Story

When evaluating API Gateway platforms, there are a number of capabilities to consider. Below I have provided a list of such capabilities for API Gateways that you should score the platforms (and vendors) on. This is a high level list, and I have a more detailed list if interested in reviewing for evaluation purposes. Also, this article is focused just on API Gateway capabilities. I will publish 2 more articles focused on 2 more capabilities to evaluate platforms (and vendors) on: (1) API Management (2) API Portals.

Please reach out to me if you would like to discuss or review these capabilities in more detail with your team at: Jordan.Braunstein@visualintegrator.com . I have personally evaluated and score-carded the following API Gateway Platforms (in no particular order):

• MuleSoft
• WSO2
• Kong
• AWS API Gateway
• Azure API Gateway
• Gravitee
• Boomi
• Redhat 3Scale
• CA Layer 7
• Apigee

Pricing and Vendor Overview

1. Core Product Pricing Model
2. Product Support Model

Security

1. Support for HIPAA and PHI Protection
2. PCI Compliance
3. Use of Open Source Software and Plugins that are vulnerable to Security
4. Support for OAuth 2.0, JWT, OpenID Connect and SAML
5. Security Policies provided out of the box (OAuth 2 validation, IP Filtering, Client Certificates, JWT Validation, OpenID Connect, Integration with External Identity Provider)
6. Integration with Identity Management Platforms

Infrastructure and Architecture

1. Scalability and Redundancy
2. Support for Containers, Docker, etc.
3. Cloud vs On-Premise Installations
4. Support for Serverless Architecture on a Cloud Provider

Configuration and Development Features

1. Installation Complexity
2. Custom Policy Development Kit
3. Throttling solution
4. Documenting APIs on the Gateway

Enterprise Runtime Features

1. Logging
2. Monitoring and Alerts, including Integration with External Monitoring Platforms
3. Technical Analytics
4. Caching
5. Micro Gateways
6. Business Analytics (Scraping or dripping Payloads for BI)
7. Training
8. Debugging and Testing Tools

Story

Here are the top Security Best Practices when architecting your Microservices and API solutions. To review a complete Microservices and API Security checklist and guide, please contact me at Jordan.Braunstein@visualintegrator.com and I will be happy to share with you or your team.

External Facing Microservices or APIs:

Use OAuth 2.0 security policy with the grant type based on the type of the application consuming the microservice or API:

• For mobile and SPA apps, best practice is to secure using Implicit or Authorization Code grant.
• For trusted partners (i.e. Trading Partners), use client-credentials grant but only if the communication is secured via MTLS or IP-based filtering

Internal Facing Microservices or APIs

• Client ID Validation policy to validate Client ID/Secret
• Enable Client ID security on all internal APIs
• For example, Experience API is secured by JWT, which, in turn, invokes internally facing Process or System API secured by Client ID/Secret/

 User Identity or Role Based Authorization

• Recommend using JWT token with digital signature
• Create a custom API policy to validate the digital signature if needed, or invoke the validate endpoint of the Identity Management platform.
• “Bundle” user credential such as customer_id or LDAP ID as part of the JWT token payload.
• In the custom policy or inside the API itself, validate the JWT token contains the bundled customer id.

Additional Considerations:

• Custom API Policies for schema validations, SQL injections, HTTP Inspections, Size Limits, Pattern Scans.
• Data Sensitivity and encryption techniques
• Sidebands to API Gateway for outside threats on API Gateways
• Source Code and library scans.

Infrastructure Security:

• Network security
• WAF rules
• API Gateway policies (i.e. rate limiting)
• Audit logging on the gateway
• Security monitoring of the Microservices or API infrastructure