Akana Platform Free Trial

Get Started Today »

Ryan Bagnulo

Security is an essential element of any organization’s API strategy. While API security shares a lot of aspects that are common to both website security and network security, it’s also fundamentally different both in terms of usage patterns as well as the unique areas of additional risks that microservices and sidecars are susceptible to. For instance, APIs move the boundary of interaction from the web tier to the backend applications, microservices and data sources directly.

Securing the microservices mesh with an API Gateway is a best practice that API providers and microservices mesh builders can put in place to prevent unauthorized data access, loss of data integrity, or the degradation of the quality of service.

Emerging microservices architectural concepts such as sidecars and platforms to inject sidecars into container pods present DevOps teams with new security challenges to solve as new layers of abstraction are introduced into an already complex system of components and protocols.

The following juxtaposition of open source servicemesh 1.0.1, beta and alpha features compared to version 8.4 of the Rogue Wave Akana API Platform clearly illustrates why it is imperative to leverage the features of a mature API Gateway architecture on the edge of the cloud and in the core of the servicemesh for proper authentication, authorization, mediation, and resiliency.

For additional information on securing the edge API and microservices mesh download this full white paper.

 

Microservices mesh of Istio Sidecars Rogue Wave Akana API Gateway Platform
Deny Checker 1.0.1 Stable v8.4 Mature
Allow and deny rules configurable with a policy administration declarative user interface (UI)
List Checker 1.0.1 Stable v8.4 Mature
Allow and deny rules configurable with a policy administration declarative UI
Pluggable Key/Cert Support for Istio CA 1.0.1 Stable v8.4 Mature
Integrated Java PKI and HSM keystores.
More info: Using external keystore
Service-to-service mutual TLS 1.0.1 Stable v8.4 Mature
With the ability to enforce mutual TLS 1.2
Kubernetes: Service Credential Distribution 1.0.1 Stable v8.4 Mature
Policy decision point (DB) and policy enforcement point (Gateway) contract management architecture
VM: Service Credential Distribution 1.0.1 Beta v8.4 Mature
Policy decision point (DB) and policy enforcement point (Gateway) contract management architecture
Mutual TLS Migration 1.0.1 Beta v8.4 Mature
Client certificate management is self service for apps consuming mutual TLS APIs
More info: How to implement 2-way SSL
Traffic Control:
Label/content based routing, traffic shifting
1.0.1 Beta v8.4 Mature
Visual Process Designer to create custom traffic flows using the branch, split, and join process activities
Resilience features:
Timeouts, retries, connection pools, outlier detection
1.0.1 Beta v8.4 Mature
Resilience features with many QoS policy templates and integrated health status monitoring of a container’s Outgoing HTTP connection pool statistics, Incoming HTTP thread pools, database connection pools, container memory usage, usage monitoring queues, JMS connections, container configuration state, and container lifecycle
Gateway: Ingress, egress for all protocols 1.0.1 Beta v8.4 Mature
Protect the microservices mesh layer of the network with a tier of edge DMZ API Gateways, rather than connecting the mesh controller directly to a cloud load balances
TLS termination and SNI support in gateways 1.0.1 Beta v8.4 Mature
The API platform’s support of SNI means that multiple keys/certificates can be used for one HTTPS endpoint. You can have individual identity keys/certificates per API implementation. Each implementation can use its own key/certificate for its own clients.
Authentication policy 1.0.1 Alpha
Operators specify Istio authorization policies using .yaml files. Once deployed, Istio saves the policies in the Istio Config Store.
v8.4 Mature
Easily link different identity providers and policies to different APIs and application contracts with an integrated Akana OAuth server, Bearer, MAC, JWT, JOSE token support, and easy integration with user directories and OpenID Connect providers.
More info: Using the JOSE Security Policy
End User (JWT) Authentication 1.0.1 Alpha
Istio only supports JWT origin authentication.
v8.4 Mature
A key advantage of the Bearer token is that the Resource Server can validate the token, without having to go to the Authorization Server. This is more efficient in terms of performance, especially when the Resource Server and OAuth Provider are different vendors. Signed and Encrypted JWT Tokens are also supported by the Akana API Gateway.
OPA Checker 1.0.1 Alpha
All policies in OPA are written in Rego policy language (V1)
v8.4 Mature
Create authentication domains and policies declaratively with a web browser
Authorization (RBAC) 1.0.1 Alpha
The RbacConfig object is a mesh-wide singleton with a fixed name value of default. You can only use one RbacConfig instance in the mesh. Like other Istio configuration objects, RbacConfig is defined as a Kubernetes CustomResourceDefinition (CRD) object.
v8.4 Mature
The Akana OAuth Authorization service includes such activities as initiating a resource owner grant, authenticating the resource owner with the corresponding resource owner domain, and obtaining the resource owner’s authorization for the application’s access to the resources, with the specific scopes requested.  Calls to this service are always initiated by the resource owner, never by the application. Since the authorization endpoint is only used in three-legged scenarios, these operations are only used by three-legged grant types (Authorization Code and Implicit).
Additionally, Licenses and Scopes provide authorization functionality to apps and APIs with or without the use of an OAuth token.
More info: Authorization server authorization service
Enabling custom filters in Envoy 1.0.1 Alpha v8.4 Mature
Filtering of protocol headers, path, query parameters, and XML or JSON message parts with XPath, JSONPath, RegEx using policies, or custom processes
More info: Using regular expressions in policies
Share Button

Add a comment