Announcing the Trapize Secure Digital Services Broker for Simplifying Enterprise API Security

API security is a hot topic across enterprises of all types in the digital economy. Understanding what data is authorized to go where is not enough to address data loss prevention. It is critical for security administrators to know what data is being passed internally and with business partners, particularly as malicious ‘bad actors’ get more sophisticated. The next step in the evolution of this market is a turnkey product that can manage API security in real-time that is independent of platform (cloud, hybrid, premise), and simple for security administrators.

The team is excited to announce the release of the Trapize Secure Digital Services Broker (SDSB) that offers security administrators a single turnkey product that simplifies API and microservices security. While there are many disparate API security tools on the market, Trapize has productized and improved the functionality into a complete cohesive product.

Until today, API security tools fell into three primary market categories:

  1. Cloud Access Security Brokers (CASB) – focus is on API security between an enterprise and cloud hosted services such as O365, SFDC, ADP. They rely in part on the cloud providers API security capabilities. A few examples of CASB vendors include Forcepoint and Skyhigh.
  2. API Management Platforms – focus is on creating, publishing, and protecting an API. Development teams who create APIs that are consumed both internally and externally rely on these tools as they write their applications. A few example API management vendors include Apigee, CA, and Mulesoft.
  3. Proxy Management – focus is on decrypting all enterprise traffic, scanning, and reporting on any anomalies. Different solutions are typically used for different types of traffic – web, email, chat. A few examples of proxy management vendors include Symantec/Bluecoat, Barracuda, and Zscaler. 

While each of these tools has their strengths, no single tool does it all until now. Figure 1 below compares the functionality of each of these tools against the new Trapize SDSB.

Key features of the Trapize Secure Digital Services Broker:

  1. Complete Product – plug & play installation and a simple, but effective product to be used by security administrators
  2. Real-time – ensuring that all data performance, governance, and compliance requirements are done in real-time
  3. Analytics – discover, map, and classification of data is done automatically, and this intelligence leads to the effectiveness of this solution
  4. Security Enforcement – while an API call may include 100s of different data fields, instead of denying the entire call, the data that needs to be tokenized or redacted can be done in real-time without breaking or modifying the application

Deployment scenarios, where we bring value to our customers:

  • API security on all external connections. Many enterprise security groups struggle managing shadow IT, for example managing all AWS accounts. AWS has tools such as Macie for API management, however, Macie must be turned on first for these tools to work.  Enterprises can have hundreds of test/dev accounts that can leak data that the security team is not aware of. The Trapize SDSB provides immediate value by delivering API security on all external connections.
  • Real-time security enforcement with analytics. Containers and microservices are all the rage and TLS connections are established between them, but this approach is lacking. The Trapize SDSB provides immediate value by delivering a turnkey API platform across the entire environment that can do real-time security enforcement — with analytics and monitoring — that empowers security administrators to control where what data goes.

 

Network Security Architecture in a Digital World

As businesses evolve and expand their digital footprint it has become clear that users and applications are everywhere.  So too are the APIs and microservices that are producing and consuming data from thousands of sources.  This vastness is driving enterprises to add data security compliance to the list of network security functions.

Everyone knows that hackers exploit the weakest point within an ecosystem and then use it to gain access to higher value targets.  The digital hacker has learned how to bypass a standard security stack, by working within an allowed network connection and acting “normally” to avoid detection and to spoof an application firewall.  For instance, if a hacker gets access to an enterprises’ partner system and uses a trusted encrypted connection to gain access to an enterprises system, a next generation firewall and IPS have trouble identifying this.

Therefore, with continued exploits, application security is not enough to manage data security, so enterprise network security is being asked to move further up the OSI stack to help ensure sensitive data does not unintentionally leave the organization.  This would address IT’s challenge of protecting sensitive data as it is exposed to more partners, mobile users, IoT devices, and applications which often resides outside of the direct control of enterprise IT.

The one thing that enterprise IT still has control of is the enterprise network, and through a next generation security architecture, enterprise IT can still ensure that sensitive data does not leave the company without permission.  This new network security architecture for a digital world includes the following:

  1. Zero Trust Networking – No users or applications on a network should be able to talk to each other without an explicit policy that allows them.  Whitelist routing means eliminating default routes and broadcast domains and using the first packet of a new session to ensure approved access to the requested resource, whether that be another user or application.
  2. Encryption –  As part of not trusting anyone or anything on the network, encrypting data-at-rest is not good enough.  As such, all data in motion should be encrypted end-to-end, from user to application.  TLS is the most common way of doing this and the latest 1.3 release promises to make this even more secure.
  3. Data Security – Network intelligence that decrypts a TLS session to ensure enterprise data identity, access controls, and compliance requirements.  This includes being able to identify and classify data plus tokenizing or redacting sensitive data and creating anomaly alerts.

To enforce the above architecture, a combination of network routers with tunnels, firewalls, proxies, and digital service brokers must be used.  Figure 1 shows this next generation network security stack in reference to the OSI model layers 3-7.

Layers 3-7 - Network Security Functions

Figure 1. OSI Model Layers 3-7 – Network Security Functions

Secure Digital Services Brokers (SDSBs) are new to the market and decrypt, analyze and act, and then re-encrypts traffic flowing through a network.  The SDSBs functions include:

  • Identification – Automatically identifying data through natural language and numeric algorithms such as social security, credit card, and passport numbers.
  • Classification – Indexing the data and categorizing it into groups which enterprise governance rules can be used to determine how to treat the data
  • Tokenization or Redaction – For data that is determined to be sensitive or private, an additional level of encryption can be applied, or the data can be altogether deleted
  • Anomaly Detection – Creating a baseline of what data is going where, setting thresholds, and generating real-time alerts when thresholds are exceeded
  • Logging – Keeping records of what data went were for tracking and auditing
  • Analytics – Ability to create customized reports

As regulations continue to expand their requirements, such as PCI 3.3 and GDPR, this too will drive enterprises to seek help from their network security team in managing data security.  The blame game is over and everyone in the enterprise is accountable for data security; including enterprise IT network security.

Learn more about the Trapize Secure Digital Services Broker (SDSB) user interface concepts by viewing our short product demo.