Deflector and shield

Do you know the difference between the deflector and the shield? If so, you can proudly call yourself a Star Trek® fan. Without getting into too much detail, they both serve one purpose: the integrity of the spaceship and the security of the crew on it. The navigational deflector makes sure the ship travels safely through space, even at warp speed, protecting it from space debris, while the shield establishes a multi-layer protection field in case of an attack.

Similarly, API Gateways use a threat protection layer to make sure the mediation layer doesn’t have to deal with the network debris, also known as unwanted traffic. This layer protects the rest of the gateway against DoS attacks, malicious content, viruses, etc. Essentially, nothing suspicious shall pass.

When an API call successfully gets through the protection layer, it’s still subject to API access control and protection policies. The gateway’s mediation layer makes sure the client is authenticated (we know them) and authorized (we allowed them) to use the API. Many other things happen to make sure they use the API in the way it was designed for (validation policies), etc.

Just like the deflector and the shield, these two layers together constitute a holistic API Security solution in API Management. They can additionally be augmented by specialized API security solutions or application security solutions like WAFs.

Shields up! Red alert! 🙂
