
CISSP Domain Principles and API Management Solutions

Recently, I took my CISSP exam and passed this industry-recognized certification. As part of my preparation, I was trying to apply practical use cases to those CISSP domain principles.

Recognizing how important API security is to our customers, I was trying to associate our Layer7 API Management solutions with CISSP security principles. This not only helped me delve deep into those domain principles but also helped me gain momentum on practical applications.

Security and Risk Management

As we know, APIs provide easy and secure integration with enterprise digital assets, and they form an essential building block for the digital ecosystem (App Economy). We also know that security and protection are two key pillars in the life cycle of an API. Businesses can build the required Confidentiality, Integrity and Availability as part of securing information (APIs) using Layer7 API Management’s Encryption, Hashing, and Clustering features. This aligns with the fundamental information security principle called the “CIA Triad”.

Similarly, Layer7 API Gateway provides a complete solution for the “IAAA” model.

  • In information security, user identification and authentication is one of the key challenges that enterprises face in today’s cyberspace. Businesses require a solution that provides greater assurance that users are who they claim to be, and Layer7 API Gateway provides several options for enterprises, from user identification to authentication, whether it is Knowledge-Based, Possession-Based, Biometric, or Location-Based.
  • In the same manner, user authorization is another key component, where our Gateway offers numerous options such as Role, Constrained, Context or Content-based authorization to the endpoints, and where our APIM solution also supports Least Privilege and Need-to-Know restrictions via policy customization.
  • And finally, Layer7 API Management solutions cover a wide range of auditing and logging principles which are in line with SIEM requirements.

Privacy and Data Protection

Our Certification and Key Management features guarantee a wide range of CBK principles, from non-repudiation to mutual authentication. From a regulatory and contractual obligations point of view, healthcare, credit card management, and federal sectors can all easily adapt their applications to observe these regulations via policy governance, enabling auditing/logging, and policy customizations, thereby supporting PI, PII, NPII & PHI mandates.

Security Governance and Vulnerability Management 

Security Governance is another key CISSP principle with which Layer7 API Management is aligned. We precisely categorize information (APIs) based on data value (responses) and protect it accordingly using various Roles and Privileges, thereby creating a logical virtualization using secure zones and OOTB assertions that protect the application endpoints from known OWASP vulnerabilities. Examples include misuse, hijacking, XSS, CSRF, code/SQL injection, broken access control, security misconfiguration, and insufficient logging and monitoring.

Security Operation and Patch Management

  • Security Operation is strongly affiliated with Layer7 API Management. This includes policy recovery using built-in policy history and revision management, and enabling secure configuration or release management via the Gradle plug-in and GMU tools and technology, which allows easy integration with an existing CI/CD pipeline or secured migration of policies across various regions/environments.
  • Similarly, based on regular reference to CVE & NVD (Common Vulnerabilities and Exposures and National Vulnerability Database), Layer7 API Management support delivers quarterly service packs or ad-hoc Security Patches to ensure the product is protected from all known threats and vulnerabilities.

Conclusion

CISSP is an inch deep and a mile wide certification that connects various aspects of Information Security and Privacy protection. Using the examples above, hopefully you are able to further secure your API Management infrastructure.