News, news analysis, and commentary on the latest trends in cybersecurity technology.

10 Ways a Digital Shield Protects Apps and APIs

Layers of protection can bring defense-in-depth practices to distributed clouds and other modern network architectures.

Joshua Goldfarb, Global Solutions Architect — Security

May 17, 2024

5 Min Read
digital shield in a man's hand
Source: Sarayut Thaneerat via Alamy Stock Photo

When network architectures were simpler, so was protecting apps and application programming interfaces (APIs). They were predominantly on-premises, so defense-in-depth practices could be applied to enterprise networks. While far from perfect, this approach provided multilayer security defenses to protect apps and APIs.

As network architectures gradually became more complex, so did protecting apps and APIs. The on-premises enterprise environment gave way to a hybrid mix of on-premises, data center, and multiple cloud environments. These days, hybrid and multicloud environments are more the rule than they are the exception. They introduce complexity and challenges that make it significantly more difficult for organizations to apply defense-in-depth practices to protect apps and APIs.

While the idea of rebuilding the enterprise perimeter doesn't make much sense in the current state, perhaps there is another way to bring requisite protections to apps and APIs. What if organizations could open an umbrella — a digital shield, if you will — around their hybrid and multicloud environments? This would allow them to add layers of protections that would, at least logically speaking, bring defense-in-depth practices to modern network architectures.

What are some of the essential elements and functionality of a digital shield? I'll explain 10 of them here.

1. Standardized Communication

The first step in protecting apps and APIs is standardization across different environments. This doesn't mean that all environments need to be homogeneous, of course. Rather, it means that all environments need a common, central management interface. There also needs to be a straightforward way to understand what environments exist, where they are, how they are connected, and what is running inside of them.

2. Uniform Policy

The ability to uniformly apply and enforce security policy is another important step in protecting apps and APIs. Attackers are always on the lookout for the weakest link. When there is inconsistency in how environments are managed or a large amount of manual labor involved in managing those environments, that opens up holes that attackers can exploit. One of the top benefits of security policy standardization is the ability to reduce the number of weaknesses and points of failure that attackers can leverage.

3. Proper Visibility

Just like when networks were largely on-premises, telemetry and other data requisite for visibility reign supreme — even in modern network architectures. Continuous security monitoring is driven, first and foremost, by visibility. Without the ability to see traffic to and from apps and APIs across all environments, security teams don't have the ability to monitor their environments for potential security and fraud issues.

4. Reliable Alerting

While visibility is extremely important, it needs to be properly leveraged to create and sustain reliable alerting across hybrid and multicloud environments. This means identifying critical assets and key resources and creating incisive alerting that cues the security team to unusual, suspicious, or malicious activity. For alerting to be considered reliable, it must have low false-positive rates and high true-positive detection rates. This allows an organization to hone its detection and response capabilities — without burying itself in noise.

5. Response Capability

When a security incident is identified, the proper incident response needs to be triggered. This requires not only proper visibility across hybrid and multicloud environments, but also the ability to query, analyze, and interrogate telemetry data from those environments. This is easier said than done, of course, and is an important part of any digital shield.

6. Good Governance

Managing the life cycle of apps and APIs is also an important, yet sometimes neglected, part of securing them. Having apps and APIs inventoried, managed, controlled, versioned, compliant with schema, processing input and output as expected, and adherent to change control procedures makes them less prone to vulnerabilities being introduced during the software development life cycle (SDLC). Proper governance is an all too often overlooked component to protecting apps and APIs, requiring the capabilities that a digital shield provides.

7. Central Controls

Preventive and detective controls work collaboratively to help secure apps and APIs. Preventive controls help secure environments against attacks they face. But because preventive controls are never 100% effective, detective controls augment preventive controls by alerting security teams when security incidents occur. Managing this symbiotic relationship across multiple environments can be extremely complex and difficult without a centralized management capability.

8. Vendor Agnosticism

Getting locked into cloud providers and the array of technologies and solutions they offer is never fun. Part of the appeal of a digital shield is that, in addition to providing an added layer of protection, it acts as a logical overlay to different cloud environments. This allows organizations to leverage available capabilities via one common interface, rather than needing to develop vendor-specific and vendor-dependent capabilities in each and every cloud environment.

9. Defense-in-Depth

Defense in depth and multilayer security are nothing new. They are fundamentally simple in theory yet difficult to implement in practice. The idea of having multiple layers of protection around apps and APIs to avoid single points of failure and weakness makes sense logically. Managing this approach, however, without a digital shield capability is a difficult undertaking due to the complexity of modern network architectures.

10. Simplified Operations

Maximizing the capabilities of defensive technologies is difficult unless operating them is relatively straightforward. Simplified operations require many components. Among them are executive dashboards to convey value to executives and the board; the ability to easily manage, maintain, administer, and secure infrastructure, apps, and APIs; the ability to uniformly and universally apply policy; and the ability to analyze and investigate events and incidents. These and other capabilities allow organizations to maximize the potential of the digital shield as a logical overlay and additional layer of defense.

Raise Your Shield

Protecting apps and APIs is an important undertaking for any organization. While the effort involves many moving parts, leveraging a digital shield as a logical overlay and added layer of defense can greatly simplify app and API security. Reducing complexity and centralizing management into one logical overlay platform can help organizations ensure that they maximize their technology investments and minimize the potential for risk, weakness, and vulnerability introduced by complexity, oversight, and human error.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights