What is Pangea?
Pangea is a collection of API-based security services that can quickly and easily be added to any cloud application. These services and APIs are embedded into an application's runtime code; there is more on application runtime below. The purpose of Pangea is to make a wide selection of security services available to any app builder so that builders can easily embed security into their applications. It's similar in nature to AWS for Compute APIs, Twilio for Communications APIs, and Stripe for Billing APIs. And now there is Pangea for Security APIs.
Here is the list of services Pangea will be making available initially:
- Secure Share
Over time there will be more services delivered, including partner services. It's also cost-effective to get started. There is a generous free tier for each service, with pay-as-you-go pricing beyond the free tier.
How you use Pangea
With Pangea being a cloud-based platform and set of services, everything starts with registering for an account. This will automatically create an organization and project for you in the cloud operating region you select. Pangea has a generous free tier; therefore, no credit card is required to use Pangea. For expanded usage, you may need to enter a credit card.
Next, you will need to select a service you want to integrate into your application. When you instantiate or configure that service, you obtain a token for that service. The token is used to authenticate your application to the service and, more specifically, authenticate to your instance or configuration of the service. You'll need to include this token in the API calls made by your app against the service. Each API call will return JSON, where the response contents are specific to the API that was executed. Your application code will then process the JSON contents.
These generic steps are repeated for each service you choose to use from Pangea.
What's happening behind the scenes?
While your application simply makes a single API call against a service, the Pangea infrastructure manages the rest. Pangea's microservice architecture includes an API gateway for routing requests and responses, billing and metering, authentication, and of course, the components to support the services of interest (e.g., Secure Audit Logging, Redact, Embargo).
These components are available in many CSPs and regions across the world, and are responsible for fulfilling the request quickly, in the geographic territory that you've configured. The benefit to a builder is that Pangea manages the complexity of things like GDPR data residency, service resiliency, redundancy, regional availability, and performance, so you don't have to.
What's a service, why do you build it, and why do you care?
The term service can carry many meanings in different contexts. Pangea itself is a service. However, an application builder is not integrating Pangea specifically. Instead, a builder will integrate one or many of the services that are hosted on the Pangea platform.
Application builders use Pangea because it accelerates the delivery of their applications and increases inherent security in the application by way of using Pangea's API-driven security services rather than building and staffing in-house.
Pangea also helps builders become compliant faster. Becoming compliant with GDPR, SOC2, PCI, HIPAA, and ISO27001 is hard and takes a lot of time, especially when you are building an application from scratch. The security services and APIs from Pangea can help remediate any gaps in your compliance assessment.
A word about integrating in Application Run Time:
Application security and the term "security APIs" are growing in definition and can be confusing. In Pangea's context, we're specifically suggesting an approach where a builder puts security services, via API, inline with application code that is invoked during the application runtime. This is effectively embedding security directly into an application. Let's be clear about what this does not mean: this is not about securing the application development process or the build time of an application. Here are some examples to illustrate what we mean by integration in the application run time:
- Each time a user logs into a builder's application, embed in the application code a reputation check against their origin IP address. This reputation check is executed at run time.
- Each time a file is exchanged in a file sharing transaction, embed in the application code a file detonation procedure against the file being exchanged. This file detonation is executed at run time.
- Each time a patient record is accessed in a healthcare application, embed in the application code a logging event call to a tamperproof audit logging service.
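The first run-time case above (a reputation check on the origin IP at login, authenticated with the service token and answered in JSON) can be sketched as follows. This is an added example, not Pangea's own code or SDK; it focuses on what the login path does when the security API times out or returns something unusable. The endpoint URL, the Bearer header, the `{"result": {"verdict": ...}}` response shape, and the names `allow_login` and `http_post` are assumptions made for illustration.

```python
import json
import urllib.request

# Placeholder endpoint and verdict values: assumptions for illustration,
# not taken from the page or from Pangea's API reference.
REPUTATION_URL = "https://security-api.example/v1/ip/reputation"
BLOCKING_VERDICTS = {"malicious"}


def http_post(url, token, payload, timeout=2.0):
    """Default transport: POST JSON with the service token, return (status, body)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}",  # header scheme is assumed
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def allow_login(ip, token, transport=http_post, fail_open=False):
    """Return (allowed, reason) for a login attempt from `ip`.

    A transport error, non-200 status or unparseable body means "no verdict";
    `fail_open` decides whether that admits or rejects the login.
    """
    try:
        status, body = transport(REPUTATION_URL, token, {"ip": ip})
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        verdict = str(json.loads(body)["result"]["verdict"])
    except (OSError, ValueError, KeyError, TypeError) as exc:
        return fail_open, f"no verdict ({type(exc).__name__})"
    return verdict not in BLOCKING_VERDICTS, f"verdict={verdict}"


if __name__ == "__main__":
    # Constructed responses standing in for the remote service.
    def fake(url, token, payload):
        bad = payload["ip"] == "203.0.113.7"
        verdict = "malicious" if bad else "benign"
        return 200, json.dumps({"result": {"verdict": verdict}}).encode()

    print(allow_login("203.0.113.7", "token-placeholder", transport=fake))
    print(allow_login("198.51.100.20", "token-placeholder", transport=fake))
```

Whether `fail_open` should be true is a product decision: rejecting logins when the check is unavailable favors security, admitting them favors availability, and the returned reason string lets either choice be logged.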