In the first step, Tanzu Service Mesh Enterprise discovers the components of the application, including APIs (REST/JSON), PII data, and application users (based on their user IDs). It then learns the application's behavior and creates a baseline of "normal behavior" in terms of what services are present in the application, what APIs and data are exchanged, and which users access them. When this learning (or baseline) is complete, it can detect deviations from that "normal behavior" and report them to the administrator. It allows admins to block or allow traffic and create policies automatically. Additionally, administrators can create granular policies that provide API and data segmentation, OWASP 10 attack defense, schema validation, geofencing, data compliance, and egress controls.
For more information on how to create API Security policies, see API Security Policies: UI Configuration and API Security Policies: API Configuration.
API Segmentation
API segmentation always runs in the enforcing mode. In the enforcing mode of API segmentation, the system continues to monitor the discovered API interactions. In addition, the system reports an API Violation whenever a new (previously undiscovered) API is detected.
The Security Analytics page in API Management > API Overview provides a detailed summary of the API security events that occurred in a particular endpoint. Each security event is indicated based on its severity (critical, warning, info).
PII Segmentation
In the detection mode of PII segmentation, Tanzu Service Mesh learns the APIs with PII between the microservices deployed in the application environment. In the enforcing mode of PII segmentation, Tanzu Service Mesh Enterprise continues to monitor the PII transfers. In addition, the system reports a PII Violation when a new PII is detected.
The API Management > API Overview page provides a detailed summary of PII violations that occurred in the system. This includes geolocations with PIIs, and top PIIs detected in each endpoint.
| API & TCP Segmentation | PII | Violation Scenarios in Enforcing Mode |
|---|---|---|
| Enabled | Disabled | a) Any unknown API detected is considered to be a violated API, called an API Violation.<br>b) Any unknown PII detected doesn’t report a PII Violation.<br>c) Any unknown PII detected in an already discovered API doesn’t report a PII or an API Violation.<br>d) Any unknown PII detected in a new API doesn’t report a PII Violation, but does report an API Violation. |
| Disabled | Enabled | a) Any unknown API detected doesn’t report an API Violation.<br>b) Any unknown PII detected is considered to be a violated PII, called a PII Violation.<br>c) Any unknown PII detected in an already discovered API is considered to be a violated PII, called a PII Violation, while the API is legitimate.<br>d) Any unknown PII detected in a new API doesn’t report an API Violation, but does report a PII Violation. |
| Enabled | Enabled | a) Any unknown API detected is considered to be a violated API, called an API Violation.<br>b) Any unknown PII detected is considered to be a violated PII, called a PII Violation.<br>c) Any unknown PII detected in an already discovered API is considered to be a violated PII, called a PII Violation, while the API is legitimate.<br>d) Any unknown PII detected in a new API is identified as both a PII and an API Violation. |