How Apigee can help government agencies adopt Zero Trust
Customer Engineer, Google Public Sector
Securely sharing data is critical to building an effective government application ecosystem. Rather than building new applications, APIs can enable government leaders to gather data-driven insights within their existing technical environments. With the help of APIs, agencies can bring application-based information together to support their objectives.
U.S. government agencies are now encouraged to adopt a Zero Trust security architecture to detect and defend against cyber attacks. API protection is a core principle to implement Zero Trust architecture. As Gartner® said in its Innovation Insight for API Protection report, “By 2026, 40% of organizations will select their web application and API protection provider based on advanced API protections, and web application security features — up from less than 15% this year”.
Our post walks you through how Google Cloud’s Apigee can help build API protections with Zero Trust principles.
How Apigee helps government adopt a Zero Trust architectureApigee is a full lifecycle API management platform that helps government security leaders adopt a platform approach to managing APIs securely. Agencies can start their Zero Trust architecture journey with Google Cloud's Web and API Protection (WAAP) as shown in Figure 1. WAAP uses Cloud Armor, reCAPTCHA Enterprise and Apigee to protect government websites, mitigate bots and fraud risk for immediate results and help mature security practices. Apigee, with its out-of-the-box policies for security, traffic management, visibility, automation and governance integrates the key pillars required for Zero Trust compliant Architecture.
Figure 1 : High-level architecture of Google Cloud Web and API Protection
Features of Apigee Zero Trust solution
A high-level reference architecture of Apigee’s capabilities as policy administration and enforcement point while seamlessly integrating with web application firewalls, consumer behavior/intent-based trust algorithms, IAM, analytics, logging, and monitoring systems is shown in Figure 2. This architecture provides the foundation for improving system observability to mature the Zero Trust architecture incrementally based on access data telemetry.
Figure 2 : NIST 800-207 use cases, Enterprise with contract workforce and multiple cloud providers, secured with Apigee as policy administration and enforcement point to enforce Zero Trust architecture
Multi-cloud API gateway: Apigee is a cloud-hosted Policy Configuration and Enforcement point mitigating the enforcement engine resiliency risks and can manage consistent control of APIs in any public or private cloud environment. Apigee provides advanced cloud first authentication and authorization of resources with out of the box policies to enforce OIDC, Oauth 2.0, SAML, and JWT’s enforcing SSO, MFA, Context Aware Access Policies and Passwordless access features.
Automated threat protection: Apigee’s Advanced API Security can identify misconfigured APIs, detect bots, provide a security score, protection recommendation and automate the security healing for an API environment. Advanced API Security uses specific API traffic patterns which represent any unusual traffic, such as a large number of calls from a single IP address, defending from DDoS and OWASP Top 10 threats.
Seamless integration: Apigee provides advanced threat protection through its ability to integrate with trust algorithms like reCAPTCHA to detect malicious consumer behavior but also with a WAF like Cloud Armor to protect against OWASP Top 10 attacks.
Identity and Access Management (IAM): Apigee integrates with existing identity providers, such as Google Cloud Identity, Okta, or Active Directory to simplify identity management and can enforce advanced security policies in alliance with ICAM systems like Multi Factor Authentication, Privileged Access, Identity Federation, Behavioural Pattern Detection, Biometric Signal Processing and building a continuous and contextual authentication and authorization environment for APIs implementing time bound access using Oauth 2.0, JWT or SAML tokens.
Analytics and monitoring: Apigee Analytics provides a unified view of API performance and security, enabling organizations to monitor and optimize their APIs in real-time. This includes deep insights into API usage, performance, and security. Apigee can also seamlessly integrate with various SIEM systems like Google’s Chronicle.
Governance, compliance, and auditing: Apigee's API hub enables you to consolidate and organize information on all APIs in your organization. It includes APIs at all stages of their lifecycle, from design and implementation through deprecation and retirement to proliferate consistent design standards and governance checks.
Take the next step
Apigee provides a platform-based approach to implementing mission lifecycle management through Secure API Management. Our approach includes offering capabilities to address time-bound access provisioning and termination, unlocking data while protecting sovereignty, and providing automation and deeper visibility into the governance of enterprise resources, all of which can help promote Zero Trust architecture maturity.
Get started with Apigee on Google Cloud by exploring the best practices for securing your APIs and Applications. Take your next step to start a free trial, explore pricing, or contact Apigee Sales to help evaluate your API Management use cases.