A Policy Framework for Securing Cloud APIs by Combining Application Context with Generative AI
Abstract
As APIs become the de facto standard for applications to interact with one another, organizations need a robust policy framework to protect them from known vulnerabilities and new threats. Complex policies intended to protect APIs often require a deep understanding of application nuances and semantics. Further, as APIs evolve, policies must be constantly updated, placing a significant burden on organizational security administrators. In this talk we present our study of a novel security framework (Paladin) that simplifies the process of defining and enforcing cross-application policies for cloud security administrators. Paladin provides an abstraction layer that enables high-level policy definitions independent of application semantics. By automatically identifying APIs with the same business meaning across applications using large language models (LLMs), Paladin makes policy definition and enforcement easier for security administrators. Our study shows that these policies are capable of preventing unrestricted resource consumption, unrestricted access to sensitive business flows and broken authentication (all categories of the OWASP API Security Top 10, 2023), among other weaknesses. Our study analyzed the 25 most popular APIs of 2023 (TikTok, Google, etc.) together with APIs from e-commerce and financial applications to identify common business scenarios such as logins, user registrations and product purchases. We show that this framework makes it easy to define policies against known CVEs that remain effective across multiple applications.
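To make the abstraction-layer idea concrete, the following is an added illustration written for this page; it is not Paladin's code and does not use its API. Concrete endpoints from two hypothetical applications (`shop-a`, `bank-b`, with invented paths) are mapped onto canonical business operations, and two policies are written once against those operations: a per-client login rate limit (unrestricted resource consumption) and a rule that a purchase requires an authenticated session that has first added to a cart (unrestricted access to a sensitive business flow). The endpoint mapping table is constructed by hand here as a stand-in for the LLM classification step the abstract describes, and the traffic in `run_sample()` is likewise constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Canonical business operations. This vocabulary is an assumption made for
# the example; the abstract names logins, registrations and purchases.
LOGIN, REGISTER, ADD_TO_CART, PURCHASE = "login", "register", "add_to_cart", "purchase"

# Constructed mapping of concrete endpoints to business operations. In the
# framework described above this mapping is produced by an LLM; here it is
# written by hand so the example runs offline. Apps and paths are invented.
ENDPOINT_MAP = {
    ("shop-a", "POST", "/api/v1/auth/login"): LOGIN,
    ("shop-a", "POST", "/api/v1/cart/items"): ADD_TO_CART,
    ("shop-a", "POST", "/api/v1/orders"): PURCHASE,
    ("bank-b", "POST", "/session"): LOGIN,
    ("bank-b", "POST", "/users"): REGISTER,
}


@dataclass
class Request:
    app: str
    method: str
    path: str
    client: str                    # source identifier, e.g. client IP
    ts: float                      # arrival time in seconds
    session: Optional[str] = None  # authenticated session id, if any


def classify(req: Request) -> Optional[str]:
    """Map a concrete request onto its business operation (None if unknown)."""
    return ENDPOINT_MAP.get((req.app, req.method, req.path))


class PolicyEngine:
    """Enforces policies written against business operations, not endpoints.

    State is keyed by operation and client rather than by application, so a
    login burst spread across several apps is still counted as one burst.
    """

    def __init__(self, login_limit: int = 5, window: float = 60.0) -> None:
        self.login_limit = login_limit
        self.window = window
        self._logins = defaultdict(deque)  # client -> recent login timestamps
        self._carts = set()                # sessions that have added to a cart

    def evaluate(self, req: Request) -> str:
        op = classify(req)
        if op is None:
            # Unclassified endpoints are allowed here; a fail-closed deployment
            # would deny them and queue them for classification instead.
            return "allow:unclassified"
        if op == LOGIN:
            q = self._logins[req.client]
            while q and req.ts - q[0] >= self.window:  # drop expired attempts
                q.popleft()
            if len(q) >= self.login_limit:
                return "deny:login_rate"
            q.append(req.ts)
            return "allow"
        if op == ADD_TO_CART:
            if req.session is None:
                return "deny:unauthenticated"
            self._carts.add(req.session)
            return "allow"
        if op == PURCHASE:
            if req.session is None:
                return "deny:unauthenticated"
            if req.session not in self._carts:  # purchase must follow add-to-cart
                return "deny:flow_order"
            return "allow"
        return "allow"  # REGISTER and other classified ops: no policy attached


def run_sample() -> list:
    """Constructed traffic: a login burst spanning two apps, a purchase that
    skips the cart step, the legitimate flow, and a login after the window."""
    engine = PolicyEngine(login_limit=3, window=60.0)
    traffic = [
        Request("shop-a", "POST", "/api/v1/auth/login", "10.0.0.7", 0.0),
        Request("shop-a", "POST", "/api/v1/auth/login", "10.0.0.7", 1.0),
        Request("bank-b", "POST", "/session", "10.0.0.7", 2.0),
        Request("bank-b", "POST", "/session", "10.0.0.7", 3.0),  # 4th attempt
        Request("shop-a", "POST", "/api/v1/orders", "10.0.0.9", 10.0, session="s1"),
        Request("shop-a", "POST", "/api/v1/cart/items", "10.0.0.9", 11.0, session="s1"),
        Request("shop-a", "POST", "/api/v1/orders", "10.0.0.9", 12.0, session="s1"),
        Request("shop-a", "POST", "/api/v1/auth/login", "10.0.0.7", 61.0),  # window moved on
    ]
    return [engine.evaluate(r) for r in traffic]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The point of the example is the fourth request: the third and fourth logins go to a different application than the first two, yet the single rate-limit policy still denies the burst because it was written against the `login` operation rather than against either application's endpoint. Adding a new application only requires extending the mapping table, not the policies.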