Challenge

Digital transformation initiatives have opened up access to more and more data and resources, which has broadened the attack surface. By and large, access to that data or digital asset happens through API calls, typically managed by an API Gateway. For that reason, API access control is a crucial piece of any API security strategy, and indeed 4 out of the top 5 security risks described in the OWASP API Security Top 10 list are now identity-related.

The PlainID Authorization Platform

PlainID’s Authorization Platform provides ready-to-use capabilities to define API access policies and enforce them through the API Gateway (North-South traffic), utilizing identity so that authorization decisions are not based on just the system account.


PlainID Authorizers for API Gateways

PlainID Authorizers are ready-to-use integrations for specific API Gateways that control authorization for a target destination. Such Authorizers include the AWS API Gateway Authorizer, the Apigee Authorizer and the Kong Authorizer.

Architecture flow

  • The user logs in to the application
  • The application sends an Authentication request to the Identity Provider (IdP)
  • The application sends API calls that are directed through the API Gateway in order to access different services.
  • PlainID’s Authorizer (implemented as a plugin in the API GW) receives the request and makes a dynamic access decision in real-time, based on the policies.
    The decision can be:

    • Permit or deny the transaction
    • Permit the transaction with a token exchange or token enrichment for additional identity-aware context and policy decisions
  • The API call is passed on to the service layer
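The decision step above, as an added illustration that is not PlainID's own code or policy format: a minimal identity-aware gateway authorizer that takes the request method, path and the caller's already-verified token claims, evaluates a small policy set (explicit deny first, default deny, permit with enrichment), and wraps the result in the response shape an AWS API Gateway Lambda authorizer returns. The policy structure, the claim names (`sub`, `roles`, `tenant`) and the sample requests are constructed assumptions for this example; validating the token against the IdP is assumed to have happened before this code runs.

```python
"""Added illustration, not PlainID's own code: a minimal identity-aware gateway
authorizer. Policy format, claim names and sample requests are constructed
assumptions; token signature/expiry validation is assumed done upstream."""
import fnmatch
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    effect: str                        # "permit" or "deny"
    methods: frozenset                 # HTTP methods the rule covers
    path_pattern: str                  # shell-style glob over the request path
    any_role: frozenset = frozenset()  # caller needs at least one of these roles
    enrich: dict = field(default_factory=dict)  # context forwarded downstream on permit

    def matches(self, method, path, roles):
        if method not in self.methods or not fnmatch.fnmatch(path, self.path_pattern):
            return False
        return not self.any_role or bool(self.any_role & roles)


# Constructed policy set: deny rules are evaluated first and override permits;
# anything not explicitly permitted is denied (default deny).
POLICIES = [
    Policy("deny", frozenset({"DELETE"}), "/accounts/*"),
    Policy("permit", frozenset({"GET"}), "/accounts/*",
           frozenset({"teller", "auditor"}), enrich={"data_scope": "branch"}),
    Policy("permit", frozenset({"POST", "PUT"}), "/accounts/*",
           frozenset({"teller"}), enrich={"data_scope": "branch", "step_up": False}),
]


def decide(method, path, claims):
    """Return (effect, context) for one request. `claims` are the verified
    token claims the gateway already validated against the IdP."""
    subject = claims.get("sub")
    if not subject:
        # A bare system/service credential carries no user identity: refuse
        # rather than fall back to authorizing the system account itself.
        return "deny", {"reason": "no_user_identity"}
    roles = frozenset(claims.get("roles", []))
    ctx = {"sub": subject, "tenant": claims.get("tenant", "")}
    for p in POLICIES:
        if p.effect == "deny" and p.matches(method, path, roles):
            return "deny", {**ctx, "reason": "explicit_deny"}
    for p in POLICIES:
        if p.effect == "permit" and p.matches(method, path, roles):
            # Permit with enrichment: the extra attributes travel with the
            # request so downstream services get identity-aware context.
            return "permit", {**ctx, **p.enrich}
    return "deny", {**ctx, "reason": "no_matching_permit"}


def lambda_authorizer_response(method, path, claims, method_arn):
    """Wrap the decision in the shape an AWS API Gateway Lambda authorizer
    returns (principalId, IAM-style policyDocument, context map)."""
    effect, ctx = decide(method, path, claims)
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if effect == "permit" else "Deny",
                "Resource": method_arn,
            }],
        },
        # API Gateway only accepts string, number and boolean context values.
        "context": dict(ctx),
    }


if __name__ == "__main__":
    teller = {"sub": "u-123", "roles": ["teller"], "tenant": "bank-a"}  # constructed
    print(decide("GET", "/accounts/42", teller))
    print(decide("DELETE", "/accounts/42", teller))
    print(decide("POST", "/accounts/42", {"client_id": "batch-job"}))  # no user identity
```

The third sample request carries only a `client_id`, which is the "system account only" case the page warns about: with no user subject in the claims the authorizer denies instead of letting the service credential stand in for a person. Swapping `POLICIES` for a call to an external policy decision point is the only change needed to turn this into a real plugin.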