Private individuals and businesses increasingly rely on network interconnectivity to conduct their business and transfer more and more data over the Internet. In a typical enterprise setting, the service components of an enterprise application (commonly referred to as an “App”) communicate over a data network. The data input/output and the instructions to perform a specific business function are collectively called application network transactions, and such transactions often contain business information and user identities of a sensitive and private nature. Consequently, network security that prevents unauthorized access to the sensitive data contained in these application transactions is becoming increasingly important.
To ensure network security, enterprise settings have traditionally used Deep Packet Inspection (DPI) devices. These devices are sometimes used for Intrusion Detection and Prevention Systems (IDS/IPS) and sometimes used as a Web Application Firewall (WAF), but in either case they rely on what is called a protocol specification to interpret transactions on a network. For example, firewalls such as Palo Alto Networks' “Next Gen” firewall leverage frequently updated patterns in the network flow to identify application traffic in support of features like “App ID,” which attempts to identify the category of applications traversing a network. While these implementations of network packet inspection may provide support for basic standard protocols such as HTTP and HTTP-based applications, existing WAFs and other application protection mechanisms are quickly becoming inadequate as attacks on applications become more sophisticated, often disguising malicious instructions sent over the network so that they appear to be legitimate instructions to any conventional network security monitor.
Additionally, enterprise applications continue to expand into the cloud environment, where conventional network security monitors lack the capability to provide sufficient visibility. Most conventional network security monitors are unable to provide fine-grained security control at the application programming interface (API) level unless a machine-readable definition of the API is available. Sometimes an application developer will provide this definition, but more often than not a system administrator must perform an analysis of the application transactions before the application API can be properly classified. Classifying the application API can be difficult for system administrators because the application is often changed or updated before the classification can be completed. Since conventional network security monitors are not capable of handling changing application APIs, some enterprises have decided to rely on API security tools built into the application code itself.
Although API security tools built into the application code benefit from full access to the application, and are fairly effective in monitoring application transactions internally, these embedded tools are often unwieldy and difficult to deploy: they require certain custom libraries to be integrated into the application, which limits the developer's flexibility in choosing the platform that fits their needs. In an enterprise setting, application development and security operations generally are, and should be, separated, to ensure that application developers can select the best tools and programming languages to optimize an application. Otherwise, the demands of security operations could stunt the growth of an application during its development.
Last but not least, while traditional application architecture uses a monolithic design with only a single front-end interface, emerging enterprise application architecture increasingly applies a hybrid model that combines microservice architectures and legacy applications. Modern advanced enterprise application architecture often puts emphasis on a network or a mesh of application instances rather than relying on a few static application service hosts. Because built-in application monitors are not effective in monitoring inter-instance communications, security solutions built into the code or the platform are becoming obsolete in a modern enterprise application architecture.
Additionally, conventional network monitors follow a set of predefined rules that, once loaded, do not change during operation, which further slows the development process.