Paladin: A Policy Framework for Securing Cloud APIs by Combining Application Context with Generative AI

TL;DR

Paladin is a security framework that uses large language models to understand application semantics and enforce policies on cloud APIs, enhancing security against application layer threats.

Contribution

It introduces a novel LLM-based approach for semantic understanding in cloud API security, enabling application-agnostic policy enforcement.

Findings

High policy identification accuracy

Broad applicability across different applications

Reasonable performance overheads

Abstract

Enterprises and organizations today increasingly deploy in-house, cloud based applications and APIs for internal operations or external customers. These deployments deal with increasing number of threats, despite security features offered by cloud service providers. This work focus on threats that exploit application layer vulnerabilities of cloud workloads. Prevention and mitigation measures against such threats need to be cognizant of application semantics, posing a hurdle to existing solutions. In this work, we design and implement a security framework that allow cloud workload administrators to easily define and enforce policies capable of preventing (i) unrestricted resource consumption, (ii) unrestricted access to sensitive business flows, and (iii) broken authentication. Our framework, Paladin, leverages large language models to extract sufficient semantic meaning from API requests to provide cloud administrators with an application agnostic policy definition interface. Once defined, requests are automatically matched with relevant policies and enforced by high performance proxies. Evaluations with our prototype show that such a framework has broad applicability across applications, good policy identification accuracy, and reasonable overheads, making it substantially easier to define and enforce cross application policies.