Announcing the Trapize Secure Digital Services Broker for Simplifying Enterprise API Security

API security is a hot topic across enterprises of all types in the digital economy. Knowing what data is authorized to go where is not enough to address data loss prevention. Security administrators must also know what data is actually being passed internally and with business partners, particularly as malicious actors grow more sophisticated. The next step in the evolution of this market is a turnkey product that manages API security in real time, is independent of platform (cloud, hybrid, on-premise), and is simple for security administrators to operate.

The team is excited to announce the release of the Trapize Secure Digital Services Broker (SDSB), which offers security administrators a single turnkey product that simplifies API and microservices security. While there are many disparate API security tools on the market, Trapize has productized and improved their functionality into one complete, cohesive product.

Until today, API security tools fell into three primary market categories:

  1. Cloud Access Security Brokers (CASB) – the focus is on API security between an enterprise and cloud-hosted services such as O365, SFDC, and ADP. They rely in part on the cloud providers' own API security capabilities. A few examples of CASB vendors include Forcepoint and Skyhigh.
  2. API Management Platforms – the focus is on creating, publishing, and protecting an API. Development teams that create APIs consumed both internally and externally rely on these tools as they write their applications. A few example API management vendors include Apigee, CA, and Mulesoft.
  3. Proxy Management – the focus is on decrypting all enterprise traffic, scanning it, and reporting on any anomalies. Different solutions are typically used for different types of traffic: web, email, chat. A few examples of proxy management vendors include Symantec/Bluecoat, Barracuda, and Zscaler.

While each of these tools has its strengths, no single tool did it all until now. Figure 1 below compares the functionality of each of these tools against the new Trapize SDSB.

Key features of the Trapize Secure Digital Services Broker:

  1. Complete Product – plug-and-play installation and a simple but effective product to be used by security administrators
  2. Real-time – all data performance, governance, and compliance requirements are enforced in real time
  3. Analytics – discovery, mapping, and classification of data are done automatically, and this intelligence is what makes the solution effective
  4. Security Enforcement – an API call may include hundreds of different data fields; instead of denying the entire call, only the fields that need to be tokenized or redacted are altered, in real time, without breaking or modifying the application

Deployment scenarios, where we bring value to our customers:

  • API security on all external connections. Many enterprise security groups struggle to manage shadow IT, for example managing all AWS accounts. AWS has tools such as Macie for API management; however, Macie must be turned on first for these tools to work. Enterprises can have hundreds of test/dev accounts that can leak data without the security team being aware of it. The Trapize SDSB provides immediate value by delivering API security on all external connections.
  • Real-time security enforcement with analytics. Containers and microservices are all the rage and TLS connections are established between them, but this approach alone is lacking. The Trapize SDSB provides immediate value by delivering a turnkey API platform across the entire environment that can do real-time security enforcement — with analytics and monitoring — and that empowers security administrators to control what data goes where.


Network Security Architecture in a Digital World

As businesses evolve and expand their digital footprint it has become clear that users and applications are everywhere.  So too are the APIs and microservices that are producing and consuming data from thousands of sources.  This vastness is driving enterprises to add data security compliance to the list of network security functions.

Everyone knows that hackers exploit the weakest point within an ecosystem and then use it to gain access to higher-value targets. The digital hacker has learned how to bypass a standard security stack by working within an allowed network connection and acting "normally" to avoid detection and to get past an application firewall. For instance, if a hacker gets access to an enterprise's partner system and uses that trusted, encrypted connection to reach the enterprise's own systems, a next-generation firewall and IPS have trouble identifying this.

Therefore, with continued exploits, application security alone is not enough to manage data security, so enterprise network security is being asked to move further up the OSI stack to help ensure sensitive data does not unintentionally leave the organization. This addresses IT's challenge of protecting sensitive data as it is exposed to more partners, mobile users, IoT devices, and applications, which often reside outside the direct control of enterprise IT.

The one thing that enterprise IT still has control of is the enterprise network, and through a next generation security architecture, enterprise IT can still ensure that sensitive data does not leave the company without permission.  This new network security architecture for a digital world includes the following:

  1. Zero Trust Networking – No users or applications on a network should be able to talk to each other without an explicit policy that allows them.  Whitelist routing means eliminating default routes and broadcast domains and using the first packet of a new session to ensure approved access to the requested resource, whether that be another user or application.
  2. Encryption – As part of not trusting anyone or anything on the network, encrypting data-at-rest is not good enough.  As such, all data in motion should be encrypted end-to-end, from user to application.  TLS is the most common way of doing this and the latest 1.3 release promises to make this even more secure.
  3. Data Security – Network intelligence that decrypts a TLS session to ensure enterprise data identity, access controls, and compliance requirements.  This includes being able to identify and classify data plus tokenizing or redacting sensitive data and creating anomaly alerts.

To enforce the above architecture, a combination of network routers with tunnels, firewalls, proxies, and digital service brokers must be used.  Figure 1 shows this next generation network security stack in reference to the OSI model layers 3-7.

Figure 1. OSI Model Layers 3-7 – Network Security Functions

Secure Digital Services Brokers (SDSBs) are new to the market; they decrypt, analyze, act on, and then re-encrypt traffic flowing through a network.  An SDSB's functions include:

  • Identification – Automatically identifying data through natural-language and numeric pattern algorithms, for example detecting Social Security, credit card, and passport numbers.
  • Classification – Indexing the data and categorizing it into groups to which enterprise governance rules can be applied to determine how to treat the data
  • Tokenization or Redaction – For data that is determined to be sensitive or private, an additional level of encryption can be applied, or the data can be removed altogether
  • Anomaly Detection – Creating a baseline of what data is going where, setting thresholds, and generating real-time alerts when thresholds are exceeded
  • Logging – Keeping records of what data went where, for tracking and auditing
  • Analytics – The ability to create customized reports
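The following is an added example, not Trapize product code, showing how the identification, classification, tokenization/redaction, logging, and anomaly-detection functions above fit together on a single decrypted API payload, and how the selective enforcement described under "Security Enforcement" (rewrite only the sensitive fields, leave the rest of the call intact) can work. The sample response, the policy table, the tokenization key, and the baseline threshold are all constructed for the example; a real deployment would take the policy from governance rules and the key from a KMS or HSM.

```python
"""Selective PII enforcement on a decrypted API payload.
Added example modelled on the SDSB functions above; not vendor code."""
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed sample: what a proxy sees after terminating TLS on a
# partner-bound API response. Every value here is made up.
SAMPLE_RESPONSE = json.loads("""
{
  "customer": {"name": "Ada Example", "ssn": "123-45-6789",
               "email": "ada@example.invalid"},
  "payment": {"card": "4111 1111 1111 1111", "exp": "12/29"},
  "order": {"id": "A-1001", "total": 42.50}
}
""")

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")

# Hypothetical governance policy: classification -> action.
POLICY = {"ssn": "tokenize", "card": "redact"}

# Hypothetical tokenization key (constructed); keep real keys in a KMS/HSM.
TOKEN_KEY = b"constructed-demo-key-do-not-use"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the numeric test that backs card-number identification."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def identify(value) -> Optional[str]:
    """Identification: classify a scalar as 'ssn', 'card', or None."""
    if not isinstance(value, str):
        return None
    if SSN_RE.match(value):
        return "ssn"
    if CARD_RE.match(value) and luhn_ok(re.sub(r"[ -]", "", value)):
        return "card"
    return None


def tokenize(value: str) -> str:
    """Keyed, deterministic token: equal inputs map to equal tokens."""
    mac = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + mac[:16]


def redact(value: str) -> str:
    """Mask all but the last four digits (the usual PAN display masking)."""
    digits = re.sub(r"[ -]", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def enforce(node, path="$", audit=None):
    """Walk the payload, apply POLICY to sensitive fields only, and log
    each action. Returns (rewritten_payload, audit_records); untouched
    fields pass through unchanged so the calling application keeps working."""
    if audit is None:
        audit = []
    if isinstance(node, dict):
        return {k: enforce(v, f"{path}.{k}", audit)[0]
                for k, v in node.items()}, audit
    if isinstance(node, list):
        return [enforce(v, f"{path}[{i}]", audit)[0]
                for i, v in enumerate(node)], audit
    kind = identify(node)
    if kind is None:
        return node, audit
    action = POLICY.get(kind, "allow")
    new = {"tokenize": tokenize, "redact": redact}.get(action, lambda v: v)(node)
    audit.append({"path": path, "class": kind, "action": action})
    return new, audit


def check_anomaly(audit, baseline: int, tolerance: int = 2) -> bool:
    """Anomaly detection: alert when the number of sensitive fields in one
    call exceeds the learned baseline for this destination plus a tolerance."""
    return len(audit) > baseline + tolerance


if __name__ == "__main__":
    cleaned, log = enforce(SAMPLE_RESPONSE)
    print(json.dumps(cleaned, indent=2))
    for rec in log:
        print("audit:", rec)
    print("anomaly:", check_anomaly(log, baseline=2))
```

The walk rewrites only the two fields the policy covers; the order and customer contact fields reach the partner unchanged, which is the point of field-level enforcement over a whole-call deny. The audit list is the logging record, and its length per destination is the simplest baseline an anomaly threshold can be set against.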

As regulations continue to expand their requirements, such as PCI 3.3 and GDPR, this too will drive enterprises to seek help from their network security team in managing data security.  The blame game is over and everyone in the enterprise is accountable for data security, including enterprise IT network security.

Learn more about the Trapize Secure Digital Services Broker (SDSB) user interface concepts by viewing our short product demo.

Cold War ethics: ‘trust but verify’ for microservices oversight of critical data flows

End-to-end encryption is becoming a popular industry trend while at the same time causing nightmares for the IT department. With the emergence of SD-WAN technology and other private routing strategies, it is getting easier for enterprises to fully direct and encrypt traffic flow between application servers within the enterprise and between an enterprise and its business partners.

While there is no argument over the need to keep private data private, the question becomes who are you keeping it private from?

Increasingly applications are being built using a distributed set of microservices. These services fall into three broad categories:

  1. microservices the enterprise built for themselves,
  2. microservices built by third party contractors hired by the enterprise, and
  3. microservices the enterprise consumes from the public cloud.

This collection of disparate microservices is making it difficult for enterprises to know what information is being exchanged as the application fragments collaborate to build a cohesive solution.

As we were beginning to form Trapize, I had a conversation with a CIO who stated their data center was built out of microservices that they mostly subcontracted out to third parties. Yet given the level of encryption between services, the CIO/IT team/enterprise had no real way of knowing or understanding the data that was flowing across – or out of – their network. While the applications worked, this enterprise had managed to create a data super-highway that was private…even to themselves.

At Trapize, we think the cold-war mantra of ‘trust but verify’ still applies. It is critical for an enterprise to understand the underlying data that is moving in and out of their network. Very few enterprises would bypass email or message scanning but many today have no visibility into the critical data flows from systems they know have access to private or sensitive data. We have built a security proxy designed to specifically address this new threat surface.  Check us out.

Sizzle versus simple: what’s your approach to digital transformation?

We here at Trapize spend a lot of time talking to businesses that are beginning to transform themselves into modern digital enterprises.  Most of what we talk about revolves around the sizzle topics: compliance, governance, and data loss prevention (DLP).  While those are great topics to address, it is important to remember that the simple things matter too.

When an enterprise is choosing to consume a digital service, an implicit contract is made with the service provider that the particular service remains both available and reliable.  More and more we hear of enterprises requiring service level agreements (SLAs) for services that are now crucial in the day to day operation of their business.  A complete service outage – or even a consistent delay in processing requests – can have a disastrous, sometimes cascading effect on internal business systems.  Even if a service is moving data packets in and out, it is crucial to have a view that shows the service is actually performing the task the business is paying for.

The modern digital enterprise needs a way to effectively monitor, ensure availability, and measure the performance and functionality of the services it has built the business around.

The Trapize Digital Services Broker (DSB) monitors the performance of all the digital services within an enterprise.  Built-in support for secure socket layer inspection (SSLi) allows the DSB to not just ensure that encrypted data packets are flowing in the network but to also inspect the flow for service functionality.  The DSB monitors and understands the service response time and actual responses to ensure the service is positively performing as expected and not just passing packets around.  Reports summarize the use of a service by requests and responses and monitor the service on a packet-by-packet basis for latency, delays, and service faults in the encrypted tunnels.  Alerts and alarms can be tied to these metrics allowing the business to quickly identify service issues and quickly rectify them before critical services fail.

Et tu, Brute? Are firewalls and SD-WANS enough protection when using cloud APIs?

As enterprises rapidly transform their businesses with cloud-based digital services driven by APIs, they are starting to realize more and more that their firewall is providing less and less protection.  Interestingly, it's not that the firewall technology has gotten noticeably poorer; it's that today's data streams are bypassing this traditional security model altogether.

Enterprises are beginning to realize – many with surprise and dismay – the need to shift their security model away from sessions being managed by a firewall to a more application-centric control model like a software-defined wide area network (SD-WAN).  These new software architectures enable IT to replace older tunneling technology – like multiprotocol label switching (MPLS) – and quickly build dynamic connections with trusted partners.

All good so far. The problem now becomes: Do you trust your friends?

For businesses to achieve regulated compliance and internal governance, they need to have positive controls over all digital transactions, specifically the “5 Ws” – What, Who, When, Why, Where. At the end of the day, it doesn’t really matter if you shared corporate data with your partners via a simple HTTPS session via the firewall or routed that data over a new private connection.  The question a corporate compliance or governance officer needs to answer is: Should that data have been shared in the first place?

So, while we probably could not have helped Julius Caesar with his problems of betrayal, the Trapize proxy can help our customers ensure that as protected data passes to and from their partners, the business retains full control while engaging in the API economy.

Is Shadow IT going to sink your enterprise?

We’ve all heard the saying “loose lips sink ships” and now imagine how that translates to enterprise data, where sometimes exchanging sensitive data with a partner is a good thing, sometimes not so much.

Today we’re finding that corporate infrastructures at most large enterprises have sprung more than a few leaks.  This situation has been driven by the rise of cloud-based digital services, where corporate IT is under increasing pressure to open ‘pin holes’ in a firewall or add DNS exceptions to satisfy business needs.

Unfortunately, this is a risky approach that could compromise the safety and integrity of the enterprise network, particularly since the term ‘pin hole’ implies a small, manageable exception to the otherwise rigid controls that a firewall supplies.  In reality, this couldn’t be further from the actual risk introduced with this approach.

With every pin hole or exception added, a ‘digital waterway’ is created where data can flow in and out of the enterprise.  Adding another layer of complication, this data is often encrypted so centralized compliance and governance solutions have no visibility into these streams.  This has given rise to the popular term “shadow IT”, where core IT has ceded control of previously protected corporate data to the line of business application using cloud-based digital services.  All in all, a pretty perilous situation and unacceptable to regulators who provide oversight.

While some cloud security solutions gaining in popularity today think that scanning for data that has left your enterprise gives you control, we think having the right tools – a sound strategy and navigational instruments – is a safer approach.

So why are enterprises putting their data at risk?

At Trapize, we have built an in-line proxy that not only decrypts this data but also has a packet-by-packet deep understanding of the data in an application flow.  So, as data enters or leaves the enterprise perimeter, Trapize can apply policies on a service-by-service basis.  It's a better approach to keep your enterprise afloat.

On the horizon, a new approach for digital transformation

Yesterday I wrote about my meetings with a diverse group of IT leaders who often ask "Are ESBs dead?" Today I'd like to continue that topic and review the complications many are experiencing on their digital transformation journey.

At the very foundation is the need to safely exchange data and services across their organization with agility. Yet today many IT organizations are experiencing some principled headwinds – and obvious blind spots – as their cloud-based digital traffic is traversing firewalls with little IT visibility or control of the digital services being used, consumed and exchanged.

Covered in an earlier post, IT is caught without the required tools necessary to address core business functions, yet is on the hook for agile innovation from the line of business stakeholders. So, what’s an enterprise to do?

Based on my conversations, there are three clear options, but all of them entail some cost or risk:

  1. add connectors to external services for the ESB;
  2. write custom middleware to wrap the services;
  3. or just ignore the problem.

From experience, most organizations are doing some version of all three.  So, let’s ‘pro/con’ the opportunity cost when putting those three options in practice.

To remain compliant with the mandatory regulations, the enterprise must write a connector for each API or develop middleware wrappers for the APIs in use. The cost estimates that I've seen range from $200K for each connector to $400K for middleware wrappers.  We also can't forget the hidden cost to your organization, which typically drives a 12-18 month delay in deploying new services.  Sadly, the cost in both dollars and time has led many lines of business to simply take option three, poke a hole in the corporate firewall, and assume the business risk.  Probably not a good idea.

There is a new approach on the horizon: Trapize offers an in-line proxy that provides positive control on a request-by-request basis. This approach – not only quick and affordable – is the only way to achieve true enterprise compliance.  Trapize is a digital service broker that supports many of the most popular services enterprises are using today.

Is the sun setting on Enterprise Service Bus?

I frequently meet with a diverse group of IT leaders and I'm often asked "Are ESBs dead?" The short answer is, it's complicated.

Since the 1990s, ESBs have played a critical role for companies by providing a 'walled garden' to protect access to core business functions. ESBs have delivered assurances that business applications were communicating with legally required compliance and governance.

However, as a business's critical services have shifted from proprietary applications deployed inside an enterprise's perimeter to cloud-based applications and services, the role of the ESB is being called into question. As those mission-critical applications have moved outside of the 'circle of trust' that the ESB provided, enterprises have struggled to keep the same level of control mandatory to meet industry regulatory requirements.

These technology shifts have fundamentally changed the way a modern enterprise conducts its business today.  Lines of business inside an enterprise are more often relying directly on Google, IBM, Microsoft and others for digital services rather than accessing core IT functionality.  Studies have shown the average enterprise uses over 1400 unique cloud services in the normal course of its day to day business.

So, while new best-in-class services arise almost daily – and are necessary to remain competitive in this agile environment –  businesses need to quickly adapt. Particularly since the same confidential enterprise data is being used and exchanged by those services – which gave rise to the ESBs in the first place – yet without the necessary regulatory requirements.

Well, what’s an enterprise to do?  From my conversations, there seem to be three options: add connectors to external services for the ESB, write custom middleware to wrap the services, or just ignore the problem.

Over here at Trapize, we have a better idea. We provide ESB-level compliance and governance while enabling the enterprise's continued use of cloud-native APIs.  Our high-performance in-line proxy gives the same level of tight control in minutes and at a fraction of the cost that an enterprise is spending today.

So, is the sun setting on ESBs?  No, of course not; we believe they're just reaching retirement.

The ABCs of regulatory Alphabet Soup

There is an ever-increasing array of acronyms that businesses need to worry about.  From FISMA to HIPAA to GDPR, they all have one thing in common: they typically consume large amounts of mindshare across an organization – but none more than IT departments.

Many enterprises are struggling to understand how regulations impact their business and whether they have the internal controls and sound business systems to proactively address potential risks.  If your company has custodial care of personal or private data, or processes that data on behalf of your customers, then you need to protect it.

Gone are the days when consequences are only applied when a breach occurs. As the modern enterprise shifts to the use of cloud-based digital services to conduct business, they have opened new paths for exposure. Think about it, nearly every business – especially those in financial services or healthcare – has custodial care of some type of private data.  Everything from social security numbers to drug prescription information to bank account numbers.  All this data falls under the purview of one regulation or another.

Keeping pace with compliance mandates is challenging, especially since the regulations simply lay out a set of ‘consequences’ that businesses are subjected to if they don’t take the necessary steps to safeguard customer data.  The regulations aren’t prescriptive, so it forces businesses to handle a customer’s private data using the same process used to store and protect its own sensitive corporate information.

Trapize was founded because we recognized there is a compliance and governance gap when an enterprise needs to consume services exposed within its networks. Trapize offers a new approach to keep your business safely out of the alphabet soup.

APIs help digital services ‘talk’ but does IT know what’s being exchanged?

For the last several years businesses have been on a digital transformation journey and today APIs are proliferating. Last year alone, estimates show that a typical enterprise required integrations with over 1,400 unique cloud services. It’s clear that businesses are consuming multiple services from multiple sources.

But businesses face compliance and control challenges in their shift to digital services driven by APIs: cloud-based traffic is traversing firewalls with little IT visibility or control, there’s increased areas for threat as your organization adds/consumes services, and there’s a lack of existing tools to address this exposure when consuming these services. Gartner predicts that “through 2020, 95% of cloud security failures will be the customer’s fault.”

Consequently, IT is caught in the middle trying to address core business functions – controlled stability, internal platforms, service-oriented architectures – while navigating pressing requirements like agile innovation from their line of business stakeholders. But with more than 150,000 third-party APIs available today, business leaders are faced with not only a blind spot but also the discovery of ‘shadow IT’ teams when trying to secure and manage company-wide APIs.

This has led to a critical need for brokered intermediation and digital services governance to monitor usage and protect data. Some questions to consider:

  • Who has access to API-driven business services?
  • When, where, and how are they being used?
  • What type of data is being exchanged that may be bypassing your existing security controls?

If there is a gap in oversight, Trapize provides the missing piece. Trapize is a digital service broker that gives your IT organization real-time visibility and control into the behavior and value of the digital services that drive your business. There is no other solution available today that provides compliance, governance and security for the API-based microservices your enterprise consumes. Trapize alerts you of potential risks, ensures compliance requirements like FISMA and HIPAA are met, and acts as a control point to enforce data security policies, protecting your enterprise against threats.