There is a requirement that we have a means for non-Appian users to create new accounts in the application I am working on. Since Appian does not appear to have any built-in means of allowing this, the current workaround is to make a web API that connects to an external site and kicks off a process model which can make new users. This kind of makes us nervous (particularly since there is no way to delete unnecessary users in Appian), so we added an admin approval step before the actual user creation stage, but we're still a little nervous about potential DDoS attacks and the like. Is there an in-Appian method to limit how often an API gets accessed? And if not, is there some other best practice to prevent attacks on Appian APIs?
In a typical enterprise scenario, you would put an API gateway in front of your Appian environment. This layer is meant to cover DDoS, throttling and defence in general.
Hi both,
Despite having an API gateway, if your Appian install is public (internet) facing, how do you restrict from Appian that only the gateway will be accessing the ./webapi/... URL path?
Is there a way to restrict the incoming IPs, or similar, to your APIs from inside Appian? (I know that we can configure our networks, Cloud, etc. to make those restrictions.)
I'm more concerned with the mere exposure rather than the identification of the requester, e.g. preventing DDoS, as in general APIs can be much more abused than regular user navigation.
Regards,
Here's a more direct and robust approach:
Implement Endpoint Authentication and Authorization in Appian: Within your Appian application, enforce authentication and authorization mechanisms directly on the API endpoints themselves. This can be achieved by implementing a custom authentication scheme or by leveraging Appian's built-in security features.
API Key Management: Generate unique API keys for each client or application that needs access to your API endpoints. Require clients to include these API keys in their requests for authentication purposes. Manage and validate these API keys within your Appian application to ensure that only authorized clients can access the API.
IP Whitelisting and Rate Limiting at the Gateway Level: Configure your API gateway to whitelist only specific IP addresses that are allowed to access the API endpoints. Additionally, implement rate limiting rules at the gateway level to restrict the number of requests per IP address within a certain timeframe. This helps in mitigating DDoS attacks and excessive usage.
Use Role-Based Access Control (RBAC): Utilize role-based access control mechanisms within your Appian application to define and enforce access policies for your API endpoints. Only users with the appropriate roles and permissions should be able to access sensitive or restricted endpoints.
Implement WAF and DDoS Protection Services: Deploy a Web Application Firewall (WAF) in front of your Appian application to inspect and filter incoming HTTP traffic. Additionally, consider utilizing DDoS protection services provided by cloud service providers or specialized security vendors to mitigate large-scale DDoS attacks.
Monitor and Audit API Access: Implement logging and monitoring mechanisms to track and audit API access in real-time. Monitor for any suspicious activity, such as unusual spikes in traffic or unauthorized access attempts, and take proactive measures to mitigate potential threats.
Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing exercises to identify and address potential vulnerabilities in your API endpoints and overall application security posture. Address any security findings promptly to minimize the risk of exploitation.
By implementing these measures, you can significantly enhance the security of your API endpoints within Appian and mitigate the risks associated with unauthorized access, DDoS attacks, and abuse. Additionally, it's essential to stay informed about the latest security threats and best practices in API security to adapt and strengthen your defenses accordingly.
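As an added illustration of point 3 above (not code from the thread, from Appian, or from any particular gateway product), here is a small Python model of the gateway policy: a source-IP allow-list and a per-IP sliding-window rate limit applied only to the `/webapi/` path mentioned in the thread, evaluated over a constructed request stream. The networks, limits and paths are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions for this example, not Appian settings):
# only these networks may reach the web API path, and each source IP gets at
# most LIMIT requests per WINDOW_SECONDS, measured over a sliding window.
PROTECTED_PREFIX = "/webapi/"
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
LIMIT = 5
WINDOW_SECONDS = 60.0


class GatewayPolicy:
    def __init__(self, allowed=ALLOWED_NETWORKS, limit=LIMIT, window=WINDOW_SECONDS):
        self.allowed = allowed
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # source IP -> timestamps of recent requests

    def _allowed_source(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.allowed)

    def decide(self, src, path, now):
        """Return (status, reason) for one request; 200 means forward to Appian."""
        if not path.startswith(PROTECTED_PREFIX):
            return 200, "not a protected path"
        if not self._allowed_source(src):
            return 403, "source not in allow-list"
        window = self._hits[src]
        while window and now - window[0] >= self.window:  # drop expired hits
            window.popleft()
        if len(window) >= self.limit:
            return 429, "rate limit exceeded"
        window.append(now)
        return 200, "forwarded"


# Constructed request stream: (seconds since start, source IP, path)
SAMPLE_REQUESTS = [
    (0.0, "10.1.2.3", "/webapi/createUser"),
    (1.0, "198.51.100.9", "/webapi/createUser"),  # outside the allow-list
    *((2.0 + i, "10.1.2.3", "/webapi/createUser") for i in range(5)),  # 6th call trips the limit
    (70.0, "10.1.2.3", "/webapi/createUser"),  # window has slid past, allowed again
    (71.0, "198.51.100.9", "/suite/"),  # not a protected path
]


def run(requests=SAMPLE_REQUESTS):
    """Evaluate each request in order and return the list of status codes."""
    policy = GatewayPolicy()
    return [policy.decide(src, path, t)[0] for t, src, path in requests]
```

Blocked (403/429) requests never reach the Appian process model, which is the proactive behaviour the thread is after; logging those decisions also gives the monitoring signal from point 6.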
Thanks Manish for your quick response.
I really love extended responses like yours.
Going back to my question, I'm not concerned about user authentication (1, 2 and 4) and I'm looking for a pro-active approach (where 6 and 7 are reactive).
I'm looking for configurations at Appian level, not in network devices (like 5).
I saw that, in cloud installations, we can request Appian support to configure those restrictions. Is this what you are referring to in 3? For on-prem installs, could you please elaborate on option 3?
(I presume that, for cloud installs, what Appian does is configure their FW to prevent those unauthorised requests reaching your /webapi/xxx site)
Is this AI generated? If so, would you mind pointing this out?