min of reading
March 19, 2020

Why use API Gateway and Service Mesh to ensure information security

Carlos Pinheiro
Architectural Consultant Sr
Extensive experience in IT architecture and software project management, with advanced knowledge of API, SOA, software engineering, business process management, and IT services.
More about the author

Security is a critical factor in the digital strategy of organizations. The Estado das APIs no Brasil 2017 (“State of APIs in Brazil”) Report[1], conducted by Sensedia in partnership with IDC proves that security is the most worrying factor in the API strategies of organizations.

The result of this survey reinforces the importance of adequate security management.

In this sense, an API management platform gains even more prominence in ensuring information security in times of the General Data Protection laws and microservices. Conversely, even monolithic applications are evolving, and currently, a good portion of them already exposes REST APIs, which facilitates integration, but which, without adequate governance, may ultimately expose organizations.

In this context, we notice a tendency for organizations to decentralize technical decisions by distributing responsibilities through squads. In this article, we analyze the impacts of security decentralization for development squads and the role of API Gateway and the Service-Mesh in ensuring the application of best security practices.


One must ensure that security practices are implemented in all system interfaces, that is, across all APIs. In a decentralized environment, ensuring that the best security practices are implemented is a complex task. It also implies a great effort by the security team to inspect solutions for vulnerabilities after they are implemented. It is much more convenient for such aspects to be prevented, if possible, by freeing developers from decisions on these aspects. To learn more details on how to protect the organization from the OWASP Top Ten, read the article Top 10 Riscos de Segurança na Web (OWASP 2017) e como mitigá-los com API Management (“Top 10 Security Risks on the Web (OWASP 2017) and how to mitigate them with API Management”) [2].

Solution developer skills

We have noticed that solution developers, whether they include apps or backend services, are most often concerned with enforcing business rules while often overlooking major security aspects. On the other hand, programmers find it difficult to deal with complex aspects related to data security and protection [3], as they are better prepared to deal with programming logic and development frameworks.

Project restrictions

We also noticed that highly project-oriented organizations, when faced with pressure on project deadlines, tend to become lax in terms of security. For this reason, we consider that decisions related to information security should be governed at the corporate level, removing from the projects the main decisions concerning aspects of information security.

Technological diversity

Large organizations usually have a complex and heterogeneous IT environment, involving applications with different languages ​​and technology. New technologies can enable some innovations and bring advantages, but diversity brings some challenges, such as:

  • How to ensure that security standards are implemented correctly across different languages ​​and technologies?
  • The same implementation must be deployed in each technology.
  • Once a vulnerability is detected or even when the security mechanisms evolve, maintenance points are multiplied.

The implications are more strongly related to two IT goals, related to the non-optimization of IT resources and the impact on IT agility [4].

API Gateway and Service Mesh

In the scenario we are describing, API Gateway and Service Mesh play the key role of standardizing security in the interfaces of services while ensuring the most modern application of security means. This reduces the risk of attacks and allows a quick response that would otherwise be much more difficult. On the other hand, it streamlines IT by removing the complexity in applications that provide the service, allowing developer teams to actually focus on the code that generates innovation for the business. API Gateway thus centralizes communication with customer and partner applications, regulating incoming traffic from outside the organization [5] while Sevice Mesh [6] takes care of the communication between microservices within the organization’s internal network. In addition to security, API platforms and Service Mesh address, among other cross-cutting themes:

  • Governance
  • Versioning
  • Monitoring
  • Analytics

Please note that we have listed a few important capabilities as an example, but the list is not limited to these themes. These combined tools are great business accelerators that help ensure the application of best practices and security policies while addressing cross-cutting themes on north-south and east-west traffic. Finally, they simplify the architecture by removing application developers’ concerns about these and other non-functional requirements, releasing them to do what they do best, that is, developing apps and business features.

Read also





[1] “Report: APIs’ state in Brasil 2017 - Sensedia y IDG”. [Online]. Available at:  https://page.sensedia.com/pesquisa-o-estado-das-apis-brasil-2017/

[2] Nicholas Gimenes, “Top 10 Security Risks in the Internet and how to mitigate them with API Management”, Sensedia, 21-nov-2017. [Online]. Available at:  https://sensedia.com/api/owasp-2017-top-10-riscos-seguranca-apis/

[3] S. Haselböck e R. Weinreich, “Decision Guidance Models for Microservice Monitoring”, in 2017 IEEE International Conference on Software Architecture Workshops (ICSAW), 2017, p. 54–61, doi: 10.1109/ICSAW.2017.31.

[4] “COBIT. A Business Framework for the Governance and Management of Enterprise IT”. ISACA, 2012.

[5] “What is the API security?” [Online]. Available at:  https://www.redhat.com/pt-br/topics/security/api-security

[6] Claudio Oliveira, “Service Mesh: What it is and why it should be considered”, Sensedia, 04-set-2019. [Online]. Available at:  https://sensedia.com/api/service-mesh-o-que-e

Thanks for reading!