Security blanket: Our digital lives are only secure if our APIs are secure. Here's how Equinix is doing just that.

Every second of every day, Equinix serves an average of 25,500 gigabits of data through 435,000 interconnections at its nearly 250 data centers around the globe. These vast flows of information operate nonstop to support a wide range of essential services, such as the lifesaving work of hospitals and first responders, powering global financial markets, or managing food and pharmaceutical production. The data centers this data flows through play an increasingly central role in more daily tasks, too, whether that’s hybrid work, ordering takeout, shopping for clothes and toiletries, or sending a funny meme to someone you love.  

Without this digital infrastructure, our lives, as we’ve come to know them, would be drastically different. And yet most of these critically important workloads — our digital production lines — are almost entirely automated, with light human touch from a suite of APIs built by Equinix and Google Cloud. 

It’s impossible not to automate them, really. If so much work had to be done manually, or with close human monitoring, most of it would come to a screeching halt, along with pretty much any kind of future innovation.

“As most every business has grown by leaps and bounds digitally the past few years, we’ve grown alongside them, reaching a scale that’s truly monumental,” Yun Freund, the senior vice president for platform and product at Equinix, said. “At these scales, manual processes become virtually impossible because of the volume of API releases and updates both Equinix and our tens of thousands of customers are doing.”

An API, or application programming interface, is one of the key ways devices, servers, and systems communicate today. Now if each of Equinix’s API releases, and the individual APIs on which they run, are viewed as an access point, as a doorway to these businesses, then that becomes a lot of doors to be locked to all but those with the proper keys and credentials. 

Turns out that many of those doors aren’t being sufficiently guarded at a lot of organizations: Among more than 500 recently surveyed by Google Cloud, roughly half said they had experienced an API-related breach in the past year, while 53% said they delayed the rollout of a project because of concerns over API security. And a separate report by Fugue.co found that among the organizations it surveyed who had suffered a security breach, APIs were the leading point of attack.

And so, just as APIs have become an engine for Equinix’s growth as a data partner and provider, API security has become Equinix’s shield to ensure the defense of its growing domain. Basically, it takes an automated and managed security approach to protect an automated and managed product platform.

After all, you become a pretty tantalizing target when your business is connecting and orchestrating the digital business of more than 10,000 other businesses.

“If building and maintaining our API platform is job one,” Freund said, “then API security is job zero. Our APIs are only as useful as they are secure.”

APIs take hold, as does the need to secure them

Equinix was founded in 1998, just as the internet was taking off yet few businesses were actually online (Google was incorporated a few months later). The idea was to colocate servers so networks could more quickly, stably, and securely communicate — Equinix is a portmanteau of “equal, neutral internet exchange” — and as dramatically as digital businesses have grown and shifted over the past quarter century, the company’s mission has remained the same.

In the intervening years, Equnix shifted to a network built on APIs because of the basic efficiency and security an API’s standardized controls offer. This enables a company like Equinix to share the tools and data of its products, such as Equinix Fabric (connecting hybrid multicloud environments), Equinix Metal (high-performance “infrastructure as a service”), and Network Edge (virtual network services on-demand) — while maintaining a defined level of control and security between its products and the user-customers. Last decade, Equinix began working with Google Cloud’s Apigee as the platform for running these APIs.

“It’s all about speed and performance balanced with security,” Freund said. “When things go to either extreme, either too fast or too controlled, you have to dial it back and find the right balance. Automation can help with that.”

The security layer afforded by API platforms like Apigee is a big part of what makes them such a compelling solution for enterprises large and small. L’Oréal is building an entire “beautytech” ecosystem, for example, by letting other startups and companies access its tools and programs, such as virtual try-ons and wellness analyzers.

Common API development mistakes — such as excessive data exposure, misconfiguration, broken authentication, a lack of rate limiting and metering (throttling of bad traffic), and no bot detection or management — are leaving businesses vulnerable to attack, according to Amit Zavery, vice president and head of platform at Google Cloud. “Ease of access should not come at the cost of security and visibility,” Zavery said. 

When those values are compromised, it can indeed be costly. In 2021, a record 1,862 data breaches in the United States occurred, according to Statista, affecting almost 300 million individuals around the world. That was around 70% more than in 2020 and 2021, and 24% above 2017, which had the previous record for 1,506 breaches. IBM estimates that the average U.S. data breach cost companies $9.44 million.

“With so many businesses relying on us, and so much commerce, security becomes not just necessary — it’s a necessity,” Freund said.

Such concerns helped spur Equinix to take its security to the next level, becoming a pilot partner for Apigee’s Advanced API Security features.

Hunting misconfigured APIs to shoot down loopholes

Advanced API Security offers two key features: detection of automated bot attacks; and identifying misconfigured, and thus vulnerable, APIs. As far back as 2017, Gartner predicted that by this year, API abuses would be the top vector of attack for bad actors. 

The most common entry point, according to Google Cloud’s research, is misconfigured APIs, involved in 40% of breaches, followed by outdated APIs and data, which were also a factor in 35% of breach. When there’s potentially millions of developers and technicians at tens of thousands of companies accessing your network through those APIs, the potential for misconfigurations becomes considerable.

Take, for example, unencrypted communication or insecure HTTP headers on a page. These mistaken practices can introduce vulnerabilities that can ultimately weaken the entire system if accessed by the wrong parties before they are addressed. 

The same way Apigee regularly scans for proper credentialing and access of APIs when properly used, the platform’s Advanced API Security tools can now actively monitor for misconfigurations, shifting from the passive monitoring Apigee does so well to active alerts. These will guide teams on how to reconfigure the API to help close the breach.

“A single pane of glass, a single dashboard, is so helpful to being able to spot and manage any incidents, or the potential for incidents,” Freund said.

On the lookout for bots

And then there is the increasingly common and familiar threat: bots, which are involved in around 30% of attacks (some attacks involve a combination of bots, misconfigurations, and outdated materials).

“Bots are relentless,” Google Cloud’s Zavery said. “They don’t fatigue, and they can retool their attacks to overcome many common defense mechanisms, which puts security teams under pressure and draws on resources.” 

With bot management in Apigree’s Advanced API Security, the system can proactively disrupt the disruption — relieving the stress of reactive responses and allowing Equinix and others to regain control faster. By proactively managing bot activity (there are helpful bots that you don’t want to block), organizations can keep harmful bots away while letting the good ones through, not to mention all the humans working just as much on the network. 

Furthermore, because of the sheer scale of bot attacks, detection and prevention is a massive undertaking. By employing AI for monitoring, Apigee can offer greater speed and responsiveness in these moments of crisis — and even potentially prevent them. 

Through prediction analysis and anomaly detection, Apigee can prevent bigger issues from occurring by flagging concerns in advance. This Equinix and other Apigee users maintain their security posture without slowing down innovation. And because the AI is constantly watching, learning, and improving, it can boost security over time and keep up with threats that are constantly evolving, as well.

“We use APIs to be agile,” Freund said, “and so our security has to be agile, too.” 

Securing foundations of the digital economy

While it’s incredible to look back at the past quarter century, and see just how far we have come since Equinix launched, in many ways, we are still at the early stages of the digital economy, and really the digital world.

Advances in 5G, edge computing, hyperscale clouds, and even the nascent future of quantum computing, are going to bring more sensors, more data, more connection, and more opportunity into our daily lives and livelihoods. And a good deal of that traffic will be traversing Equinix data centers.

“Like our services, our security would struggle to keep up without automation,” Freund said. “It’s a big part of being vigilant.”

That vigilance is key. To secure this brilliant future, we must first secure its foundations. That’s exactly what Equinix has set out to do.