Everybody. Hello. Welcome to another segment during security week 2022 here at Cloudflare. My name is Dan Gould on the product marketing team. I'm joined by one of my favorite people at Cloudflare, Ben Solomon. And Ben, what's going on? Hey, it's good to see you. You're one of my favorite people as well, so I'm so excited to be here. I was I was doing a segment earlier today on Cloudflare TV, and I feel like I'm pulling double duty now. So I'm warmed up, I'm ready to go. And we're talking about APIs today, so I'm excited. We are. Indeed we are. Well, before we dive into APIs, let's talk about security week. It's really exciting. Tons of innovation. Has there been a piece of news or innovation that stood out so far? A favorite, maybe. So I'm going to give you a boring answer, but it means a lot to me. So there's all these exciting, sophisticated, technical things that we've released this week, whether it's an email security or anything else. Right. And the announcement that actually means the most to me is the reorganization we've done within our security tab. So the security tab used to be called firewall. There are all these things that were sort of stacked underneath it. There were firewall rules that were managed rules. There are custom rules, all these different things. Right. And as someone who I'm a product manager in security, as someone who works there, it drove me insane that I had to click through all of these tabs all the time. And now we've kind of rebranded it and republished it in a way that makes sense conceptually for using the product. So I've already found that even as I'm clicking through the dashboard, I'm just so much happier that the things that I work on live in a unified space. So I'm thrilled we're doing all the other technical stuff, but that's a quick win that's made my life easier. How about you? So I'll share three quick ones, actually, since there's these weeks that are an embarrassment of riches, as we all know now, recently we announced our intent to acquire a company called Area One in sort of the advanced email threat space phishing, if you will. And on Monday, we began to discuss our plans to incorporate Area One's protections, particularly against advanced phishing for all of our customers. And that's critical because we know email is a really important attack vector that attackers look to exploit. Right. To get a foothold in organizations then pivot from there. So the fact that we're going to extend better I think more advanced email protections for all of our customers is really powerful to really complement what they're already getting from their cloud email providers. My cloud email providers are pretty good at spam and viruses, but the advanced phishing, they still there's a gap there. They struggle. And the fact that we're helping our customers fill that gap, given how critical that is to security, is really cool. So there are a couple of other ones though. Machine learning detections in our WAAF friendly bots making it dead simple to allow less any bot right for your organization. There's a lot of cool stuff, but I think the email security really stands out given how critical that is to enterprise security postures. Right. But it turns out today then there's big news, an API gateway. And so in a nutshell, I guess that is basically what we're going to do to build API shield, correct. Which is what we're doing to secure APIs into something more. Is that right? Yeah. Yeah, that's right. And first of all, I won't be offended that friendly bots wasn't your favorite announcement of the week. It's fine. That's won't keep me up at night. I do love friendly bots. You're right. We have announced today that Cloudflare is going to be launching an API gateway. Right. And so if you're familiar with our other products, you've seen we've had API shield for some time, which is a set of security products. But before we get into all that is it may be useful if we talk about what APIs are to begin with. That makes sense. That makes sense. And how do you think APIs, what are they say? Apis. So it's interesting because APIs can get very technical very quickly. Right. And so there's a lot of folks out there who hear the term API. They go, Oh yeah, I totally know what it is. And they kind of move on. And I was that way for a long time, right? You're going through college or studying computer science or something? Sure. I know what APIs are. I'll give you some real world examples that will hopefully help explain this. The first one is an example of non API traffic. Right? So when I go online, I might make any number of regular human requests. Maybe I want to read an article online. And so I might type in cnn.com. I hit enter and then that request is sent off into the Internet. And so this is a human prompted request that exists at sort of a low scale on the Internet. And it's normal. It's not API. A web request. Right, a Web request. Now, there's another type of request that we're seeing more and more often, which is API, right? When I go for a run, for example, I'm using Strava on my phone and so I'm running, I'm running and Strava is constantly updating my location in the cloud, right? It's sending that location up to a server somewhere and doing it, who knows, maybe multiple times a second. Now when I'm running, I am not constantly going. Update, update, update. I send my location over and over again. No, these are requests that are prompted by the software on my phone. So my phone is constantly actually making those requests on its own volition. Those kinds of requests are API requests and again, we're seeing them all over the place. So when you go to pay for something. At a coffee shop. Often there are API requests in the background that are contacting the credit card maker and the actual company that you're buying something from. There are all of these different API requests which are woven into the things around us. Yeah. And for sure. I feel like I hear you say that to a large extent. Api is drive modern business, right? I mean, you think about mobile apps, right? And everything they're doing, they're largely driven by APIs, IoT. I mean, the growth in IoT is incredible. So to a large extent, modern business is driven by it, by APIs more and more. And what's know I'll add to that and something that's come up internally as we talk about APIs is almost the different flavors of varieties that we see of API. So not all created equal or with the same intents. Some are designed to let internal systems exchange information, exchange data maybe stay behind the firewall. Right. There are other sort of business API or partner APIs and these are maybe what, similar to what you were just talking about. Right. Say, if we're building a ride sharing app, for instance, we want to we want to roll in mapping capabilities or payment processing, the ride sharing app companies not necessarily going to build their own mapping software. Right, or build their own payment processing. They're going to borrow that and really slot that in via APIs, that functionality. And so those are sort of partner APIs, right, where the mapping company will make it available to ridesharing apps or anybody else as a business partner, say. And then also there's sort of last category we think of as more public API isn't really meant for anybody who would like to consume that data is able to do so. And I think an easy example is like a weather service. It's basically meant for anybody on the Internet who wants to consume that weather service. They merely register, become sort of an official developer to get their API keys, etc. and then they can, they can consume that data. So. There are private business and public APIs that I think when we think about them all together, we realize just how important APIs are in the world in driving modern business. Right, right. And they're only becoming more popular. Right. By the way, if you and I ever go into business in a ride sharing app, we're going to have the best APIs in the game. It's going to be amazing. Note to Self. I need to figure out how to send you a watch for your runs. So I've heard those are good. And by the way, we have companies that make running watches that have APIs built in that are using things like API, Gateway and Bot management to protect it. So it's it's a fascinating area. We should talk a little bit about trends. Yeah. The big one that stands out to me is that over half of the traffic on our network now is API traffic, which is crazy because it wasn't this way five, six years ago. Right? It wasn't even close. And so we are just seeing this number creep up over time and really no signs of slowing down. And you know, when we say APIs, we're driving business really exaggerated like and Ben, I think I saw that same that you did I think this is from the first week of December we took a measure and was it 54% of total requests were headed to an API endpoint. Yeah. Yeah, that's. Right. That's that's real traffic. More than half. And we, we do see a fair amount of traffic in the world. So this is this is real. This is, you know, these are APIs they're driving business and they really deserve. And we'll talk about this dedicated security and more dedicated management. And there's another stat we looked at that, in fact, they're growing much, much faster than web traffic, which probably won't surprise anybody. And I think if memory serves, we see industries like cryptocurrency growing really quickly, like gaming and even banking and retail. Other sectors that more and more are relying on mobile traffic, mobile applications, pushing more API traffic or pushing more API endpoints in production. Sure. Yeah. And it's the other thing that's that's fascinating to me is, look, I spent the last two years working on our bots team helping to build out bot management so that we can detect bad bots on the web. In a lot of ways, APIs are the answer to that. They're automated services that are often used for good purposes, right? They're not necessarily good in the sense that they're powering search crawlers and good bots on the web, but they are well intentioned services that are leveraging the scale of automation. So there's a lot of cool stuff here and I'm glad folks are finally leaning into the good side of this because we don't love the bad bots quite as much. Yeah, indeed. Indeed. So that said, we think about today's news. Maybe we can sort of start thinking a little bit about this notion of an API gateway, you know, for starters, how do you in your mind, how do you think of an API gateway? So this is a term that's used. Gateway is used very broadly across the industry, right? You've seen folks who have built out API gateways that are focused on authentication or focused on creation of APIs to offset Cloudflare. A gateway is a one stop shop for everything that your API needs, right? This is a place where you can come to implement security roles for your APIs. It's a place where you can help manage your different APIs, discover them, do authentication, quota management, all of that stuff right in one place. And so that's the vision behind API Gateway. It's just that there's all these different things you may have been outsourcing before to different individual features, and we want to do it in one spot. Does that make sense? It does make sense. And I think we have heard this from organizations who rely on us as a reverse proxy. Right. And so we accept traffic on their behalf. And that being the case, we can really look after their APIs, you know, from security to monitoring to management. Everything you just said, given the fact we're already, you know, this reverse proxy, they really rely on and trust. And so I think this API gateway vision makes sense right now when we think about distinguishing our API gateway from maybe other sort of offerings on the market, what do you think would make ours or what does make ours a little bit different? So the first one I always talk about is the fact that it's faster, right? And we have an inherent advantage in that. If you're already using Cloudflare as a reverse proxy, your traffic is already coming to us. Right. And so if today's hop looks like request goes to Cloudflare, goes to your API gateway goes to somewhere else, we can just eliminate the API gateway. It doesn't need to happen if you can do everything at Cloudflare's Edge. And so building that gateway in house, allowing you to do everything within Cloudflare is a major, major speed improvement. Forget about the fact that we can run a lot of the detections faster. It's actually reducing that distance that makes us so much better. And I mean, look. I think Proxy is right. They might have sort of an API gateway and then Cloudflare. It's just right together. It's a pain. It's consolidation, and you're in product marketing. You probably see this with other products as well. I know we talked about it with bot management, but eliminating those extra hops is often a big speedbump. Indeed, indeed, indeed. And that's something that obviously when we think about any API, gateway speed will be critical to us. It is for all of our products and API. So probably even more critical now, do you think, given the fact that we can consolidate, we can do more from our platform? I think making this cost effective so organizations aren't gouged by an API gateway company, I think that's something we'd also bear in mind. What do you think? Yeah, I think that was a good transition. By the way, this is an important thing for us to hit on. The cost is everything here, right? If you're spending tons of money for some other service that's not built into Cloudflare, it's maybe not the best use of your money. Right, because we could be doing things for much cheaper within house. And so one of the things we're trying to do here is just offer the same set of features. Actually, they're a little bit better, but offer those same set of features for less money than you're currently paying. And we've done this with other things. You've seen the R2 announcement that the Cloudflare has made. This is just the same thing applied to API security and an API gateway. Yeah, totally. Totally, totally. So you mentioned features and I think we will have obviously all the necessary API gateway features that my organization would expect. In fact, we'll do things a little differently. Probably have a few new ones, new, interesting ones. When we think about the different sort of areas that an API gateway should include, I can think of a few and maybe, you know, security is probably a key one to start with. And that's something that that we've thought a lot about for the better part of a decade. That's right. Security is everything to us. And so we've laid out a couple of different sets of features. I think you kind of categorize them well, which is like there's a security set of features within the gateway there. There's a management and monitoring set of features within the gateway. And then there's kind of everything else which are like the SSL, TLS that we've been doing for years and all that stuff, right? So those are the three big categories we break them down into. Probably make sense if we're going to discuss them. To start with security, just because that's kind of our focus. Let's do it. Okay. So I can start by breaking them down. Is it helpful? Maybe I'll walk you through feature by feature. Yeah, let's let's talk about that. And again, this is our API shield which is available today protecting API endpoints in production. And so we would encourage organizations if you are more and more API centric, talk to us about API shield, then know that many of these management functions will be added to API Shield over time as we build out the full gateway. So let's, let's start with the first feature, which is Discovery. Discovery again, is something that is available today. It's part of API Shield API Gateway and the use case it really serves is you may not know what your API endpoints are. We've had plenty of customers who come to us and they say either I don't know what my API endpoints are or Oh, I'm totally sure it's these 30 endpoints. And then we run this discovery tool, which is designed to go out and look for all of your endpoints and then list them out and it comes back and says, Oh, you actually have 100 endpoints or you have 200 endpoints. And it's often you never see someone who says, I have 30, and then it comes back and it says, you're only a 15. And so the idea behind Discovery is to help you understand the attack surface area, because you can't protect it until you know that it exists. If you can't if you can't see it, can't protect it. And there have been some just in the real world, some nightmare use cases here about this shadow API problem. I mean, there's there was one situation where an organization had some breaking changes to the APIs. They rolled out a new version, but they left the old version in production, forgot about it. Right. So they were just sort of running Shadow API, sitting out there in production and it turns out they actually didn't have authentication on these endpoints. So that double whammy, really bad news. So this, this, this shadow API is a critical challenge. And I think I hate to say this, but everything old is new again, right? Where maybe some development teams might push some things live and then security finds out after the fact where you've got these tier point, right? Yeah, we're certain we've got these 75 API endpoints in production. You run the search and it turns out it's 115, right. You run Discovery. So this is where we have to start the of an API security making sure we identify the attack servers. And it happens to the best of us, right? Like we're kind of joking about it here like, Oh, we didn't know some number of endpoints existed. It is entropy. This is the way the world works that you create something and naturally other things will start showing up in all sorts of different places. Whether you've got teams in your company that are building different APIs you weren't aware of or you versioned out other things, it will always show up. And so there's I want to be really clear that it's not your fault that there are other there are other endpoints out there. We're just trying to recognize that need and help you find them all and put them in one place. Exactly. And look, dev teams are working fast to build the company to move things forward. So it's a generally it's a good thing. We just want to make sure that security keeps pace with business. Yeah. So what else? Okay, so we think about discovery. We're aware of the API endpoints in production. So the visibility is there. How do we think about security at that point? So there's another side to discovery actually, which is, sure, you can you can let Cloudflare build a basically a schema of your different endpoints. You can also show up to us and say, I already have a schema, which is a list of endpoints. It's basically a template for how your traffic should look and say, look, I've got this schema. I want Cloudflare to validate my incoming traffic against it. And so why is that useful, right? If you know that your five endpoints are available to the world and you expect traffic for endpoint number two to look exactly like something, we can check all of those rules and basically put up a filter in front of your traffic. Right. And it turns out you'd think it's a very simple way of checking traffic. And to a certain extent it is, but it's actually very, very effective. There are a lot of attackers who either don't spend the time trying to modify their request to fit a certain schema or they don't even know what the schema is. Right. And so even if you found an endpoint, you can try to imitate traffic as it comes in. There may be something buried within a header that you're just not familiar with. And so it's a dead giveaway as soon as your traffic shows up that we should just throw it out and be done with it. So this is the second feature of the gateway. It's schema validation. So the opportunity for you to show up in our dashboard, give us your YAML file, however you're defining your open API schema and then we'll just validate traffic and take whatever action you want us to take, whether that's blocking or logging or anything else. So I've heard this referred to as positive security for your API. So it's almost like I almost think of it as zero trust for APIs. Everything is blocked except for what conforms to your schema. Right. So this positive security model is can be very, very useful and blocking basically all of the garbage, all of this attack traffic that doesn't conform to exactly how you want the world to interact with these API endpoints or the developer. It's much more secure. I mean, look, I love it because it's positive and not negative. That's great. But also there's a there's an added value here of the fact that you get to define what your traffic should look like as opposed to trying to define the other case. Right. Which is potentially infinite. Right. It's all of the other things that your traffic would not look like. Exactly. And again, just to underscore what you said, so this is, you know, many organizations have a schema open API V3 I think, and we merely take that, upload it to API Shield right, our API gateway today and then we basically just start enforcing we basically create rules in the background and start enforcing on that schema, correct? That's right. That's right. And we probably take this moment too, because you and I are both saying API Shield, an API Gateway. For those of you who aren't familiar out there who are kind of watching, we've for a little while had different API products in early access and so we've collectively referred to them as API Shield because they're sort of the security products that function as one unit. Right. And to this day, that's still true. If you go to the dashboard, you'll see API Shield. We've made some changes in honor of security week to bring everything together. The announcement today about API Gateway is about expanding this over time into a gateway. And so what we're building and have many of those things ready already, but when you hear us say API Shield, we're talking about the existing security features. A few months down the line, we'll be talking about the gateway as a whole. So yeah, exactly. And you'll see us transition from the API shield focused on security to really more of a full secure API gateway that does even more. And we'll get to that in a second. But let's round out security first. You know, it's no secret that attackers can look to overwhelm or abuse API endpoints. And abuse detection is something we've done a lot about. And I think, you know, the way we think about it is maybe a little distinct. You want to talk about that? Yeah, this one is close to my heart because this is really the first product I got to jump on. In terms of the API security space. What we've noticed is even though discovery and schema validation are effective in sort of setting up the attack surface area and then vetting traffic as it comes in, there is room for more security here. And so what we can do is we can study your traffic as it comes in, figure out how many requests really your average user is making to each one of your endpoints because they may make more requests to endpoint one than to endpoint two. And then we can use machine learning that the same ML that powers our management product to actually project rate limiting thresholds for you. And so the reason this is so key is in the past you had to guess those rate limiting thresholds on your own, right? You had to sit there and go, well, I guess the average person shouldn't make more than three requests. Right. And it's hard. It's really hard when you're talking about partner APIs, which are maybe making thousands of requests on average every 10 minutes. And so this new tool in line with Discovery will actually suggest your different rate limits, give you contextual information and allow you to do all that. And that's awesome. And what's more is we keep this up to date, right? It's a rolling average, right? It's not something we establish one time in the beginning and then there are a lot of changes. The rate limit. Yes. That's right. It's such a good point you're making, which is your traffic profile is going to change over time. Right. And so Cloudflare is constantly monitoring, updating all of these different thresholds. We're projecting there's another facet to this announcement. As well, which is today in a totally separate blog post we've announced advanced rate limiting and what that allows you to do is rate limit based off of things like cookies and headers. And that's what abuse detection relies on, is the ability for us to not just count a number of IPs that are showing up, but to count a number of headers. Right. And to look specifically at the content of things so that we can do a more intelligent version of rate limiting. And so this is all tied together. Everything we've launched is really closely woven together so that we can provide better security with abuse detection. Indeed. And just a quick example here, because I think is really cool and this is from your blog that you've written about. This is we think about two API endpoints, right? And you know, during say it's mid-March. So we'll talk about the Final Four. The score update endpoint is going to be just overwhelm the traffic because everybody wants to I mean, it's thousands and thousands of requests a minute where the password reset endpoint, we know that that traffic will be very, very low and, you know, as you would expect. So we need to think about traffic for each of those and measure them very differently and then establish separate thresholds for each of those endpoints based on the current traffic that we're seeing. Yep. Totally. Totally. Should we should we talk about the last piece of the shield? Talk about. Yeah, some, some TLS. What do you think? Okay. I'm down. So this is the last, last portion here. I can kind of preface it and then add, add any color you want to add in. The basic idea behind TLS is if you are a company that has a lot of devices that are making requests, API requests, again, I've got a phone, maybe a bunch of my phones, have mobile apps that are requesting my service. You need some way to make sure that when those requests show up, they are legitimately coming from your mobile app and they're not coming from someone who is pretending to be your mobile app. And so with MTLS, our SSL team has helped us build out this new feature where they will issue client certificates for you. Cloudflare acts as a Manage Certificate Authority. We'll help you put those certificates into your app or your software or whatever it is. And then as your different devices make request, they include that client certificate so that when it shows up to Cloudflare, they say, hey, here's here's the thing I'm trying to do. And by the way, here's my certificate. Like, I'm good to go and you can let me through. And it turns out it's just a wonderful tool. We've talked to fitness companies, for example, that make treadmills and bikes and all this kind of stuff, and they are embedding different client certificates into their bikes so that folks can't impersonate them. Right. So that's that's the kind of thing that's really, really helpful. It just as an additional layer of again, positive security isn't negative security. It's positive. That's right. So we can ensure with the certificate that only legitimate devices are allowed to make requests. And then from those legitimate devices with schema validation, we can ensure that those devices only make legitimate requests. So it's sort of two layers of positive security working together, really powerful stuff. So in our remaining time, why don't we talk about what we'll see in the coming months as we build out our API gateway and we think about some of the management and monitoring stuff you were speaking about before. And for starters, we're on the on the theme of authentication. How are we going to continue to add to the authentication piece here? So there's a lot that needs to happen in the authentication space. When we talk about APIs, as you said, security is not enough, right? There are tons of other needs that folks have and that starts with being able to actually identify the folks who are using the APIs. So not just counting the number of folks, but actually saying, I know this particular person, this is their account. Right? They're trying to access some specific information. And so if you look across our set of products, we kind of already do authentication with Cloudflare access. And so we've been working really closely with the with the access team to roll out a feature that will do authentication natively within API Gateway. Right. So we haven't released too many details about this yet. It's one of the things that we're still testing and we want to make sure we get right. But this will be a core part of the gateway. Awesome, awesome stuff. And you know, we were talking before about how APIs drive business. So that means I think more and more organizations will need to just continue building APIs. Now, this is something I know we've thought about with our serverless, our Workers platform. I imagine we're going to make that really easy to do for building the API endpoints. So it's going to be it's going to be crazy easier. I don't want to create a million different APIs everywhere. The wonderful thing about Workers is if you really wanted to today, you can go and set up your own API, right? Workers can act as a microservice on our edge that's serving some purpose, whether it's responding with data. Maybe you've tied it in with our Durable Objects platform to sort of persistently store things at the edge as well. Workers fit the profile of like an API service. And so all that's missing there is us to jump in and refit Workers within the native API gateway context. So giving you a one click option so that you can immediately create a worker, spin up your API at our edge, use us to do authentication. Right, we'll discover all the endpoints will apply our security products there. There's a wonderful space for us to plug in Workers and help complete that process. That's so awesome, so easily build API endpoints and then effectively automatically onboarding. To Cloudflare and protect it. All that stuff in one place. Exactly. Cool, cool, cool. Now, something else we hear a lot about is routing and transaction transformation of API requests. And this is actually a capability we've long had with transform rules, and I believe this will become also available for APIs. Totally. You nailed it. Which is customers often want to be able to pull requests in different directions. Something shows up and maybe you have. Actually, there's a great diagram that our design team put together in the blog post today. And the example I'm giving is, is a hotel, right? Maybe a hotel is a singular website or an API and they want one single point of entry for that API so that all requests at the same point. But once you get there, the information you might want from that hotel website can be different. You might want the price of a room. You might want the type of a room or anything else, right? And so having the ability to have requests show up and then a mechanism at Cloudflare's Edge that routes different types of requests to different places is everything. And so as you mentioned, we already do this with transform roles. We're already able to do this. And so you can set it up today in the dashboard. It would work just fine. This is another one of those things. We are refitting it and plugging it into the gateway so that you can do it all in line in the same flow. That's awesome, because occasionally what we see at the edge of the back end might need something different. So we can add headers, we can rewrite URLs, we can do really interesting things so you don't have to basically update your back end. We can just take care of that, rewrite things, transform, transform requests, and away you go. Now, of course, analytics and moderating is also critical. It's critical for application for security and also APIs. We're going to also just continue to make that more robust in our gateway, I'm guessing. Yeah. And I've been looking really closely at a lot of the work on this. We care very deeply about not just building another analytics product like this can't just be a thing that tells you how many requests you have. And that's fine. We have to build something that is specifically catered to our API use case. And so we've spent a lot of time thinking about useful different mechanisms you can have in the dashboard again, just like we've done with bot analytics where you can sort of pull a different bot score threshold. We want to do a similar thing here with anomalies that we've surfaced in API security. So that's absolutely a core part of this and it's something that's really important to the gateway. Absolutely. Well, robust logging, of course, to really understand what's happening with your APIs. Now, we've got about a minute left. There's that everything else category that we're also going to build in. So things like quota management, right, just sort of compliment rate limiting so that you can sort of establish an amount of requests you want to develop it to have and measure against that. Right. So their quota and manage that caching. Right. That's what we've done with CDN for a long time. We'll do the same for API requests to make it really fast from our edge in load balancing all sorts of things. So really, really powerful features going into our API gateway in the coming quarter. So to end this up to end things, where should interested organizations go to get started. So you can reach out to your account team. That's the first thing you really should do. They can put you in touch with the right folks at Cloudflare who can get API Gateway or rather the Shield today activated site. You can start testing out those different security features and really get them working. There's a lot of fun things to play around with, so we're we're really excited to hear how this goes for you. But also let us know as there are new features you want to try and new things you want to test out. But that's all I got. Ben, thanks for joining Happy Security Week 2022. Happy Security Week. Good to see you.