Shadow API Detection for Google Cloud Environments in Preview

During Google Cloud Next, Google announced the preview release of shadow API detection in Advanced API Security, part of the Apigee API Management solution. This managed API broker service in Google Cloud allows users to design, secure, deploy, monitor, and analyze APIs.

Apigee's Advanced API Security capability proactively identifies misconfigured APIs and detects malicious bot and business logic attacks. Nils Swart, a group product manager at Google Cloud, and Shelly Hershkovitz, a product manager at Google Cloud, write in a Google blog post:

Previously, this protection was only available for actively managed APIs. Now, with the ability to discover shadow APIs in Advanced API Security, you can eliminate hard-to-find blind spots and close security gaps.

Overview of Advanced API Security (Source: Google Documentation Apigee)

Shadow APIs are not under a company's control but are used by developers to save time on repetitive tasks, become less dependent on other teams, or fill a gap in the organization's existing approved APIs. Although developers may have good intentions, these unregulated APIs can pose serious vulnerabilities when allowed to function freely within the organization's software environment.

The company has recently integrated Advanced API Security with Google Cloud regional external Application Load Balancers. This integration allows for the precise identification of API traffic within specific regions, which helps to ensure compliance and meet performance requirements. The capability can extract key API details such as endpoints, platforms, protocols, parameters, and responses by analyzing requests and responses within the load balancers. This information offers accessible insights into API operations, activities, and recent updates through a provided user interface.

Detailed information on shadow API endpoints associated with your load balancer (Source: Google blog post)

Other cloud providers, such as AWS and Microsoft, offer API management services with features similar to Apigee API Management. With regard to shadow APIs:

  • AWS API Gateway integrates with AWS Web Application Firewall (WAF), which can provide a similar level of security in protecting against unauthorized and malicious API requests. Although it does not natively have a "Shadow API detection" feature, its combination of WAF and detailed logging and monitoring through AWS CloudWatch and AWS X-Ray can indirectly help identify and manage shadow APIs.
  • Azure API Management service features include Gateway-level threat protection, which can be used to identify potentially malicious activities that may involve shadow APIs. It also offers detailed analytics and logging, which can help track undocumented APIs.
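
The idea common to these approaches is to compare the endpoints that actually answer traffic against the inventory of managed APIs. The following sketch is an added example, not code from Google, AWS, Microsoft or the original article; the inventory, the log records and the function names are constructed for illustration, and the path normalization rule is an assumption.

```python
import re
from collections import Counter

# Constructed inventory of managed (documented) API operations; hypothetical paths.
MANAGED = {("GET", "/v1/orders"), ("GET", "/v1/orders/{id}"), ("POST", "/v1/orders")}

# Constructed load balancer access-log records (method, path, status); not real traffic.
SAMPLE_LOG = [
    ("GET", "/v1/orders?limit=10", 200),
    ("GET", "/v1/orders/4821", 200),
    ("POST", "/v1/orders", 201),
    ("GET", "/v1/export/users/77", 200),
    ("GET", "/v1/export/users/78", 200),
    ("GET", "/internal/debug/3f2a9c1e-5b7d-4e0a-9c3b-1a2b3c4d5e6f", 200),
    ("GET", "/favicon.ico", 404),
]

# Path segments treated as identifiers: plain integers and UUIDs (an assumption).
_ID = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def normalize(path):
    """Drop the query string and replace identifier segments with {id}."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return "/".join("{id}" if _ID.match(seg) else seg for seg in path.split("/"))


def find_shadow_endpoints(records, managed, min_hits=1):
    """Return {(method, template): hits} for answered endpoints missing from the inventory."""
    seen = Counter()
    for method, path, status in records:
        if status == 404:  # nothing answered here, so there is no backend to find
            continue
        seen[(method.upper(), normalize(path))] += 1
    return {op: n for op, n in seen.items() if op not in managed and n >= min_hits}


if __name__ == "__main__":
    for (method, template), hits in sorted(find_shadow_endpoints(SAMPLE_LOG, MANAGED).items()):
        print(f"{method} {template}  hits={hits}")
```

Each flagged operation is a candidate for review: it is either onboarded into API management or retired.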

Dan Mearls, a director of sales for Apigee Enterprise at Google, posted on LinkedIn:

Shadow APIs pose significant business risks due to their frequent lack of robust security measures like authentication and authorization protocols. This makes them vulnerable targets for hackers, increasing the likelihood of data breaches and sensitive information leaks. Additionally, shadow APIs might bypass established data handling protocols, potentially leading to violations of data privacy regulations like GDPR or CCPA, resulting in substantial fines and severe damage to an organization's reputation.

Lastly, the documentation for getting started provides more details on Advanced API Security.
