudFront and Fastly to provide customers full API protection without losing the benefit of CDN web content caching. Cequence UAP features include:

  • Discover Public-Facing API Attack Surface: API development and deployment is often distributed across many groups, introducing the risk of APIs deployed outside of a CDN's purview. The Cequence UAP solution solves that challenge by continuously assessing your public-facing APIs and resources to provide an attacker's view of your organization's attack surface, including cloud hosting services, any associated API endpoints, and servers that may be vulnerable to Log4j and LoNg4j exploits.
  • Centralized Inventory Tracking of Known and Unknown APIs: The Cequence UAP solution integrates with CDNs and a range of API gateways to provide centralized API visibility and inventory tracking of all the APIs deployed and managed by the respective API gateways. Unregistered or unknown APIs are also discovered, allowing security and development to migrate those shadow APIs to the respective API gateway to ensure security and governance policy consistency. 
  • Strengthen Compliance and Data Governance Controls: Cequence helps organizations enforce compliance and governance controls with proactive API risk analysis and remediation. Predefined and custom risk assessment rules help organizations find and remediate coding errors that introduce sensitive data handling and authentication vulnerabilities that can lead to data governance and compliance violations.
  • Detect Sophisticated API Attacks: Going beyond basic protections that CDNs can provide, Cequence UAP analyzes your APIs using ML-based analysis based on a threat database with millions of records and behavioral fingerprinting to detect and continually track sophisticated API attacks as they retool to evade detection.
  • Flexible, Real-Time Mitigation Responses: Real-time responses to API attacks range from basic block and rate limiting to HTTP header insertion and deception, all executed in real time, per policy or per app, without reliance on integration with third-party WAFs.

Review the API gateway integration guides for Akamai, Cloudflare, Amazon CloudFront and Fastly to learn how the Cequence UAP can protect your APIs and reduce your CDN expenditures.

Matt Keil

Director of Product Marketing