We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Cloudflare today unveiled a new tool in its suite of security offerings, the Cloudflare API Gateway, which seeks to simplify the protection of increasingly prevalent application programming interfaces (APIs).
The solution also aims to feature a significantly lower price point than many of the other API security products now on the market, which could go a long way toward “democratizing” API security for the market, Cloudflare CTO John Graham-Cumming told VentureBeat.
In the era of ubiquitous use of web and mobile applications, “so much of what we’re doing is API-driven,” Graham-Cumming said in an interview. “And those APIs need protecting, and they need analytics around them. And the solutions that are out there are extremely expensive.”
While Cloudflare has essentially “always” offered API security — more than 50% of requests that go through Cloudflare’s system are for APIs — the API Gateway solution packages together a number of previously existing capabilities to simplify things for users, he said.
Key use cases for the Cloudflare API Gateway include detection and prevention of API abuse, utilizing the company’s machine learning (ML) engine to automatically analyze API traffic to identify and block abuse issues.
Other capabilities include automatic detection of unmanaged APIs; creation and management of APIs directly via the Cloudflare Workers serverless application platform; offloading of authentication and authorization (with support for OAuth 2.0 and other protocols); and routing/logging/measurement of API requests.
In short, “we brought together many of the things that Cloudflare does in terms of security, in terms of routing of requests, and we put it together into an API Gateway,” Graham-Cumming said.
As APIs have grown, they’ve quickly turned into a popular target for attackers. Several API security vendors reported a surge in API-based attacks last year. And Gartner has forecast that as of this year, the vast majority of web-enabled apps — 90% — will have more surface area exposed for an attack in the form of APIs than via the human user interface.
Apart from Cloudflare, major providers of API security solutions include Cloudflare rival Akamai, as well as F5, Noname Security and Cequence Security. Other API security vendors include Wallarm, StackHawk, Apigee (Google Cloud), Salt Security, Check Point, Data Theorem, 42Crunch, Imperva, Neosec, Ping Identity and Traceable, according to G2.
The Cloudflare API Gateway aims to differentiate from other offerings on the market because it’s “fully integrated with the Cloudfare platform,” Graham-Cumming said. “And so, as well as protecting the API, you’ve also got the DDoS protection, which we give away as unlimited and unmetered within our product. You’ve also got the SSL/TLS and the DNS management. And I think once you put it all in one place, it just reduces the complexity enormously.”
Importantly, “all anybody really cares about with their API is what the API actually does — because they’re building a product with that API,” he said. “So this lets you offload all the security worries onto us.”
The Cloudflare API Gateway also stands out by being “fairly priced,” in comparison to other, more-expensive API security solutions being offered currently, Graham-Cumming said.
Once customers see what Cloudflare is offering in API security, “we would expect people to move away from the high-price solutions that are out there,” he said.
API security is one of several areas in the cyber market where Cloudflare is currently expanding its efforts in a major way.
Other areas include email security — which Cloudflare is bolstering with its planned acquisition of Area 1 Security, announced in February. Meanwhile, the company’s push into security for software-as-a-service (SaaS) applications has been driven in part through the acquisition in February of Vectrix.
The startup brought technology that serves as a “modern” equivalent of a cloud access security broker (CASB) solution, with dramatically simplified deployment compared to most existing tools, Cloudflare cofounder and CEO Matthew Prince said in an interview with VentureBeat last month.
Ultimately, Cloudflare is seeking to become a top player in the realm of secure access service edge (SASE). Cloudflare’s SASE offering, the Cloudflare One platform, represents the direction that the company — known for its global network that enables strong security and performance for web properties — is most focused on now, Prince has said.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.