apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden
0 likes173 views
The document discusses the significance of API security in the context of generative AI, noting that it amplifies existing risks and introduces new challenges for secure machine-to-machine interactions. It highlights the increasing incidence of API abuses, bot attacks, and the necessity for robust API management and security measures. Emergent patterns emphasize the importance of compliance, layered defense strategies, and leveraging expertise to mitigate risks effectively.
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden
- 1. API Security in the era of Generative AI Matt Feigal June 6, 2023 feigal@google.com; mattfgl@; mattfeigal@hachyderm.io
- 3. Apigee Partner Engineer 10 yrs @ enterprise developer / architect 10 yrs @ Google feigal@google.com; mattfgl@; mattfeigal@hachyderm.io
- 4. Generative AI’s Impact to API Ecosystem New and Exacerbated Risks Patterns for Success 01 02 03 Agenda 00 Hi! (It’s Me)
- 5. Place Image Here Generative AI - Empowering Everyone Generative AI is a powerful tool which will be used by all personas in the API ecosystem. Service developers, API Owners, Network Administrators, Product Owners, Data Analysts, Security Analysts... Everyone moves ‘up’ the mountain ****EXAMPLES***** ChatGPT, Google’s Bard, PaLM, LLMs, Imagen, Midjourney, DALLE-2… Codey, Copilot, AutoGPT, LangChain Novice Guru 01
- 6. Gen AI Use Cases in the API Ecosystem Collaborator Operations and Toil Service Replacement GenAI APIs ● Complete Tasks via Chat, IDE, etc ● Text, Code, Images, Media, Video, Slides, APIs, Documentation, … ● Boilerplate, Transcoding, Monitoring, Observability, … ● Last mile - Replace Services with Prompt → Data Model ● New Ecosystem (and Business Model) with LLM, Data, and LLM extensions (langchain) ● AIs calling your APIs? AIs calling other AIs?
- 8. Reference Cloud Architecture API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… On-Prem DC External SaaS Providers
- 9. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 10. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 11. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 12. Generative AI increases the need for API Management and API Security. APIs are the contract for machine-led creation and consumption. New and Exacerbated Risks 02
- 14. API misconfigurations and Bots are identified as potential two of the top three threats Source: https://venturebeat.com/2021/07/27/fugue-36-percent-orgs-suffered-serious-cloud-breach-in-last-year/
- 15. 14 Source: API Economy | Google Cloud “By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.” - Gartner, API Security: Protect your APIs from Attacks and Data Breaches, Mark O'Neill, Dionisio Zumerle, 2021 170% Apigee saw over 170% increase in abusive API traffic last year API Security Threats are Evolving and Increasing
- 16. ! 84% of companies saw an increase in the number of bot attacks over the last year (Jan ‘21) Bot Attacks Source: Forrester Consulting - State Of Online Fraud And Bot Management $24B Lost to credit card fraud by US businesses Payments Fraud ! $1T Lost to abandoned checkouts or rejected transactions 53 days spent on average fully resolving a bot attack ! API Abuse ! Account Takeover 90% Increase in 2021 alone 50% of organizations experienced an API security incident in the last 12 months 77% of organizations that experienced an API security incident delayed a rollout Web Security Threats are Evolving and Increasing
- 17. Your APIs need to be secured across all points of interaction Threat Protection Behavior Based Signature Based Payload Complexity Spikes OWASP (SQL injection, input validation, etc.) Access Controls OAuth2 API Keys Products Scopes Quota/Spike Arrest Logging Self Service & SSO IAM Integration Prov. & DeComm OpenId Connect JWT SAML Security Governance Global Policies RBAC management Data Masking Compliance: ISO, PCI-DSS, HIPAA, SOC1&2, CSA STAR Data Security TLS Two-way TLS IP Access Control Encrypted Data Store and Cache User App Developer API API team Backend
- 18. New Risks: Meet the Generative AI Family Good Competent Bad Attacker Oops Buggy
- 19. Reference Cloud Architecture with Gen AI On-Prem DC API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice External SaaS Providers
- 20. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 21. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 22. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 23. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 24. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers
- 25. Mitigating Risks: ● Paved Path for Developers ● Defense in Depth ● Shield your Generative AI ● Escape Hatches ● Buying Expertise 03 Emerging patterns for success
- 26. Place Image Here Paved Path for Developers ● Easy to be compliant and secure ● Single Path through the system ● Idiomatic, Integrated Tools ● Prioritize Developer Velocity (first class support for ephemeral or test APIs)
- 27. On-Prem DC Defense In Depth Apigee Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… WAF Adv API Security SWG SWG CAPTCHA External SaaS Providers
- 28. Shield your Generative AI ● Don’t expose your ML API directly! ● Same lessons you’ve learned shielding a database from direct API calls! ● Incoming: Context engineering Prompt Engineering ● Outgoing: ○ DLP checks / IP checks ○ Accuracy checks ○ Brand safety checks
- 29. Place Image Here Escape Hatches / Fast Responses ● Multi-tier applications have different release cadences and risk factors. ● Escape Hatches are quick-twitch Policy Enforcement Points, Filters, and Shields ● API Gateway/Proxy and Service Mesh are great resources for dealing with the following scenarios…
- 30. Specific request that exploits a vulnerability. SQL injection, parser errors, de/ser bugs, protocol edge cases, etc. Security Breach - such as returning too much data from one or more services across a variety of scenarios. Escape Hatches / Fast Response scenarios Poison Pill Data Exfiltration Specific requests or request volume that are targeted at overloading specific services or backends. Targeted (D)DoS Slow, sporadic, or steady requests to problematically extract data from your APIs Scraping Bots
- 31. The Security Space: Buying Expertise ● Build, vs Buy (or Host) ● Core to your Mission? ● Expertise and Level of Investment ● Cost versus Potential Cost
- 32. Deny list Traffic Data Models Dashboard Advanced API Security Apigee runtime Enforcement How Mitigation Block or mark the bot traffic depending on your needs API Traffic Data Continuously monitor billions of API calls to identify anomalies Machine Learning Models & Rules Continuously recognizing bot patterns and creating new rules Apigee Advanced API Security
- 33. Know when API are misconfigured or experiencing abuse. Managing API Security Configs Align API proxies to security standards to avoid misconfigured API proxies Recommend actions to improve the security posture
- 34. Bot & Abuse detection powered by ML Clustering alerts to reduce volume and provides the relevant context for quick resolution
- 35. Recap ● GenAI: New Opportunities, New Risks ● Machine-to-Machine APIs ● Integrated APIM is Critical ● Build Escape Hatches and Buy Expertise when appropriate
- 36. Thank you. Discussion & Demo at our booth today! Want to learn more? cloud.google.com/apigee Try Apigee for free for 60 days https://apigee.google.com/welcome Join our Partner network feigal@google.com; mattfgl@; mattfeigal@hachyderm.io