Can Prisma Cloud provide API security for your cloud?

Spoiler alert: it probably can (your mileage may vary), but your cloud architecture determines whether it is the best solution.

Introduction

API security is getting more and more attention. We hear this from analyst companies like Gartner, and we see it in the media. And it makes sense from the perspective that DevOps has changed the architecture of many applications today.

In this blog post, I will examine whether Prisma Cloud can be a viable candidate for API security for your cloud resources, and even if it could be, couldn’t you just utilize the native services offered by your public cloud vendor instead?

Why API security?

In 2021, Gartner predicted that by 2022, application programming interface (API) attacks would become the most frequent attack vector. To confirm this on a global scale, we usually rely on data provided by the OWASP API Security project – however, results are still not in. Nevertheless, we can track cyber-attacks that were caused by API attacks. For example, the recent Optus breach was due to broken user authentication in the exposed API. Also, the Twitter data breach from 2021 involved exploiting an API vulnerability.

In DevOps ways-of-working decoupling components and using microservices are popular approaches. But this also means that a modern application has many APIs – both for external communication but also between the individual components. And with more APIs comes a larger attack surface.

Diagram: API security with Prisma Cloud

What is Prisma Cloud Web-Application and API Security?

Prisma Cloud is a security platform for your cloud – see the text box for more details. One of the components included in Prisma cloud is a distributed web application firewall (WAF) that can inspect and enforce HTTP-based web applications, including TLS and gRPC.

The web application firewall is aptly named Web-Application and API Security (WAAS).

WAAS operates as a transparent application proxy that is deployed so that it interferes very little with your application and development pipeline while still detecting and protecting. For instance, in Kubernetes, the proxy is deployed as a DaemonSet that integrates with the network so that you don’t need to touch your application or even the pod that runs the application. WAAS operates as a proxy for your cloud workloads, such as virtual machines, containers, serverless functions, and “serverless container” solutions on most public clouds.

Prisma Cloud

Prisma Cloud is a security platform for your cloud, meaning that it is a suite of security products that protects your resources in the cloud. Gartner has termed this product category Cloud Native Application Protection Platform or CNAPP. Prisma Cloud is built for the cloud and to do its job it integrates directly with the “cloud fabric” i.e. cloud-native services. It supports the big cloud vendors Azure, AWS, GCP, etc., and can also support workloads residing on premises.

One of the services in the Prisma Cloud suite is API security which is what we’re looking at here.

Conscia API Security recommendations

In Conscia we have created a list of API Security recommendations. This list has been shared in our Conscia ThreatInsights newsletter.

Our list of API Security recommendations includes actions on what you need to do to secure your API. The paragraph below addresses how you could utilize the Palo Alto Network’s Prisma Cloud platform to implement these actions.

Recommendation 1

Start by discovering and cataloging every API that is used. Having such a repository will help your cybersecurity team manage the risks involving APIs.

How can you do this?
Prisma Cloud can automatically learn the API endpoints in your app, show a usage report, and let you export all discovered endpoints. When API discovery is enabled, Prisma Cloud inspects API traffic routed to your protected applications.

Recommendation 2

Set up automated security tests for every API. Functional tests are important as they ensure that your application runs as expected. However, security tests are vital because they probe the reliability and security of the API.

How can you do this?
Prisma Cloud utilizes API definition files which can either user provided or generated by the platform using discovery. Prisma Cloud scans the API definition and generates a report for any errors, or shortcomings such as structural issues, compromised security, best practices, and so on.

Recommendation 3

APIs must fail securely – moreover, you need to know the consequences of that failure.

How can you do this?
You can configure the actions Prisma Cloud applies to requests that do not comply with the API’s expected behavior.

Recommendation 4

If you own any threat prevention suites, add your APIs to them. You need to shut down the APIs if anything suspicious is detected until the event can be investigated and remediated.

How can you do this?

Prisma gives you visibility into your application API health, including API endpoint’s path, vulnerabilities in the underlying workloads and a risk profile-based misconfigurations, best practices, exposure to sensitive data, and access control.

The API health information can be forwarded to your favorite threat prevention suite thereby giving you the capability to act on suspicious events.

Recommendation 5

Do a review of whom the API was designed to serve and tailor the access accordingly. For external APIs, make sure that you limit data exposure to what is needed only.

How can you do this?
Prisma Cloud allows for control over how applications and end-users communicate with the protected web application. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses.

Recommendation 6

Services should not fail in an open or accessible state. In case of an API attack, be sure you can prevent any access via API.

How can you do this?
Requests that trigger a Prisma Cloud protection are subject to one of the following actions: Alert, prevent, or (temporarily) ban.

Summary

Why would you use a 3rd party solution and not just the clouds own services? The answer is not binary – maybe the cloud own service does suffice for your use case.

An often-used pattern in public cloud is to utilize a cloud-native API gateway that fronts your workloads, that being containers, serverless functions, or VMs. And this API gateway can be paired with WAF and DDoS, thereby providing a perimeter broad protection.

However, if you need to protect communication between services running in the cloud using L7 inspection, you will often need another solution. There are cloud-native tools that you could utilize to create a solution, but these often require some do-it-yourself and putting things together.

Another case for Prisma Cloud could be that you have workloads in more than one cloud and would like to avoid building and maintaining multiple solutions – in that case, a 3rd party API security solution with support for your chosen cloud providers could be attractive. Note that this argument here goes towards any 3rd party cloud security solution, not just Prisma Cloud.

Contact
Contact us now