A zero-budget blueprint that actually scales.
Mansfeld-Südharz, Germany - November 28, 2025
The average machine-tool shop in Sandersdorf still routes invoices through a 2014 ERP plug-in that speaks XML over port 8080, wrapped by nothing more than basic auth and hope. Ask the owner why he hasn’t bought an enterprise API gateway and he will show you a P&L where IT must compete with a new CNC spindle. That conversation used to end with a shrug; today it ends with a pull request. Over the past twelve months the Cyber Resilience Alliance has distilled the minimum viable stack—proxy, identity, schema guard, audit trail—into a set of Helm charts that run on a 40-watt mini-PC inside the factory office. Total hardware cost: 189 €. Total licence cost: zero. The same pattern now protects 1 300 endpoints across 87 county SMEs, and every new onboarding takes less time than a coffee break.
The architecture begins with Envoy, not because it is fashionable but because its configuration surface is plain YAML and its binary footprint fits the memory left over after the CAM software has eaten its share. We ship a county-curated build that bundles the Lua filter we call “Schema-Shield”: it parses incoming JSON against an OpenAPI contract that the SME uploaded once, hashes the payload minus any PII, and emits a one-line log that can be shipped elsewhere or simply stored locally for seven years to satisfy German tax law. If the request violates the schema—extra fields, type confusion, strings longer than expected—the filter returns 400 and closes the connection without invoking the backend, which means a 20-year-old PHP script is never asked to defend modern attack grammars. The filter also strips authentication headers after validation, so the legacy service continues to believe it is 1999 while the outside world talks OAuth 2.1 and mTLS.
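The gate described above, written out as an added example in Python rather than the Alliance's own Lua filter (which is not reproduced here): a contract of the kind an OpenAPI schema would supply, the three rejection classes the text names (extra fields, type confusion, over-long strings), a SHA-256 over the payload with PII fields removed, and the single log line that results. The invoice contract, its field names and the sample bodies are constructed for this example.

```python
"""Added example, not the Alliance's Schema-Shield filter: the same decision in Python."""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical contract for an invoice endpoint, constructed for this example. It carries
# what an OpenAPI 'Invoice' schema object would: required fields, types, length limits,
# plus a marker for fields that must never reach the audit log in clear.
INVOICE_CONTRACT = {
    "required": ["invoice_id", "customer", "amount_cents", "currency"],
    "properties": {
        "invoice_id": {"type": str, "maxLength": 32},
        "customer": {"type": str, "maxLength": 120, "pii": True},
        "amount_cents": {"type": int},
        "currency": {"type": str, "maxLength": 3},
        "note": {"type": str, "maxLength": 500},
    },
}


def validate(payload: dict, contract: dict) -> list:
    """Return the list of violations; an empty list means the backend may be called."""
    props = contract["properties"]
    errors = []
    for name in contract["required"]:
        if name not in payload:
            errors.append(f"missing:{name}")
    for name, value in payload.items():
        spec = props.get(name)
        if spec is None:
            errors.append(f"extra_field:{name}")  # schema drift or probing, either way rejected
            continue
        expected = spec["type"]
        # bool is a subclass of int in Python; a JSON true must not pass as an integer
        if (isinstance(value, bool) and expected is int) or not isinstance(value, expected):
            errors.append(f"type:{name}")
            continue
        limit = spec.get("maxLength")
        if limit is not None and len(value) > limit:
            errors.append(f"too_long:{name}")
    return errors


def audit_hash(payload: dict, contract: dict) -> str:
    """SHA-256 over canonical JSON with PII fields dropped: the log proves what was sent
    for seven years without storing who it was about."""
    props = contract["properties"]
    scrubbed = {k: v for k, v in payload.items() if not props.get(k, {}).get("pii")}
    canonical = json.dumps(scrubbed, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def gate(raw_body: bytes, contract: dict = INVOICE_CONTRACT) -> tuple:
    """Decide the status code and build the one log line.
    Returns (400, line) on any violation, (200, line) when the backend may be invoked."""
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    try:
        payload = json.loads(raw_body)
        if not isinstance(payload, dict):
            raise ValueError("top-level value must be an object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return 400, f"{ts} status=400 reason=malformed_json detail={exc!s}"
    errors = validate(payload, contract)
    digest = audit_hash(payload, contract)
    if errors:
        return 400, f"{ts} status=400 sha256={digest} violations={','.join(errors)}"
    return 200, f"{ts} status=200 sha256={digest} fields={len(payload)}"


if __name__ == "__main__":
    # Constructed sample bodies: one clean invoice, one with a wrong type, an over-long
    # currency code and an undeclared field.
    good = b'{"invoice_id":"RE-2025-0117","customer":"Musterfirma GmbH","amount_cents":125000,"currency":"EUR"}'
    bad = b'{"invoice_id":"RE-2025-0118","customer":"X","amount_cents":"1250","currency":"EURO","debug":true}'
    for body in (good, bad):
        status, line = gate(body)
        print(status, line)
```

Two details carry the security weight: the check runs before anything is forwarded, so the PHP backend never sees the malformed body, and the hash is computed on the scrubbed payload, so the seven-year log never becomes a second copy of customer data.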
Identity is handled by a slimmed-down Keycloak that we pre-configure with a federation hub already trusted by the county’s citizen-service portal. An SME does not manage users; it simply adds its domain to the existing realm and inherits MFA, step-up auth and a privacy dashboard that exports audit trails in DATEV format. The critical piece is that the realm runs on a separate TPM-bound VM inside the same sovereign cloud that hosts the Alliance SOC, which means credential material never leaves German jurisdiction even if the company later opens a sales office in Asia. Revocation propagates in under 200 ms because we replaced Keycloak’s built-in cache with a NATS stream that fans out to every Envoy node, so when the works council disables a dismissed employee the token is void before he reaches the parking lot.
Policy-as-code enters through Open Policy Agent, but we removed the Rego learning curve by shipping a library of canned rules that cover the 90 % case: rate-limit per IP and per token, whitelist of allowed HTTP verbs, blacklist of known malicious regexes scraped from our own SOC feed, and a size cap on request bodies that defaults to 256 kB—large enough for invoices, small enough to block most file-drop attempts. The rules are versioned in a public Git repository; an update triggers a GitHub Action that builds a new OPA bundle, signs it with the county’s code-signing key and pushes it to an S3-compatible bucket. Envoy pulls the bundle every thirty seconds, so a new rule written at 14:00 is enforced plant-wide by 14:01 without anyone restarting a service or touching the factory floor. Because the bundle is signed, a miscreant who manages to pop the bucket cannot inject policy; he can only deny updates, which triggers an alert anyway. The result is that security policy evolves faster than business logic, which is exactly the inversion most SMEs need but cannot afford.
"We don’t sell API security; we sell the reflex of updating it faster than the attacker updates his payload."
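The property claimed for the signed bundle (a compromised bucket can withhold policy but not inject it, and withholding is itself alerted) depends on what each pulling node does with an unverifiable or stale download. The following is an added example, not the Alliance's pipeline or OPA's bundle verifier: HMAC-SHA256 stands in for the county's code-signing key (a real deployment verifies an asymmetric signature), and the bundle layout, the monotonic revision rule and the four-pull staleness threshold are assumptions made for this example.

```python
"""Added example, not the Alliance's pipeline: a pulling node that can only ever lose
updates, never gain forged policy, and that raises an alert when updates stop arriving."""
import hashlib
import hmac
import json
from typing import Optional

SIGNING_KEY = b"county-code-signing-key-PLACEHOLDER"  # placeholder, never a real key
STALE_AFTER_PULLS = 4  # assumed: four missed 30-second pulls (two minutes) raises an alert


def sign_bundle(bundle: dict, key: bytes = SIGNING_KEY) -> tuple:
    """Build step (CI side): canonical JSON bytes plus their signature."""
    blob = json.dumps(bundle, sort_keys=True, separators=(",", ":")).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


class BundleClient:
    """One Envoy node's view: last verified policy, its revision, pulls since a good one."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self.key = key
        self.policy: Optional[dict] = None
        self.revision = -1
        self.pulls_since_good = 0
        self.alerts: list = []

    def pull(self, blob: Optional[bytes], sig: Optional[str]) -> str:
        """One poll of the bucket. Returns 'applied', 'unchanged', 'rejected' or
        'unavailable'. The active policy changes only on a verified, strictly newer revision."""
        outcome = "unavailable"
        if blob is not None and sig is not None:
            expected = hmac.new(self.key, blob, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, sig):
                bundle = json.loads(blob)
                if bundle["revision"] > self.revision:
                    self.policy, self.revision = bundle, bundle["revision"]
                    self.pulls_since_good = 0
                    return "applied"
                if bundle["revision"] == self.revision:
                    self.pulls_since_good = 0
                    return "unchanged"
                outcome = "rejected"  # valid signature but older revision: a replay, not a downgrade
            else:
                outcome = "rejected"  # forged or tampered in the bucket
        # Anything other than a verified, current bundle counts as a missed update.
        self.pulls_since_good += 1
        if self.pulls_since_good == STALE_AFTER_PULLS:
            self.alerts.append(
                f"no valid bundle for {STALE_AFTER_PULLS} pulls; still enforcing revision {self.revision}"
            )
        return outcome


if __name__ == "__main__":
    client = BundleClient()
    blob, sig = sign_bundle({"revision": 1, "rules": {"max_body_bytes": 262144}})
    print(client.pull(blob, sig))                                  # applied
    print(client.pull(blob.replace(b"262144", b"999999999"), sig))  # rejected, cap unchanged
    for _ in range(STALE_AFTER_PULLS):
        client.pull(None, None)                                    # bucket emptied
    print(client.alerts)
```

The revision check matters as much as the signature: without it, an attacker holding the bucket could serve a genuinely signed but older bundle and quietly roll back a rule that was added last week.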
Logging and metrics are the final glue. We run a single-instance VictoriaMetrics TSDB that keeps 18 months of high-cardinality data on a 500 GB NVMe drive the size of a chocolate bar. Every log line from Envoy, Keycloak and OPA lands here via Vector, a lightweight Rust shipper that can buffer to disk if the network glitches during a night shift. A set of Grafana dashboards—pre-built, dark-theme, printable for the works council—shows request volume, error ratio and token-age histograms. More importantly, the same database feeds an anomaly detector that learns the weekly cadence of each plant: if the presses usually rest on Sunday and suddenly 4 000 POST requests arrive at 03:00, the system fires a webhook to the Alliance SOC and simultaneously pages the plant manager via the same SMS gateway that already warns when the coolant temperature spikes. The fusion of OT and IT alerting cultures is subtle but decisive: security events are handled with the same gravity as a broken spindle, which means they are actually handled.
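The weekly-cadence detector, as an added example rather than the Alliance's own implementation: a per-(weekday, hour) baseline fitted on hourly request counts, a threshold of mean plus a few standard deviations with an absolute floor so that an idle Sunday slot does not alert on a single stray request, and the two notification targets the text names. The plant load history, the floor of 50 requests and the four-sigma threshold are all constructed or assumed for this example.

```python
"""Added example, not the Alliance's detector: learn a plant's weekly rhythm from hourly
request counts and flag the Sunday-03:00 burst the text describes."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_FLOOR = 50   # assumed: never alert below this many requests in an hour
SIGMA = 4.0      # assumed: standard deviations above the slot mean that count as anomalous
NOTIFY = ["alliance_soc_webhook", "plant_manager_sms"]  # both targets fire together


class WeeklyBaseline:
    def __init__(self):
        self.slots = defaultdict(list)  # (weekday, hour) -> list of hourly counts seen

    def fit(self, samples):
        """samples: iterable of (datetime, request_count) for one plant."""
        for ts, n in samples:
            self.slots[(ts.weekday(), ts.hour)].append(n)
        return self

    def threshold(self, ts):
        """Highest count still considered normal for this weekday and hour."""
        hist = self.slots.get((ts.weekday(), ts.hour), [])
        if not hist:
            return MIN_FLOOR  # never-seen slot: fall back to the absolute floor
        return max(MIN_FLOOR, mean(hist) + SIGMA * pstdev(hist))

    def check(self, ts, count):
        """Return an alert dict for this hour's count, or None when within cadence."""
        limit = self.threshold(ts)
        if count > limit:
            return {
                "ts": ts.isoformat(),
                "count": count,
                "expected_max": round(limit, 1),
                "notify": list(NOTIFY),
            }
        return None


def synthetic_history(weeks=8, start=datetime(2025, 9, 1)):  # 2025-09-01 is a Monday
    """Constructed plant load: weekday shifts 06:00-22:00, Saturday half day, Sunday idle.
    The jitter is deterministic so the example runs identically every time."""
    out = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        wd, hr = ts.weekday(), ts.hour
        if wd <= 4 and 6 <= hr < 22:
            n = 280 + (h * 37) % 60
        elif wd == 5 and 6 <= hr < 14:
            n = 120 + (h * 11) % 30
        else:
            n = (h * 7) % 4  # a handful of keep-alives at most
        out.append((ts, n))
    return out


if __name__ == "__main__":
    baseline = WeeklyBaseline().fit(synthetic_history())
    sunday_0300 = datetime(2025, 11, 2, 3)   # a Sunday, presses resting
    print(baseline.check(sunday_0300, 4000))  # alert: expected_max 50, both targets notified
    tuesday_1000 = datetime(2025, 11, 4, 10)
    print(baseline.check(tuesday_1000, 330))  # None: ordinary shift load
```

The floor is the part worth tuning per plant: a slot whose history is all zeros has a standard deviation of zero, and without a floor the detector would page the manager for the first health check of the night.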
What makes the blueprint replicable is not the software itself but the packaging. Every component is pinned to a specific major version; every container image is mirrored into a registry hosted inside the county datacentre; and every Helm value has a commented default that references the local context—SMTP relay, syslog server, backup window. An SME downloads a single values.yaml, edits five lines, runs helm install and is production-grade in eleven minutes. We keep a public runner that tests the entire stack nightly against the latest upstream tags, so the maintenance burden is effectively socialised: when a CVE is published for Envoy, the patched image lands in the county registry before breakfast and the plant’s morning shift applies it during the scheduled maintenance slot they already use for firmware. The county thus behaves like an unpaid but well-equipped MSP, and the SMEs accept the implicit social contract: share your anonymised telemetry, receive zero-day patches for free.
The measurable outcome is difficult to dispute. In the last rolling quarter the 87 member plants fielded 43 million API calls, of which 1.2 million were blocked by schema violations and 14 000 triggered rate-limit caps. More importantly, not a single ransomware sample managed to pivot from a compromised reseller portal into the ERP layer, something that happened twice in 2023 and cost two weeks of downtime each. Insurance underwriters have taken note: the regional broker pool negotiated a 12 % reduction in cyber premiums for factories that can show a Grafana screenshot proving continuous OPA enforcement. That rebate alone covers the hardware cost in less than eighteen months, which means the economic argument no longer depends on idealism but on cash flow. Once security becomes a profit centre, procurement stops being a battle and turns into a routine, and that is the final security control: habit.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.