apidays Helsinki & North 2023 - API Security in the era of Generative AI, Matt Feigal, Google Cloud Sweden

Transcript

1. API Security in the era of Generative AI Matt Feigal

   June 6, 2023 [email protected]; mattfgl@; [email protected]
2. None

3. Apigee Partner Engineer 10 yrs @ enterprise developer / architect

   10 yrs @ Google [email protected]; mattfgl@; [email protected]

4. Generative AI’s Impact to API Ecosystem New and Exacerbated Risks

   Patterns for Success 01 02 03 Agenda 00 Hi! (It’s Me)

5. Place Image Here Generative AI - Empowering Everyone Generative AI

   is a powerful tool which will be used by all personas in the API ecosystem. Service developers, API Owners, Network Administrators, Product Owners, Data Analysts, Security Analysts... Everyone moves ‘up’ the mountain ****EXAMPLES***** ChatGPT, Google’s Bard, PaLM, LLMs, Imagen, Midjourney, DALLE-2… Codey, Copilot, AutoGPT, LangChain Novice Guru 01

6. Gen AI Use Cases in the API Ecosystem Collaborator Operations

   and Toil Service Replacement GenAI APIs • Complete Tasks via Chat, IDE, etc • Text, Code, Images, Media, Video, Slides, APIs, Documentation, … • Boilerplate, Transcoding, Monitoring, Observability, … • Last mile - Replace Services with Prompt → Data Model • New Ecosystem (and Business Model) with LLM, Data, and LLM extensions (langchain) • AIs calling your APIs? AIs calling other AIs?

7. Microservices Architectures Source: https://www.itrelease.com/2018/10/examples-and-types-of-microservices/

8. Reference Cloud Architecture API Gateway Microservices Serverless Functions Load Balancing

   Databases, Caches, Other Stores… On-Prem DC External SaaS Providers

9. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless

   Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

10. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

11. Reference Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

12. Generative AI increases the need for API Management and API

    Security. APIs are the contract for machine-led creation and consumption. New and Exacerbated Risks 02
13. None

14. API misconfigurations and Bots are identified as potential two of

    the top three threats Source: https://venturebeat.com/2021/07/27/fugue-36-percent-orgs-suffered-serious-cloud-breach-in-last-year/

15. 14 Source: API Economy | Google Cloud “By 2022, API

    abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.” - Gartner, API Security: Protect your APIs from Attacks and Data Breaches, Mark O'Neill, Dionisio Zumerle, 2021 170% Apigee saw over 170% increase in abusive API traffic last year API Security Threats are Evolving and Increasing

16. ! 84% of companies saw an increase in the number

    of bot attacks over the last year (Jan ‘21) Bot Attacks Source: Forrester Consulting - State Of Online Fraud And Bot Management $24B Lost to credit card fraud by US businesses Payments Fraud ! $1T Lost to abandoned checkouts or rejected transactions 53 days spent on average fully resolving a bot attack ! API Abuse ! Account Takeover 90% Increase in 2021 alone 50% of organizations experienced an API security incident in the last 12 months 77% of organizations that experienced an API security incident delayed a rollout Web Security Threats are Evolving and Increasing

17. Your APIs need to be secured across all points of

    interaction Threat Protection Behavior Based Signature Based Payload Complexity Spikes OWASP (SQL injection, input validation, etc.) Access Controls OAuth2 API Keys Products Scopes Quota/Spike Arrest Logging Self Service & SSO IAM Integration Prov. & DeComm OpenId Connect JWT SAML Security Governance Global Policies RBAC management Data Masking Compliance: ISO, PCI-DSS, HIPAA, SOC1&2, CSA STAR Data Security TLS Two-way TLS IP Access Control Encrypted Data Store and Cache User App Developer API API team Backend

18. New Risks: Meet the Generative AI Family Good Competent Bad

    Attacker Oops Buggy

19. Reference Cloud Architecture with Gen AI On-Prem DC API Gateway

    Microservices Serverless Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice External SaaS Providers

20. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

21. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

22. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

23. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

24. Common Cloud Architecture with Gen AI API Gateway Microservices Serverless

    Functions Load Balancing Databases, Caches, Other Stores… Machine caller Machine Authored Machine Operator Machine as a microservice On-Prem DC External SaaS Providers

25. Mitigating Risks: • Paved Path for Developers • Defense in

    Depth • Shield your Generative AI • Escape Hatches • Buying Expertise 03 Emerging patterns for success

26. Place Image Here Paved Path for Developers • Easy to

    be compliant and secure • Single Path through the system • Idiomatic, Integrated Tools • Prioritize Developer Velocity (first class support for ephemeral or test APIs)

27. On-Prem DC Defense In Depth Apigee Microservices Serverless Functions Load

    Balancing Databases, Caches, Other Stores… WAF Adv API Security SWG SWG CAPTCHA External SaaS Providers

28. Shield your Generative AI • Don’t expose your ML API

    directly! • Same lessons you’ve learned shielding a database from direct API calls! • Incoming: Context engineering Prompt Engineering • Outgoing: ◦ DLP checks / IP checks ◦ Accuracy checks ◦ Brand safety checks

29. Place Image Here Escape Hatches / Fast Responses • Multi-tier

    applications have different release cadences and risk factors. • Escape Hatches are quick-twitch Policy Enforcement Points, Filters, and Shields • API Gateway/Proxy and Service Mesh are great resources for dealing with the following scenarios…

30. Specific request that exploits a vulnerability. SQL injection, parser errors,

    de/ser bugs, protocol edge cases, etc. Security Breach - such as returning too much data from one or more services across a variety of scenarios. Escape Hatches / Fast Response scenarios Poison Pill Data Exfiltration Specific requests or request volume that are targeted at overloading specific services or backends. Targeted (D)DoS Slow, sporadic, or steady requests to problematically extract data from your APIs Scraping Bots

31. The Security Space: Buying Expertise • Build, vs Buy (or

    Host) • Core to your Mission? • Expertise and Level of Investment • Cost versus Potential Cost

32. Deny list Traffic Data Models Dashboard Advanced API Security Apigee

    runtime Enforcement How Mitigation Block or mark the bot traffic depending on your needs API Traffic Data Continuously monitor billions of API calls to identify anomalies Machine Learning Models & Rules Continuously recognizing bot patterns and creating new rules Apigee Advanced API Security

33. Know when API are misconfigured or experiencing abuse. Managing API

    Security Configs Align API proxies to security standards to avoid misconfigured API proxies Recommend actions to improve the security posture

34. Bot & Abuse detection powered by ML Clustering alerts to

    reduce volume and provides the relevant context for quick resolution

35. Recap • GenAI: New Opportunities, New Risks • Machine-to-Machine APIs

    • Integrated APIM is Critical • Build Escape Hatches and Buy Expertise when appropriate

36. Thank you. Discussion & Demo at our booth today! Want

    to learn more? cloud.google.com/apigee Try Apigee for free for 60 days https://apigee.google.com/welcome Join our Partner network [email protected]; mattfgl@; [email protected]