More and more companies are relying on web applications and public APIs to deliver seamlessly integrated user experiences to their customers and partners. While APIs are helping companies boost revenue, stimulate innovation and ease integration of backend data and applications, they have also introduced new security challenges. Broken, exposed or hacked APIs have the potential to reveal sensitive medical, financial and personal data. As a result, businesses are turning to dedicated tools to help protect these assets. In fact, by 2023, over 30% of public-facing web applications will be protected by cloud web application and API protection services that combine DDoS protection, bot mitigation, API protection and web application firewalls (WAFs). This represents a 300% increase from today’s levels. [1]
In the current environment, businesses face gaps in protection because most of the services used today come in the form of different point solutions for different types of threats. To help businesses overcome these challenges, Google Cloud has launched Web App and API Protection (WAAP), a security solution that provides comprehensive threat protection for your web applications and APIs. Based on the same technology Google uses to protect its public-facing services against web application exploits, DDoS attacks, fraudulent bot activity, and API-targeted threats, Google Cloud WAAP marks the shift from siloed to unified application protection.
As an exclusive Google Cloud WAAP launch partner, SADA is thrilled to partner with Google to bring this security solution to our customers’ mission-critical projects. We’ve seen our customers benefit greatly from each component of Google Cloud WAAP, and now that it’s being offered as a packaged solution, we’ll be able to bring more comprehensive security to a broader set of clients much faster.
Here are 3 reasons why businesses should leverage Google Cloud WAAP to protect their applications and APIs against threats and fraud:
1. Google Cloud WAAP is a comprehensive solution that offers increased protection
To help organizations protect against new and existing threats while keeping apps and APIs compliant and continuously available, Google Cloud WAAP combines three leading products to provide comprehensive protection: Cloud Armor, reCAPTCHA Enterprise and Apigee Hybrid—all from Google Cloud.
Google Cloud Armor: Part of Google Cloud’s global load balancing infrastructure, Google Cloud Armor provides WAF and anti-DDoS capabilities, protecting applications against the OWASP Top 10, sophisticated application exploits and both volumetric and layer 7 (L7) availability attacks.
Apigee: Google Cloud’s API management platform offers intelligent API defense by understanding the structure of API requests so it can more accurately distinguish between valid and invalid traffic. Apigee verifies API keys, generates and validates OAuth access tokens, rate limits traffic, enforces quotas and provides analytics on API trends.
reCAPTCHA Enterprise: Using an adaptive risk analysis engine to keep automated software from engaging in abusive activities on your site, reCAPTCHA Enterprise provides transparent protection from fraudulent activity, spam and abuse like scraping, credential stuffing, automated account creation and exploits from automated bots.
2. Google Cloud WAAP simplifies operations
Assembling a comprehensive solution to prevent app fraud and abuse has been a challenge for businesses. Organizations have had to settle on different point solutions for each of the various types of threats, resulting in too many point products and vendors to manage and gaps in protection. In addition, many of these products are still built for an on-prem world.
Google Cloud WAAP addresses these issues by reducing the number of vendors you need to work with to protect your apps. It also allows you to leverage integrations with existing Google Cloud management tools and supports modern and legacy deployments, enabling you to protect apps in Google Cloud, other public clouds, on-premises or hybrid deployments.
3. Google Cloud WAAP reduces costs
Having to utilize multiple vendors and point products for different types of threats results in higher acquisition and operational costs. With Google Cloud WAAP, you benefit from bundle pricing, potentially saving you 50-70% over competing solutions.
How businesses are using WAAP to address their security needs
Let’s dive into two scenarios that showcase how organizations are using Google Cloud’s WAAP solution to protect web applications and APIs:
A bank balances its security requirements with ease of use
When launching a new microservices-based payment app, a bank needs to address some security issues. Due to the architecture of the application, it exposes several APIs which need to be protected. The identity management team, fraud team, and governance, risk and compliance (GRC) team are all involved and have different priorities that need to be balanced.
| Team requirement | Google Cloud WAAP Implementation |
|---|---|
| The identity management team wants to guarantee that only legitimate users are able to log into the app. | Use Apigee to manage authentication between their applications with JSON Web Tokens (JWT), while also protecting their APIs and the entire site from DDoS attacks. |
| The fraud team wants to ensure only real/valid users are able to log in and complete transactions. Any fraudulent transactions need to be flagged as part of their fraud detection and mitigation process. | Utilize reCAPTCHA Enterprise’s advanced bot detection techniques to tell humans and bots apart. |
| The GRC team requires a WAF to be in place without the added overhead cost of managing all the WAF rules. | Use Cloud Armor as a WAF and use its managed protection capabilities to preconfigure the WAF rules. |
As you can see, by using one solution and one vendor, Google Cloud WAAP, the different teams at the bank are able to collaborate closely to meet their security requirements.
An airline manages OWASP Top 10 Web Application Security Risks
An airline is in need of a solution to protect its reservation website from OWASP Top 10 Web Application Security Risks. One of the airline’s top priorities is to prevent attackers from using leaked or stolen email addresses and passwords to gain unauthorized access (credential stuffing). Since the airline’s APIs are used by 3rd-party travel sites for making reservations, it also needs the ability to manage authentication and authorization of their public APIs.
Using the Google Cloud WAAP solution, the airline implements Cloud Armor as a WAF, Apigee as the API management layer and reCAPTCHA Enterprise to defend against credential stuffing. As the workflow below shows, for all requests being made to the airline’s reservation website, the WAAP solution is the first point of contact, detecting and mitigating bad actors at the edge before the request even reaches the airline’s backend.
[1] Gartner, Defining Cloud Web Application and API Protection Services, Jeremy D’Hoinne and Adam Hils, Refreshed 20 May 2020.