Security is a critical factor in the digital strategy of organizations. The Estado das APIs no Brasil 2017 (“State of APIs in Brazil”) report, conducted by Sensedia in partnership with IDC, shows that security is the most worrying factor in the API strategies of organizations.
The result of this survey reinforces the importance of adequate security management.
Against this background, an API management platform gains even more prominence in ensuring information security in times of general data protection laws and microservices. At the same time, even monolithic applications are evolving, and a good portion of them already expose REST APIs, which facilitates integration but which, without adequate governance, may end up exposing the organization itself.
In this context, we notice a tendency for organizations to decentralize technical decisions by distributing responsibilities across squads. In this article, we analyze the impact of decentralizing security decisions to development squads and the role of the API Gateway and the Service Mesh in ensuring that security best practices are applied.
One must ensure that security practices are implemented in all system interfaces, that is, across all APIs. In a decentralized environment, ensuring that best security practices are implemented everywhere is a complex task. It also implies a great effort by the security team to inspect solutions for vulnerabilities after they have been built. It is much more convenient to prevent such problems where possible, by freeing developers from having to make these decisions at all. For more detail on how to protect the organization from the OWASP Top Ten, read the article Top 10 Riscos de Segurança na Web (OWASP 2017) e como mitigá-los com API Management (“Top 10 Security Risks on the Web (OWASP 2017) and how to mitigate them with API Management”).
We have noticed that solution developers, whether they build apps or backend services, are most often concerned with implementing business rules and frequently overlook major security aspects. Moreover, programmers find it difficult to deal with the complex aspects of data security and protection, as they are better prepared to deal with programming logic and development frameworks.
We have also noticed that highly project-oriented organizations, when faced with pressure on project deadlines, tend to become lax in terms of security. For this reason, we consider that decisions related to information security should be governed at the corporate level, removing the main information security decisions from individual projects.
Large organizations usually have a complex and heterogeneous IT environment, involving applications built with different languages and technologies. New technologies can enable innovation and bring advantages, but this diversity brings challenges of its own, such as:
These implications mainly affect two IT goals: the optimal use of IT resources and IT agility.
In the scenario we are describing, the API Gateway and the Service Mesh play the key role of standardizing security at the interfaces of services while ensuring that up-to-date security controls are applied. This reduces the risk of attacks and allows a quick response to incidents that would otherwise be much harder to achieve. At the same time, it streamlines IT by removing this complexity from the applications that provide the service, allowing developer teams to focus on the code that generates innovation for the business. The API Gateway thus centralizes communication with customer and partner applications, regulating incoming traffic from outside the organization (north-south traffic), while the Service Mesh takes care of communication between microservices within the organization’s internal network (east-west traffic). In addition to security, API platforms and the Service Mesh address, among other cross-cutting themes:
Please note that we have listed a few important capabilities as examples, but the list is not limited to these themes. Combined, these tools are great business accelerators that help ensure the application of best practices and security policies while addressing cross-cutting themes on north-south and east-west traffic. Finally, they simplify the architecture by relieving application developers of these and other non-functional requirements, freeing them to do what they do best: developing apps and business features.
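To make the division of labour described above concrete, the following is an added illustration (not Sensedia product code and not part of the original article) of the pattern in miniature: a gateway that runs a uniform policy chain on every north-south request before any business handler sees it, and a mesh-style allow-list that decides which internal service may call which on the east-west path. All names, tokens and the `orders`/`inventory` services are constructed for the example; a real platform would take credentials, limits and peer policies from its own configuration store rather than from in-code dictionaries.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample credentials: opaque token -> client identity.
# A real gateway resolves these from its credential store, not from code.
API_TOKENS = {"tok-partner-123": "partner-app", "tok-mobile-456": "mobile-app"}

# Constructed east-west policy: which service may call which (caller, callee).
# This is the role a service mesh authorization policy plays inside the network.
MESH_ALLOWED_CALLS = {("orders", "inventory"), ("checkout", "orders")}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    client_id: Optional[str] = None  # filled in by the authentication policy


Decision = Optional[tuple[int, str]]  # None = allow, otherwise (status, reason)
Policy = Callable[[Request], Decision]


def bearer_auth(req: Request) -> Decision:
    """Resolve the caller from its bearer token; reject unknown callers."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in API_TOKENS:
        return 401, "missing or invalid credentials"
    req.client_id = API_TOKENS[token]
    return None


class RateLimit:
    """Fixed-window request counter per client, applied to every route alike."""

    def __init__(self, limit: int, window_s: int, clock=time.time):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.windows: dict[str, tuple[int, int]] = {}  # client -> (start, count)

    def __call__(self, req: Request) -> Decision:
        now = int(self.clock())
        start, count = self.windows.get(req.client_id, (now, 0))
        if now - start >= self.window_s:  # window expired: start a new one
            start, count = now, 0
        if count >= self.limit:
            return 429, "rate limit exceeded"
        self.windows[req.client_id] = (start, count + 1)
        return None


class Gateway:
    """Runs the policy chain before any business handler sees the request."""

    def __init__(self, policies: list[Policy]):
        self.policies = policies
        self.routes: dict[str, Callable[[Request], dict]] = {}

    def route(self, path: str):
        def register(handler):
            self.routes[path] = handler
            return handler
        return register

    def handle(self, req: Request) -> tuple[int, object]:
        for policy in self.policies:  # deny on the first failing policy
            verdict = policy(req)
            if verdict is not None:
                return verdict
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "no such route"
        return 200, handler(req)


def mesh_authorize(caller: str, callee: str) -> bool:
    """East-west check: only declared service pairs may talk to each other."""
    return (caller, callee) in MESH_ALLOWED_CALLS


def call_internal(caller: str, callee: str, fn: Callable[[], dict]) -> dict:
    """Stand-in for a sidecar: enforce the peer policy, then forward the call."""
    if not mesh_authorize(caller, callee):
        raise PermissionError(f"{caller} is not allowed to call {callee}")
    return fn()


def build_gateway(clock=time.time) -> Gateway:
    """Wire the edge policies and one business route; clock is injectable for tests."""
    gw = Gateway([bearer_auth, RateLimit(limit=3, window_s=60, clock=clock)])

    @gw.route("/orders")
    def orders(req: Request) -> dict:
        # Business logic only: the squad writes no authentication or throttling code.
        stock = call_internal("orders", "inventory", lambda: {"sku-1": 7})
        return {"client": req.client_id, "stock": stock}

    return gw


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.handle(Request("/orders")))  # no credentials -> 401 at the edge
    print(gw.handle(Request("/orders", {"Authorization": "Bearer tok-partner-123"})))
```

The point of the layout is that the `orders` handler contains nothing but business logic: the authentication and throttling decisions live in the gateway's policy chain, and the decision about which services may talk to each other lives in the mesh allow-list, so a squad cannot forget either one when it ships a new route.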
Nicholas Gimenes, “Top 10 Security Risks in the Internet and how to mitigate them with API Management”, Sensedia, 21 Nov 2017. [Online]. Available at: https://sensedia.com/api/owasp-2017-top-10-riscos-seguranca-apis/
S. Haselböck and R. Weinreich, “Decision Guidance Models for Microservice Monitoring”, in 2017 IEEE International Conference on Software Architecture Workshops (ICSAW), 2017, pp. 54–61, doi: 10.1109/ICSAW.2017.31.