How to Prevent Sensitive Data From Leaking in API Gateway

Wei Liu

March 3, 2023

Technology

Why Do We Need to Protect Sensitive Data

Sensitive data, also known as confidential data, mainly refers to data that may cause huge complications to businesses, governments, and individuals when leaked, including but not limited to business operation data, personal identity information, etc.

For enterprises, sensitive data is directly linked to the information security of enterprises. For example, leaking sensitive information such as keys and certificates can have a devastating effect on an organization’s reputation, financial loss, and may even result in legal liability.

For individuals, sensitive data leaks can reveal everything from social security numbers to banking information, theft of your identity can harass you with advertisements, ruin your credit, pin you with legal issues, and engage in all types of fraud under your name.

What Kind of Sensitive Data Is in the API Gateway

As the entrance of business traffic, the API gateway often contains a large amount of sensitive data, such as API keys, tokens used for authentication, etc. Therefore, improving security and preventing sensitive data from leaking is also a critical aspect of the API gateway in addition to the basic load balancing and traffic routing features.

Sensitive Data

How Does API Gateway Protects Sensitive Data

The general idea is as follows:

  1. Put sensitive data in a protected area and strictly control access rights

  2. Improve the risk control system to manage the risk of abnormal behavior and business compliance

  3. Desensitize or encrypt sensitive data

Next, we will take Apache APISIX as an example to show how to protect sensitive data in API Gateway.

Apache APISIX's Practice in Protecting Private Data

Apache APISIX is an open-source project of the Apache Software Foundation and is currently the most active open-source gateway project. As a fully dynamic, real-time, high-performance open-source API gateway, Apache APISIX provides rich traffic management features like load balancing, dynamic upstream, canary release, circuit breaking, authentication, observability, etc.

In addition, users can customize the functions of Apache APISIX by writing their own plugins. Thanks to the active community and increasing developers, the number of Apache APISIX plugins grows every day, some of which carry sensitive information, such as jwt-auth plugin configurations secret and private_key. We need to use encrypted storage to prevent these data from being obtained illegally.

In order to enhance the security of APISIX and better protect users' privacy, APISIX introduced the Global Data Encryption function in version 3.1.0. When developers develop new plugins with this function, the developers only need to specify the data to be encrypted in the schema, then APISIX will automatically encrypt and store it when writing to the control plane, and automatically decrypt it when the data plane reads it.

Global Data Encryption

Let's take a look at a concrete example.

When Data Encryption Is Not Enabled

  1. Send configuration
curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
     "username": "foo",
     "plugins": {
         "basic-auth": {
             "username": "foo",
             "password": "bar"
         }
     }
}'
  1. The state of sensitive data in etcd
etcdctl get /apisix/consumers/foo
{"username":"foo","update_time":1675414313,"create_time":1674009211,"plugins":{"basic-auth":{"username":"foo","password":"bar"}} }

We can see that the password field is stored in plain text, and it can be compromised easily

When Data Encryption Is Enabled

  1. Enable data_encryption in config.yaml:
apisix:
     data_encryption:
     enable: true
     keyring:
         -edd1c9f0985e76a2
  1. Enable plugins that support data encryption, here we user basic-auth as an example
curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
     "username": "foo",
     "plugins": {
         "basic-auth": {
             "username": "foo",
             "password": "bar"
         }
     }
}'
  1. Testing the plugin
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
     "methods": ["GET"],
     "uri": "/get",
     "plugins": {
         "basic-auth": {}
     },
     "upstream": {
         "type": "roundrobin",
         "nodes": {
             "httpbin.org": 1
         }
     }
}'

Access success

curl -i -ufoo:bar http://127.0.0.1:9080/get
HTTP/1.1 200 OK
...

Access failed, password error

curl -i -ufoo:test http://127.0.0.1:9080/get
HTTP/1.1 401 Unauthorized
...
{"message":"Invalid user authorization"}

The plugin is functioning properly

  1. The state of sensitive data in etcd
etcdctl get /apisix/consumers/foo
{"create_time":1674009211,"update_time":1674009211,"plugins":{"basic-auth":{"password":"+kOEVUuRc5rC5ZwvvAMLwg=","username":"foo"}},"username": "foo"}

We can see that the password field has been successfully encrypted, even if the data is leaked, hackers can't use it.

Summary

The API gateway contains a lot of sensitive data, so it is necessary to take effective measures to protect the data. This article uses APISIX as an example to introduce how to protect sensitive data with the Global Data Encryption function to ensure that it will not allow any sensitive data stored in plain text, so that even if all the data stored in etcd is compromised, it will not cause sensitive data leakage, thus effectively improving the security of APISIX.

At the same time, in addition to encrypting sensitive data, APISIX also supports putting sensitive information directly into third-party services, namely Secret Manager, which further improves security.

I hope that this article helps you to learn more about how to protect sensitive data in the API gateway and ensure information security in businesses.

Tags:
APISIX BasicsData SecurityAPI Gateway Concept