Enterprises operate computer networks that interconnect computing devices to support and manage business needs, provide resources, deliver services, and offer interactive web services. The security of an enterprise's data and network resources is a high priority in many circumstances, especially when public Internet users access data or web services via application programming interfaces (APIs) within the enterprise network. At the same time, APIs are such a driving force in the expansion of data management, web services, and private cloud network systems that the business demand for maintaining useful APIs is too high to ignore. As such, enterprises have to increase the security and monitoring of their networks.
APIs are software methods that allow machine-to-machine communication. APIs can enable arbitrary operations on computers; examples range from accessing data through under-authenticated APIs, to creating user accounts, to stealing personally identifiable information, protected health information, or protected financial data, to taking other actions.
Some of those operations might be considered legitimate while others might not. For example, consider a brokerage website that provides its customers an API for stock quote updates on the stocks they hold. Having a customer's smartphone make API calls hourly to fetch updates for that customer's holdings might be considered legitimate, whereas making API calls every half second to download all stocks traded on an exchange might not be considered a legitimate use of the API. Likewise, API calls to get one's own bank balance might be considered legitimate, whereas API calls that try to access someone else's bank balance might not be.
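The two kinds of illegitimate use just described, excessive call rates and reaching for another customer's resources, are the sort of thing an API monitoring layer would flag from an access log. The following is an added example, not code from the original text: a small analyzer over a constructed access log, using a sliding-window request count per account and a check that the account in the request path matches the authenticated caller. The log tuple format, the `/v1/accounts/<owner>/...` and `/v1/quotes/...` path scheme, and the window and threshold values are all assumptions made for the example.

```python
"""Flag excessive API call rates and cross-account resource access in a
constructed access log. Added example; log format, path scheme and
thresholds are assumptions, not part of the original text."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample access log: (ISO timestamp, authenticated account, method, path).
SAMPLE_LOG = [
    # Legitimate: a customer reads their own balance.
    ("2024-01-01T09:00:00", "acct-100", "GET", "/v1/accounts/acct-100/balance"),
    # Suspicious: the same customer asks for a different account's balance.
    ("2024-01-01T09:00:01", "acct-100", "GET", "/v1/accounts/acct-200/balance"),
    # Legitimate: another customer polls a single quote.
    ("2024-01-01T09:00:02", "acct-200", "GET", "/v1/quotes/ACME"),
]
# Suspicious: acct-300 hits the quote endpoint twice a second for six seconds.
SAMPLE_LOG += [
    (f"2024-01-01T09:00:{i // 2:02d}", "acct-300", "GET", f"/v1/quotes/SYM{i}")
    for i in range(12)
]

# Assumed path scheme: the second segment names the resource owner.
OWNER_PATH = re.compile(r"^/v1/accounts/(?P<owner>[^/]+)/")


def parse(record):
    """Turn a raw log tuple into (datetime, account, method, path)."""
    ts, account, method, path = record
    return datetime.fromisoformat(ts), account, method, path


def detect_rate_abuse(log, window_seconds=10, max_requests=5):
    """Return the set of accounts that make more than max_requests calls
    within any sliding window of window_seconds.  A sliding window is used
    rather than fixed buckets so a burst straddling a bucket boundary is
    still caught."""
    flagged = set()
    recent = defaultdict(deque)  # account -> timestamps inside the window
    window = timedelta(seconds=window_seconds)
    for ts, account, _method, _path in sorted(map(parse, log)):
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(account)
    return flagged


def detect_cross_account_access(log):
    """Return (caller, path) pairs where the caller addressed a resource
    owned by a different account.  This is the object-level authorization
    check the API itself must enforce, re-applied here at the monitoring
    layer so a missing check in the service still produces a signal."""
    hits = []
    for _ts, account, _method, path in map(parse, log):
        m = OWNER_PATH.match(path)
        if m and m.group("owner") != account:
            hits.append((account, path))
    return hits


if __name__ == "__main__":
    print("rate abuse by:", detect_rate_abuse(SAMPLE_LOG))
    print("cross-account access:", detect_cross_account_access(SAMPLE_LOG))
```

Both detectors return structured results rather than printing, so they can feed an alerting pipeline or a policy engine that tightens the caller's permissions; in a real deployment the thresholds would be tuned per endpoint, since an hourly quote poll and a trading feed have very different legitimate rates.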
Typically, enterprises deploy private cloud-based computer networks inside their networks and behind their firewalls. Such entities generally have strict policies on what data is allowed to exit their network and may even have different clouds for different purposes. Despite such policies, many large organizations expose APIs to the Internet public, whether intentionally or unintentionally, knowingly or unknowingly.
APIs can be unintentionally exposed and allow for potentially undesirable use of corporate resources, and security teams have little visibility into, and even less control over, what APIs teams inside their organization make available. Because APIs allow direct instruction of machines, often in ways that the owning department may not be aware of, security teams face a major challenge in controlling API access from outside the organization or between two portions of the organization (the latter being useful for detecting compromised endpoints or compromised services inside the organization).
Therefore, it would be desirable to give enterprise security teams and management closer control and monitoring of their enterprise web services, in a way that makes it manageable and cost effective for security teams to monitor and modify API/web service permissions, requests, and responses.