Secure Cloud Native APIs and Microservices

Cloud native applications combine a growing number of hosts and microservices, with a variety of compute options and technology stacks. As we mention in the main launch announcement for our latest updates, these complex architectures are only going to become more prevalent. 

But securing the web applications and APIs that underpin these architectures has been a challenge for security teams due to their ever-changing nature and the lack of coverage from existing web security solutions. 

With the latest update to Prisma Cloud, we’re delivering a security solution designed to secure cloud native APIs and microservices infrastructure with multiple layers of protection.

 

Integrating Deep WAAS Capabilities with Prisma Cloud

Prisma Cloud provides visibility and protection across multi- and hybrid-cloud environments. This includes both the cloud service provider (CSP) resources and services users configure, as well as the applications running on VMs, containers, Kubernetes and serverless

 

Prisma Cloud architecture highlighting WAAS protection coverage, including the management console, platform support from the Prisma Cloud agent, and what is protected (web attacks, bots and automation, app DoS attacks and API abuse.
Prisma Cloud architecture highlighting WAAS protection coverage.

 

By integrating deep web application and API security (WAAS) capabilities into our platform and unified agent framework, DevOps, application security professionals and security architects get a seamless platform that also includes vulnerability management, runtime defense and access control capabilities. Here are a few of the capabilities in this new module that help secure cloud native APIs and microservices.

 

Auto-Discovery of Unprotected Web Applications and APIs

Prisma Cloud Radar already delivers a real-time network topology of application communications integrated with vulnerability, compliance and runtime status. With these new WAAS capabilities, it now also automatically identifies running web applications and APIs along with their protection status.

 

Prisma Cloud Radar displaying web application protection status
Prisma Cloud Radar displaying web application protection status.

 

OWASP Top 10 Protection

Prisma Cloud can easily be configured to alert on and prevent against leading attack scenarios as part of the OWASP Top 10, including SQL injection, cross-site scripting (XSS), Shellshock protection, brute-force login attacks and more.

 

Web Application and API Security configuration screen in Prisma Cloud
Web Application and API Security configuration in Prisma Cloud.

 

In addition, Prisma Cloud now offers the ability to disable, alert to, prevent or ban offending clients in these scenarios based on specific rule configurations for each application.

 

API Protection

Web applications have been moving away from monolithic designs and shifting to microservices-based architecture, most commonly implemented using cloud native technologies like APIs. With the new WAAS module, Prisma Cloud can enforce security for these critical infrastructure components. 

 

API protection configuration window in Prisma Cloud.
API protection configuration in Prisma Cloud.

 

Users can set specifications provided through Swagger and OpenAPI files, or set definitions using API paths, allowed HTTP methods, parameter names, input types, value ranges and more. Once set, users can then define automated responses to requests which do not comply with the API’s expected behavior, such as sending an alert or banning an IP from accessing the API for a short period of time.

 

File Upload Protection

For applications that allow users to upload files, Prisma Cloud can be set to alert on or enforce file upload restrictions using fine-grained control (allow, alert or prevent) based on file extension type, including audio, compressed archives, documents, images and video. 

 

To prevent spoofing, the file content of these widely-used formats is inspected to validate its stated type, and to ensure it matches the filename extension.

 

File upload protection parameters in Prisma Cloud across different types of files.
File upload protection parameters in Prisma Cloud.

 

Additional Capabilities

Prisma Cloud also provides and/or supports:

  • Access control based on IP address or client geo-location: Prevent web access for clients originating from specific IPs, networks or countries.
  • HTTP header-based web application protection: Define criteria for allowing or denying access to web applications based on HTTP header names or values.
  • Centralized policies across any cloud native architecture: Prisma Cloud provides unified protection across hosts, containers, Kubernetes applications and serverless. Web application and API protection is supported across these leading technologies with centralized policy controls and management.

 

Begin Using the WAAS Module

The capabilities highlighted above are automatically available to Prisma Cloud users who deploy the Prisma Cloud Defender to protect host or container runtimes. 

Learn more on our dedicated Web Application and API Security webpage.

 


Secure Today,
for a Better
Tomorrow
Join us at IGNITE’20