API Sprawl Problem Turns into API Intelligence Solution for Data Management Vendor Informatica
How Traceable identifies all APIs and unique API behavior to discover and secure sensitive data flows across multiple public clouds.
Customer: A top provider in enterprise and cloud data management, Informatica helps companies transform far-flung data from raw information into innovative shared knowledge.
Challenge: Informatica needs full API discovery and protection that spans three public clouds: AWS, Microsoft Azure, and Google Cloud Platform (GCP).
Solution: Traceable provides the API discovery and risk posture management that Informatica requires, dynamically working across clouds and legacy/Kubernetes environments to reveal all APIs, the data flowing through them, and their detailed risk exposure.
60+ FTE hours saved weekly
70% greater API visibility
$100k/year saved by eliminating security development costs
Spans two environments and 3 cloud solutions: AWS, Azure, and GCP
Dashboard delivered ERM support 25% faster than projected
Creates a bridge between developers and security teams
Cloud Security team struggles to maintain APIs
Security leaders face increasingly complex challenges in cataloging and securing the APIs and data transmitted through multiple clouds and legacy environments. With microservices and multi-cloud complexity extending the boundaries between internal and external API use, API sprawl makes securing and managing data even more complex. The result is both API sprawl and blindness to API data flows, which creates risk not only in managing and securing APIs but also in preventing the data loss that may occur as a result of unknown and unchecked API vulnerabilities.
API discovery and API attack protection are key not only to understanding API risk and evaluating your attack surface, but also to understanding the scope of data usage across multiple clouds. Traceable’s API Catalog discovers all APIs and the sensitive data that flows through them, and enables protection of data across multiple clouds from a variety of threats.
To solve for API sprawl, and to gain visibility into sensitive data flows, Informatica sought a consolidated API security platform to deliver API discovery and risk posture management at enterprise scale. According to Pathik Patel, Cloud Security Leader at Informatica, their security engineers needed deeper insights into API behaviors. “Moving at variable speeds, the security engineers were challenged with validating information, such as what changes have occurred in APIs, what assets we use, what data flows through those APIs, and how to immediately protect them.”
Facing the pains of managing their dynamic cloud security in an agile environment, the Informatica cloud security team developed makeshift methods using web application firewalls (WAFs) to gain visibility into their infrastructure. However, the WAF approach was inefficient, expensive, and time-consuming.
Cloud Security Leader, Informatica
“Now, we don’t have to worry about sending that data to our log management system. We can rely on Traceable to help us find API abuse and bad actors while also giving us an API catalog spanning all three of our clouds and both our environments.”
Without an API discovery solution, visibility into their APIs was a manual process, and therefore, incomplete. Informatica had four people internally managing their WAF and API security needs, two for WAF and two for API security, each person spending roughly 50% of their time on these projects — or a combined 80 hours per week.
According to Patel, “We relied on our log management system and through that, inferred all URLs accessed and attempted to create a catalog of our APIs.” Pathik elaborated, “Next, we used basic log management rules to identify bad actors and events. Covering the OWASP Top 10 using such a Security Information and Event Management (SIEM) tool was a labor intensive, needle-in-a-haystack situation. We have huge data sets coming in, our log monitoring system records roughly one terabyte of web application logs daily. It’s a labor pit.”
Tracing down the best solution for multi-cloud API discovery and protection
The company identified the need for a solution that would support three clouds and two environments. Patel explained, “Informatica itself is a multi-cloud company. So, we are in AWS, Azure, and Google as of today. We needed a single tool that spans all three clouds, while integrating with both our Kubernetes (K8s) environment and legacy VM based environments.”
Their initial search for a better way to solve these issues began three years ago, but their search stalled due to an immature API security market. “We started with the AWS WAF offered as a part of AWS services, but we recognized that we would still have a gap for our Azure/GCP deployment,” said Patel. They fell back into their time-consuming, onerous WAF measures as a stopgap.
Then, two years after their initial search, they decided to look again for a dedicated and combined API discovery and protection solution. They hoped to “kill two birds with a single stone. We would deploy one tool to get everything: discover all APIs, see changes to APIs, and see what data flows through them,” explained Patel.
Informatica evaluated Akamai, Radware, Imperva, Signal Sciences, and Traceable. The company determined Akamai only “informed them of external APIs and lacked detailed API intelligence,” said Patel. Imperva was an appliance-based approach, and Patel found that it “is not a true SaaS experience, so we avoided that as it will add operational cost of managing appliances in our environment.” AWS and Radware only offered point solutions, such as supporting only legacy environments or Kubernetes, or existing only in AWS. “Signal Sciences offered insufficient protection, with limited WAF coverage and zero API Protection,” he said.
Traceable provides full-coverage API catalog and protection across multi-cloud
The company then turned to Traceable. According to Patel, “One of the major differentiating factors in favor of Traceable was the ability to support many different environments, rather than operating as a point solution. The ease of deployment across all the clouds and all the environments was a major selling point.”
Additionally, Informatica found the level of deep insights on data flow to be a boon. “The data we got from Traceable blew our minds! It was super-detailed information about which APIs are communicating and the data flow,” he said. “What really impressed us was the ability of Traceable to crunch the data.”
Processing a large amount of data daily, Informatica suffered a high cost of infrastructure and labor. However, Traceable negates much of the cost. According to Patel, pointing the data at Traceable “nullifies and replaces our previous infrastructure and labor investment with our log management system.”
Once Informatica deployed Traceable, overhead was drastically reduced, saving 60 hours of labor weekly. Patel clarified that “as of right now, we only have one engineer responsible for managing WAF rules and evaluating quality assurance (QA).” By saving 75% of the hours they used to spend on inefficient security measures, Patel is able to better allocate his team’s time.
Patel was also impressed by the ease of visibility into his API infrastructure. Prior to Traceable, he estimates that he had 20% visibility, at best, and with Traceable he estimates his visibility at over 90% and increasing as the Traceable deployment expands. Patel said, “The visibility that Traceable provides was previously difficult to create. We now have that visibility all through our Traceable dashboard.”
Minimizing multi-cloud security risk with API data
Informatica prioritizes risk management, and finds in Traceable “a system readily available to protect us from any bad actors and risks that arise.” Informatica perceived ROI even during their proof of concept (POC), when Traceable was deployed in their QA environment but not in their production environment. When the Log4j vulnerability came out, the team at Informatica began their usual processes, following traditional protection methods. Patel said, “During that time, the Traceable team reached out to us and showed us all the Log4j-related events that they saw in our QA environment.”
According to Patel, it made an immediate impression of value. “It shows exactly where the labor cost comes in. On our side, our engineers were determining various queries to write for Log4j detection across the full gamut of our production and deployment. Traceable replaced that need and gave us a dashboard, eliminating labor costs associated with building data and queries,” he said. “In the future, when similar things happen, we won’t have to spend 24-plus-hours digging into our data. We will rely on our Traceable dashboard.”
Above and beyond – a frictionless experience
In addition to solving their multi-cloud API security concerns, Traceable’s ability to overcome obstacles was a major selling point for Informatica. According to Patel, “all of our vendors had to support us for Enterprise Risk Management (ERM). Some of the vendors we considered told us it would take roughly six months to support this.”
“Traceable estimated one month, and actually delivered the fix within three weeks,” he said. Such flexibly provided solutions give the Cloud Security team a sense of “transparency with the Traceable team [that] we are very impressed and happy with. Traceable provides a capable team which quickly understands our problems and gives answers; this transparency builds trust.”
Moreover, according to Pathik, “Deployment was easy. That was positive for our security engineers, because typically security engineers suffer many cycles in determining how to deploy new software. Traceable keeps the development team happy.”
With Traceable, Informatica found a comprehensive solution without sacrificing any of their must-have features. With a solution deployable across all of their clouds and environments, Informatica now catalogs and protects their entire API use infrastructure with unprecedented confidence and speed. Using API Catalog, they are able to secure the flow of data across their cloud and legacy environments.
Patel anticipates an even greater reduction in time constraints in the future: “If a new threat comes out, Traceable identifies it and provides a detailed dashboard that tells us all the events, bad actors, and IP addresses associated.” Rather than spending valuable time trying to figure out what and where to add protections, the Traceable dashboard offers a resource that Patel believes enables them to “start protecting with just one click. Traceable has the data, we convert that into rules and start blocking right away.”