Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays Helsinki & North 2023 - API Security in...

apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden

apidays Helsinki & North 2023
API Ecosystems - Connecting Physical and Digital
June 5 & 6, 2023

API Security in the era of Generative AI
Matt Feigal, Partner Engineering Manager at Google Cloud Sweden

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

June 29, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. Generative AI’s Impact to API Ecosystem New and Exacerbated Risks

    Patterns for Success 01 02 03 Agenda 00 Hi! (It’s Me)
  2. Place Image Here Generative AI - Empowering Everyone Generative AI

    is a powerful tool which will be used by all personas in the API ecosystem. Service developers, API Owners, Network Administrators, Product Owners, Data Analysts, Security Analysts... Everyone moves ‘up’ the mountain ****EXAMPLES***** ChatGPT, Google’s Bard, PaLM, LLMs, Imagen, Midjourney, DALLE-2… Codey, Copilot, AutoGPT, LangChain Novice Guru 01
  3. Gen AI Use Cases in the API Ecosystem Collaborator Operations

    and Toil Service Replacement GenAI APIs • Complete Tasks via Chat, IDE, etc • Text, Code, Images, Media, Video, Slides, APIs, Documentation, … • Boilerplate, Transcoding, Monitoring, Observability, … • Last mile - Replace Services with Prompt → Data Model • New Ecosystem (and Business Model) with LLM, Data, and LLM extensions (langchain) • AIs calling your APIs? AIs calling other AIs?
  4. Reference Cloud Architecture API Gateway Microservices Serverless Functions Load Balancing

    Databases, Caches, Other Stores… On-Prem DC External SaaS Providers
  5. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  6. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  7. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  8. Generative AI increases the need for API Management and API

    Security. APIs are the contract for machine-led creation and consumption. New and Exacerbated Risks 02
  9. API misconfigurations and Bots are identified as potential two of

    the top three threats Source: https://venturebeat.com/2021/07/27/fugue-36-percent-orgs-suffered-serious-cloud-breach-in-last-year/
  10. 14 Source: API Economy | Google Cloud “By 2022, API

    abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.” - Gartner, API Security: Protect your APIs from Attacks and Data Breaches, Mark O'Neill, Dionisio Zumerle, 2021 170% Apigee saw over 170% increase in abusive API traffic last year API Security Threats are Evolving and Increasing
  11. ! 84% of companies saw an increase in the number

    of bot attacks over the last year (Jan ‘21) Bot Attacks Source: Forrester Consulting - State Of Online Fraud And Bot Management $24B Lost to credit card fraud by US businesses Payments Fraud ! $1T Lost to abandoned checkouts or rejected transactions 53 days spent on average fully resolving a bot attack ! API Abuse ! Account Takeover 90% Increase in 2021 alone 50% of organizations experienced an API security incident in the last 12 months 77% of organizations that experienced an API security incident delayed a rollout Web Security Threats are Evolving and Increasing
  12. Your APIs need to be secured across all points of

    interaction Threat Protection Behavior Based Signature Based Payload Complexity Spikes OWASP (SQL injection, input validation, etc.) Access Controls OAuth2 API Keys Products Scopes Quota/Spike Arrest Logging Self Service & SSO IAM Integration Prov. & DeComm OpenId Connect JWT SAML Security Governance Global Policies RBAC management Data Masking Compliance: ISO, PCI-DSS, HIPAA, SOC1&2, CSA STAR Data Security TLS Two-way TLS IP Access Control Encrypted Data Store and Cache User App Developer API API team Backend
  13. Reference Cloud Architecture with Gen AI On-Prem DC API Gateway

    Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice External SaaS Providers
  14. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  15. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  16. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  17. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  18. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
  19. Mitigating Risks: • Paved Path for Developers • Defense in

    Depth • Shield your Generative AI • Escape Hatches • Buying Expertise 03 Emerging patterns for success
  20. Place Image Here Paved Path for Developers • Easy to

    be compliant and secure • Single Path through the system • Idiomatic, Integrated Tools • Prioritize Developer Velocity (first class support for ephemeral or test APIs)
  21. On-Prem DC Defense In Depth Apigee Microservices Serverless Functions Load

    Balancing Databases, Caches, Other Stores… WAF Adv API Security SWG SWG CAPTCHA External SaaS Providers
  22. Shield your Generative AI • Don’t expose your ML API

    directly! • Same lessons you’ve learned shielding a database from direct API calls! • Incoming: Context engineering Prompt Engineering • Outgoing: ◦ DLP checks / IP checks ◦ Accuracy checks ◦ Brand safety checks
  23. Place Image Here Escape Hatches / Fast Responses • Multi-tier

    applications have different release cadences and risk factors. • Escape Hatches are quick-twitch Policy Enforcement Points, Filters, and Shields • API Gateway/Proxy and Service Mesh are great resources for dealing with the following scenarios…
  24. Specific request that exploits a vulnerability. SQL injection, parser errors,

    de/ser bugs, protocol edge cases, etc. Security Breach - such as returning too much data from one or more services across a variety of scenarios. Escape Hatches / Fast Response scenarios Poison Pill Data Exfiltration Specific requests or request volume that are targeted at overloading specific services or backends. Targeted (D)DoS Slow, sporadic, or steady requests to problematically extract data from your APIs Scraping Bots
  25. The Security Space: Buying Expertise • Build, vs Buy (or

    Host) • Core to your Mission? • Expertise and Level of Investment • Cost versus Potential Cost
  26. Deny list Traffic Data Models Dashboard Advanced API Security Apigee

    runtime Enforcement How Mitigation Block or mark the bot traffic depending on your needs API Traffic Data Continuously monitor billions of API calls to identify anomalies Machine Learning Models & Rules Continuously recognizing bot patterns and creating new rules Apigee Advanced API Security
  27. Know when API are misconfigured or experiencing abuse. Managing API

    Security Configs Align API proxies to security standards to avoid misconfigured API proxies Recommend actions to improve the security posture
  28. Bot & Abuse detection powered by ML Clustering alerts to

    reduce volume and provides the relevant context for quick resolution
  29. Recap • GenAI: New Opportunities, New Risks • Machine-to-Machine APIs

    • Integrated APIM is Critical • Build Escape Hatches and Buy Expertise when appropriate
  30. Thank you. Discussion & Demo at our booth today! Want

    to learn more? cloud.google.com/apigee Try Apigee for free for 60 days https://apigee.google.com/welcome Join our Partner network [email protected]; mattfgl@; [email protected]