The Cequence Unified API Protection platform is a comprehensive solution that protects APIs from a wide range of threats, including data loss, fraud, and business disruption. It does this by providing continuous, real-time protection across all phases of the API lifecycle, from discovery and inventory to risk assessment and mitigation.
The Cequence Unified API Protection solution is comprised of three main modules:
- API Spyder: With API Spyder, you can quickly discover and understand your external API attack surface, including your public-facing API hosts, the environments those hosts are in, and vulnerabilities related to weak TLS certificates on those API hosts. Deploying API Spyder does not require installing any software or making configuration changes in your environment. API Spyder is offered as a SaaS service that probes your root-level domain (for example, exampledomain.com) from the outside. You can sign up for it today at https://apispyder.cequence.ai. Discovering the public API attack surface is often the first crucial step in any organization's API security program, because it reveals the overall sprawl of APIs across the organization.
- API Sentinel: This module provides comprehensive internal, external and third-party API discovery and inventory, enabling you to understand and address API risks both before and after deployment. This step provides you with API security posture management, allowing you to identify and track API vulnerabilities, assess their severity, and implement timely remediation measures to eliminate coding errors that could lead to data breaches or business disruptions. Cequence can be integrated with content-delivery networks (CDNs), API gateways, load balancers, and other public-facing deployments to discover external-facing APIs. Cequence can also be integrated with microservices ingress gateways, extended Berkeley Packet Filter (eBPF), traffic mirroring, and other internal-facing deployments to discover internal APIs. Finally, Cequence can help you discover third-party APIs that may be consumed by your internal applications by integrating with outbound connectivity via firewalls and web proxies, as well as via eBPF sensing.
Cequence's Spyder and Sentinel modules together provide comprehensive API discovery in your environment. Read more about Cequence's two-phased discovery process.
- API Spartan: This module detects active malicious or unwanted usage of your APIs by analyzing API usage, and helps defend against it by blocking, rate-limiting and taking other types of action on targeted attacks, business logic abuse, and fraud. It detects malicious infrastructure accessing your public-facing applications, malicious usage of credentials or tokens (such as in a credential stuffing attack), usage of malicious tools such as automated toolkits and botnets to access your applications, as well as malicious behavioral patterns. Policies can be defined using this module to actively block, rate-limit, insert a header, or take other forms of action on bad traffic.
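The credential-stuffing case mentioned above is a useful one to make concrete, because the signal that separates it from a legitimate user who mistypes a password is not the failure count alone but the spread of distinct usernames behind those failures from one source. The following is an added illustration, not Cequence's or API Spartan's code: the log format, the thresholds and the action names ("block", "rate-limit", "allow") are all assumptions, and the log lines are constructed for the example.

```python
"""
Illustrative credential-stuffing detection over login-API access logs,
followed by a policy decision per source IP. Added example; log format,
thresholds and action names are assumptions, not product behaviour.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: unix_ts client_ip method path status username
SAMPLE_LOG = """\
1700000000 203.0.113.10 POST /api/v1/login 401 alice
1700000001 203.0.113.10 POST /api/v1/login 401 bob
1700000002 203.0.113.10 POST /api/v1/login 401 carol
1700000003 203.0.113.10 POST /api/v1/login 401 dave
1700000004 203.0.113.10 POST /api/v1/login 401 erin
1700000005 203.0.113.10 POST /api/v1/login 200 frank
1700000006 198.51.100.7 POST /api/v1/login 401 alice
1700000007 198.51.100.7 POST /api/v1/login 200 alice
1700000008 192.0.2.44 GET /api/v1/profile 200 alice
"""


@dataclass
class LoginEvent:
    ts: int
    client_ip: str
    method: str
    path: str
    status: int
    username: str


def parse_log(text):
    """Parse the constructed space-separated format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, user = line.split()
        events.append(LoginEvent(int(ts), ip, method, path, int(status), user))
    return events


def score_sources(events, login_path="/api/v1/login", window_s=60):
    """Per source IP, within window_s of the newest event: (failed logins,
    distinct usernames attempted). Only login-endpoint events count."""
    newest = max(e.ts for e in events)
    failures = defaultdict(int)
    usernames = defaultdict(set)
    for e in events:
        if e.path != login_path or e.ts < newest - window_s:
            continue
        usernames[e.client_ip].add(e.username)
        if e.status == 401:
            failures[e.client_ip] += 1
    return {ip: (failures[ip], len(usernames[ip])) for ip in usernames}


def decide_action(failed, distinct_users, block_users=5, block_failures=5,
                  limit_failures=3):
    """Policy decision (assumed thresholds). Many failures spread across many
    accounts from one source looks like stuffing -> block. Many failures on
    one or two accounts looks like a forgetful user or a targeted guess ->
    rate-limit rather than lock the legitimate user out."""
    if failed >= block_failures and distinct_users >= block_users:
        return "block"
    if failed >= limit_failures:
        return "rate-limit"
    return "allow"


def evaluate(text):
    """Map each source IP seen on the login endpoint to a policy action."""
    scores = score_sources(parse_log(text))
    return {ip: decide_action(f, u) for ip, (f, u) in scores.items()}


if __name__ == "__main__":
    for ip, action in evaluate(SAMPLE_LOG).items():
        print(ip, action)
```

In the sample, 203.0.113.10 fails five times across six different usernames and is blocked, while 198.51.100.7 fails once and then succeeds on the same account and is allowed; the profile request from 192.0.2.44 never reaches the scorer because it is not a login. In a real deployment the window would be sliding and the thresholds tuned per endpoint, and the "insert a header" action the page mentions would typically be used to tag rather than drop borderline traffic so that downstream systems can apply their own handling.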
Deployment
Cequence Unified API Protection follows a hub-and-spoke deployment model that centralizes API management and security controls in a central hub, while spokes handle distributed API traffic. This architecture is designed to address the challenges of securing a large number of APIs spread across multiple locations.
Deployment Components
The UAP Platform runs at the hub, performing continuous, multi-dimensional analysis of all API transactions using a fast and efficient single-pass architecture.
The spokes are the data-plane components and are deployed anywhere in the path of API transactions, all the way from the CDN to a sidecar in the application pod. These components come in a variety of flavors.
- Cequence Defender: Defender, a reverse proxy, is deployed directly in the path of an organization's API traffic. This active deployment approach mandates that all API requests pass through Defender, enabling it to enforce API policies, filter out malicious traffic, and provide real-time threat detection and mitigation. While active deployment offers the most comprehensive API protection, it can introduce some latency into API requests. Cequence has optimized the Defender to add minimal latency in most inline deployments, typically no more than 8-10 milliseconds per request+response transaction. Defender is typically used to integrate with other inline components, such as API gateway proxies, CDNs, load balancers and web proxies.
- Cequence Sensor: Cequence's Sensor is passive and is deployed out-of-band, meaning that it does not interfere with API traffic. Instead, it monitors API traffic and collects data that can be used to identify and mitigate threats. Passive deployment is less effective at threat protection than active deployment, but it does not add any latency to API requests. Sensor is typically used to integrate with passive technologies, such as traffic mirroring and TAP/SPAN ports.
- Cequence Bridge: The Cequence Bridge aggregates traffic from multiple sources and sends that traffic to the Cequence UAP platform. Cequence Bridge is included by default within the Sensor and Defender. When you deploy Cequence Sensor or Cequence Defender, you do not also need to deploy Cequence Bridge. Cequence Bridge is particularly useful when integrating with API Gateway plugins, such as the MuleSoft policy plugin or the Apigee Shared Flow. These integrations cannot perform sensitive data masking themselves; Cequence Bridge masks this data before sending it to the Cequence UAP platform.
- Cequence eBPF Sensor: The Cequence eBPF sensor is a specialized sensor that uses eBPF (extended Berkeley Packet Filter) technology to integrate with applications. The Cequence eBPF sensor also includes Cequence Bridge functionality by default.
- Third-Party Native Integrations: Cequence can natively integrate with a wide range of CDNs, load balancers, ingress controllers and API gateways as a side-band callout mechanism, providing an alternative to Sensor-based deployment.
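The masking step described for Cequence Bridge is worth seeing in miniature, since any spoke that forwards captured transactions to a central hub faces the same problem: the hub needs enough of the transaction to analyze it, but credentials, session cookies and payment data must never leave the spoke in the clear. The following is an added example, not Bridge's implementation: the transaction layout, the list of sensitive header and field names, the "keep the last four characters" masking rule and the sample transaction are all assumptions constructed for illustration.

```python
"""
Illustrative masking of sensitive data in a captured API transaction before
it is forwarded from a data-plane spoke to an analysis hub. Added example;
transaction layout, field lists and masking rule are assumptions.
"""
import copy
import json
import re

# Assumed lists; a real deployment would make these configurable per API.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_FIELDS = {"password", "token", "ssn", "card_number", "cvv"}
# Crude PAN detector: a run of 13-19 digits anywhere in a string value.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_value(value):
    """Blank all but the last 4 characters so analysts can still correlate
    the same token across transactions without seeing it."""
    s = str(value)
    if len(s) <= 4:
        return "*" * len(s)
    return "*" * (len(s) - 4) + s[-4:]


def mask_cookie(value):
    """Mask each name=value pair; bare attributes (HttpOnly, Secure) are kept.
    Attribute values such as Path=/ get masked too, which is conservative."""
    parts = []
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        parts.append(f"{name}={mask_value(val)}" if sep else name)
    return "; ".join(parts)


def mask_header(name, value):
    lname = name.lower()
    if lname not in SENSITIVE_HEADERS:
        return value
    if lname in ("cookie", "set-cookie"):
        return mask_cookie(value)
    if lname == "authorization" and " " in value:
        scheme, cred = value.split(" ", 1)
        return f"{scheme} {mask_value(cred)}"  # scheme is useful for analysis
    return mask_value(value)


def mask_json(obj):
    """Recursively mask sensitive keys and PAN-like digit runs in strings."""
    if isinstance(obj, dict):
        return {k: (mask_value(v) if k.lower() in SENSITIVE_FIELDS else mask_json(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_json(v) for v in obj]
    if isinstance(obj, str):
        return PAN_RE.sub(lambda m: mask_value(m.group(0)), obj)
    return obj


def mask_transaction(txn):
    """Return a masked deep copy; the original capture is left untouched."""
    out = copy.deepcopy(txn)
    for side in ("request", "response"):
        part = out.get(side, {})
        part["headers"] = {k: mask_header(k, v) for k, v in part.get("headers", {}).items()}
        body = part.get("body")
        if body:
            try:
                part["body"] = json.dumps(mask_json(json.loads(body)))
            except ValueError:  # not JSON: still scrub PAN-like runs
                part["body"] = PAN_RE.sub(lambda m: mask_value(m.group(0)), body)
    return out


def body_field(txn, side, key):
    """Convenience accessor: decode a JSON body and return one field."""
    return json.loads(txn[side]["body"])[key]


# Constructed sample transaction (values are made up for the example).
SAMPLE_TXN = {
    "request": {
        "method": "POST",
        "path": "/api/v1/payments",
        "headers": {"Authorization": "Bearer eyJhbGciOi.abc.def12345",
                    "Content-Type": "application/json"},
        "body": json.dumps({"card_number": "4111111111111111", "cvv": "123",
                            "amount": 42.5, "note": "pay 4111111111111111 again"}),
    },
    "response": {
        "status": 200,
        "headers": {"Set-Cookie": "session=abcdef123456; HttpOnly"},
        "body": json.dumps({"ok": True, "receipt": "r-77"}),
    },
}

if __name__ == "__main__":
    print(json.dumps(mask_transaction(SAMPLE_TXN), indent=2))
```

Two design points matter here. Masking happens on a copy so that the inline path (a Defender, say) can still act on the real request while only the masked copy travels to the hub, and the free-text scrub of PAN-like digit runs catches card numbers that land in fields nobody listed as sensitive, which is where masking schemes based purely on field names tend to leak.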
The best deployment option for you will depend on your organization's specific needs and requirements. If you need the most comprehensive protection for your APIs, the Defender-based active deployment is the best option. However, if you are concerned about latency, then passive deployments like Sensor and Third-Party Native Integrations may be a better choice.
Deployment Options
Cequence offers a variety of deployment options for its API security solutions to accommodate different organizational requirements and infrastructure setups.
UAP Platform
- SaaS (Software as a Service): In a SaaS deployment, UAP is hosted and managed by Cequence itself, eliminating the need for organizations to install and maintain hardware or software on their premises. This option is ideal for organizations that prefer a cloud-based solution with minimal upfront investment and ongoing maintenance responsibilities. SaaS deployment also provides scalability and flexibility, allowing organizations to easily adjust their service levels based on changing needs.
- On-Premises (Self-Install): For organizations that require greater control over their infrastructure and data or have specific regulatory compliance requirements, on-premises deployment is a suitable option. In this model, UAP is installed and managed within the organization's own data center or cloud environment. This approach provides greater customization and control over the deployment and configuration of the security solution. However, it also requires the organization to allocate resources for hardware, software maintenance, and ongoing support. Quickly get started with a UAP Virtual Appliance at Getting Started - UAP Virtual Appliance
- Hybrid: In a hybrid deployment, Cequence manages the UAP platform as SaaS and the traffic sources (the Cequence Defender or Cequence Sensor components) send traffic to the Cequence UAP platform from an environment you manage. A hybrid deployment enables you to send traffic from multiple Defender or Sensor instances to the same Cequence UAP platform instance.
Defender
- SaaS (Software as a Service): In a SaaS deployment, Defender is hosted and managed by Cequence itself, eliminating the need for organizations to install and maintain hardware or software on their premises. Defenders are available as a public edge for API clients, or as a hop or upstream in the path of API transactions.
- On-Premises (Self-Install): This is suitable for environments where the APIs are deeply rooted in customer environments and are not publicly facing. Quickly get started with a Defender Virtual Appliance at Getting Started - Defender Virtual Appliance
Sensor
- SaaS (Software as a Service): This option is not applicable for most customer deployments.
- On-Premises (Self-Install): This is suitable for environments where the APIs are deeply rooted in customer environments; the Sensor integrates with customers' TAPs, where it can get a copy of the API transaction. Quickly get started with a Sensor Virtual Appliance at Getting Started - Sensor Virtual Appliance
Third-Party Native Integrations
Cequence can integrate with most third-party SaaS or on-premises API gateways, CDNs and load balancers using a drop-in, native integration.