If DLP Worked Google wouldn't have Built Zanzibar

18 Jun 2023


Google undertook a massive effort to pass along the ownership and permissions of the data that APIs carry, so that access to data can be authorized at every API. Here's how you can achieve a similar benefit with Caber without disruptive changes to existing API structures or applications.

Application Programming Interfaces (APIs) today are the conduit for data between and inside modern applications. However, with the complex network of loosely-coupled APIs and the continuous pace of changes introduced by CI/CD workflows, securing applications is increasingly challenging.

The primary purpose of application security is twofold: controlling where application data can go and managing who can access it. The first aspect is a question of data integrity and confidentiality, ensuring that sensitive information doesn't fall into the wrong hands and is not altered during transmission. The second aspect is a matter of data accessibility, establishing user permissions to regulate who can view, modify, or distribute the data. These are the core tenets that drive security mechanisms in modern applications.

Implementing these principles consistently in an ever-changing environment is a daunting task. The dynamics of modern application architecture, with their sprawling ecosystem of interconnected services, have made it significantly more difficult to maintain a stable security stance. Given these challenges, Google's security initiatives, Zanzibar and BeyondProd, offer revolutionary solutions that tackle API security in a novel way.

Google’s Security Paradigms: Zanzibar and BeyondProd

Zanzibar, aptly dubbed "The Google-Wide Authorization System," revolutionizes traditional authorization methods. Instead of depending on the specific parameters of APIs, Zanzibar incorporates ownership data directly into the data packets being transmitted. By tying authorization to the data itself, it ensures that data ownership remains constant, regardless of API changes or data pathways.

Meanwhile, BeyondProd introduces a profound shift in the approach to network security. It places stringent requirements on every user interaction, data piece, and service, establishing a network-wide, defense-in-depth security model. By focusing on data, rather than how it moves through the network, BeyondProd ensures a steady state of security, irrespective of changes in the API environment.

While both Zanzibar and BeyondProd present an ingenious paradigm for securing data, their broad-scale implementation may be impractical for many enterprises. The requisite modifications in every API to integrate these security models can be a major undertaking, potentially disrupting existing workflows and incurring significant costs.

Caber CA/CO: Embodying Zanzibar and BeyondProd Principles Without Overhauling APIs

Enter Caber Continuous Authorization/Continuous Ownership (Caber CA/CO), a system that captures the essence of Google's security principles without requiring extensive API modifications. Caber CA/CO ties data within APIs to its ownership and permissions at rest, enabling real-time, continuous authorization.

By monitoring API calls and using the information obtained from data ownership and permissions, Caber CA/CO makes immediate authorization decisions based on the data itself. This mirrors the advanced principles of Zanzibar and BeyondProd, enabling the same level of data-centric security in a more accessible, less disruptive manner.

In Conclusion: Navigating API Security in a Dynamic Environment

In a rapidly evolving API landscape, maintaining consistent authorization and data security is a formidable challenge. While the principles behind Google's Zanzibar and BeyondProd offer compelling solutions, their wide-scale deployment may not be practical for many enterprises.

Fortunately, Caber CA/CO provides a viable alternative. It delivers the benefits of a robust, real-time, data-centric security model, reminiscent of Google's pioneering initiatives, but without the need for extensive API modifications. By focusing on data, ensuring continuous authorization, and adapting to the fast-paced world of APIs, Caber CA/CO emerges as an ideal solution to modern API security.


With the proliferation of APIs and the continuous evolution of the software landscape, it's evident that traditional security models may fall short. Solutions like Zanzibar, BeyondProd, and Caber CA/CO provide a glimpse of the future of data security. They embody an approach that transcends the stability of APIs, focusing instead on the data itself—our most valuable digital asset.
