Jump to Content
API Management

Better protect your web apps and APIs against threats and fraud with Google Cloud

April 22, 2021
https://storage.googleapis.com/gweb-cloudblog-publish/images/gcp_WAAP.max-1500x1500.jpg
Varsha Datta

Security and Compliance Specialist

Ann Wallace

Security Practice Lead, Google Cloud

With web applications and public APIs becoming increasingly important to how organizations interface with their customers and partners, many are turning to dedicated tools that can help protect these assets. As research firm Gartner notes in its 2020 report “Defining Cloud Web Application and API Protection Services,” “By 2023, more than 30% of public-facing web applications will be protected by cloud web application and API protection (WAAP) services that combine DDoS protection, bot mitigation, API protection and web application firewalls (WAFs). This is an increase from fewer than 10% today.”1 Currently, most of these services come in the form of different point solutions for different types of threats. This leads to gaps in protection and increased acquisition and operational costs. 

To tackle these challenges, Google Cloud has launched a security solution, Web App and API Protection (WAAP), which provides comprehensive threat protection for your web applications and APIs. 

Google Cloud WAAP is based on the same technology Google uses to protect its public-facing services against web application exploits, DDoS attacks, fraudulent bot activity, and API targeted threats. It represents a shift from siloed to unified application protection, and can deliver improved threat prevention, greater operational efficiencies, and consolidated visibility and telemetry. It also provides protection across clouds and on-premises environments.

Google Cloud WAAP combines three leading products to provide comprehensive protection against threats and fraud: 

Google Cloud Armor, which is part of Google Cloud's global load balancing infrastructure, provides WAF and anti-DDoS capabilities, protecting applications against the Open Web Application Security Project (OWASP) Top 10, sophisticated application exploits, and both volumetric and layer 7 availability attacks. 

Apigee, Google Cloud’s API management platform, provides API lifecycle management capabilities, with a heavy focus on security. The solution verifies API keys, generates and validates OAuth access tokens, rate limits traffic, enforces quotas, and provides analytics on API trends. 

reCAPTCHA Enterprise provides transparent protection from fraudulent activity, spam, and abuse like scraping, credential stuffing, automated account creation, and exploits from automated bots.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Google_Cloud_WAAP_solution_high-level_arch.max-2000x2000.jpg
Google Cloud WAAP solution high-level architecture

“I’ve seen our customers benefit greatly from each part of Google Cloud WAAP, and now that it’s a packaged solution,  we can bring a more comprehensive security solution to a broader set of clients much faster.” said Miles Ward, CTO of SADA Systems. “SADA is excited to partner with Google to bring this outstanding security solution to our customers’ mission critical projects.”

How WAAP is helping customers today 

The following two scenarios showcase how a bank and an airline are using Google Cloud’s WAAP solution to address their heightened security needs. 

Balancing security requirements with ease of use
A bank is launching a new microservices based payment app and, due to the architecture of the application, it exposes several APIs which need to be protected. Three different teams are involved and have different priorities that need to be balanced.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Balancing_security_requirements.max-2000x2000.jpg

Google Cloud’s WAAP solution allows different teams at the bank to collaborate closely to fulfil their requirements using one solution and one vendor. 

Managing OWASP Top 10 Web Application Security Risks
An airline needs to protect its reservation website from OWASP Top 10 Web Application Security Risks. Preventing attackers from utilizing leaked or stolen email addresses and passwords to gain unauthorized access (credential stuffing) is a priority. Their APIs are used by 3rd party travel sites for making reservations, therefore the airline also needs to be able to manage authentication and authorization of their public APIs.

The airline uses the Google Cloud WAAP solution, implementing Cloud Armor as a WAF, Apigee as the API management layer, and reCAPTCHA Enterprise to defend against credential stuffing.

https://storage.googleapis.com/gweb-cloudblog-publish/images/WAAP_Architecture.max-2000x2000.jpg
Google Cloud WAAP solution workflow

Let’s take a look at the workflow of this request with the Google Cloud WAAP solution.

  • The first point of contact on the WAAP solution is Cloud Armor. Cloud Armor protects against OWASP Top 10 vulnerabilities like cross-site scripting (XSS), SQL Injection (SQLi) etc and also provides protection against L3, L4, and L7 DDoS attacks. 

  • If none of the above rules are triggered on the Cloud Armor policies, a request is sent to the reCAPTCHA Enterprise API to evaluate whether the incoming traffic is a legitimate request or not [Machine bot vs. Human]. If it is a legitimate request, then the request is forwarded to the airline’s backend. If the request is not a legitimate one, then Cloud Armor has the ability to deny the request by sending a 403 response code to the user. Further, Cloud Armor can take more intelligent actions like redirecting to a different page or forwarding the request to a honeypot. 

  • For any API requests, once the Cloud Armor OWASP rules and DDoS protection has been evaluated, the request is then forwarded to Apigee to check the validity of the API request. Apigee is now able to determine if the API keys or access tokens used in the request are valid and that the consumer has access to the API or not. If Apigee determines the request to be a non-legitimate one, Apigee can serve a 403 response code to the end user otherwise, Apigee will forward the request to the Airline’s backend.

For all requests being made to the airline’s reservation website, the WAAP solution is the first point of contact and can detect and mitigate bad actors at the edge before the request even reaches the airline’s backend.

As more and more organizations accelerate their digital transformation journey, and as business processes and commerce rely more on digital interactions, the need for heightened levels of security and protection has risen significantly. Moving to a unified application protection like Google Cloud’s WAAP solution can help organizations deliver improved threat prevention, greater operational efficiencies, and consolidated visibility and telemetry, in record time.  

Get started using WAAP today 

For more details on how Google Cloud can help with comprehensive web app and API protection, check out our WAAP solution page, watch our on-demand webinar on App Modernization and Protection, and read our whitepaper written by Enterprise Strategy Group on Meeting the challenges of securing modern web applications with WAAP.


1. Gartner, Defining Cloud Web Application and API Protection Services, Jeremy D'Hoinne and Adam Hils, Refreshed 20 May 2020.

Posted in