Microservices Needs API Security, but API Security Should Not Depend on Microservices

APIs are the interconnect protocol in microservices architectures, and for this reason, API Security is an essential component of microservices security, besides, of course, the service platform security and container security itself.

However, microservices architectures present opportunities and challenges for API Security implementation:

  1. API calls between services usually go through proxies and/or other virtual components that are under the control of DevOps. Therefore, API security functions can be attached to these components without modification of infrastructure components.
  2. Microservices tend to be a group of highly distributed and ephemeral services. This means that the conventional hair-pinning and traffic redirection through a security gateway will not work for a vast majority of deployments.

As a result, most API security services for microservices are delivered as add-ons and plug-ins to existing microservices infrastructure components. Now, while this can be effective if the entire Service Mesh has been converted to microservices, the reality is that microservices based API security isn’t a viable solution in a hybrid, multi-cloud, and highly distributed environment.

Gartner points out that API security should comprise of a continuous three-step iterative process. They go on to describe them as Discover, Monitor and Secure. The order highlights the steps in which a successful API security implementation should naturally follow.


An organization must first discover the APIs that are currently in use because just like Shadow IT, Shadow APIs can be a potential data breach vector; and furthermore, discovery tools should not be limited by the application architecture. Hence a microservices-centric tool will not be an effective discovery tool for hybrid environments – also known as the large majority of enterprise deployments.


Hybrid environments also need a monitoring solution that works across different architecture models, and the monitoring itself should not enforce the adoption of any particular model. Also, monitoring should be a zero-impact to observed systems.


Finally, when it comes to securing APIs, one needs a solution that ensures that all API calls, without exception, can be secured in an end-to-end manner. API security implementation is only incomplete all API calls passing through a particular set of network components can be effectively secured.

In summary, it is not a question if API security should be part of a microservices architecture – it definitely should. However, the microservices API security should be considered as part of the broader Service Mesh API security solution, encompassing all enterprise applications and components, and not as a means to an end.

CloudVector provides the only API security solution that integrates private, public and distributed application environments and provides a single point of control to manage API security at any scale. Furthermore, CloudVector “uniquely” continuously observe APIs at the object-level {payload} to ensure that even data exposed by-design is not leaking private data.

Learn more about our Dynamic API Risk Trackers (DART) And API DLP