What's the difference between an API gateway and XML gateway?

Question

I'm studying for the CCSP exam and am confused on the difference between an "API gateway" and "XML gateway". The training material I have states:

API gateways are also an important part of a layered security model. They can be used to impose such controls on API activity as

• Acting as an API proxy so as to not directly expose the API.
• Implementing access control to the API
• Limiting connections so that bandwidth is available for all applications, which can also help in the event of an internal DoS or DDoS attack.
• Allowing for API logging
• Allowing for metrics to be assembled from API access logs.
• Providing for additional API security filtering.

XML gateways work in much the same way, except they work around how sensitive data and services are exposed to APIs. They can be either software- or hardware-based and can implement some types of data loss prevention (DLP).

And that's it. I still don't get a good sense of what the difference is here. Can someone elaborate, ideally with a practical example?

I asked Mr. Google and got results for an Oracle product/feature but this seems much more like a generic industry tool.

Answer 1

A bit of an artificial distinction in my view. I am guessing that they are considering XML gateways to be document-based whereas they are considering API gateways to be record based. But this really is a guess because I would certainly not have a distinction between them.

An API is simply a documented mechanism for obtaining information via a service. What the API returns is part of the definition. API's might return JSON or XML or some other format, it makes no difference architecturally.

The point about DLP is also incorrect in that there is no reason why DLP shouldn't be applied to any API. However, in practice, DLP is mainly applied to documents (e.g. un- or semi-structured data). It doesn't have to be that way though.

Sorry, I realise that this does not exactly answer your question but hopefully, it at least adds some clarity.

Answer 2

I found a good explanation at: https://www.owasp.org/images/0/0c/InfoSec_World_2007_-_Web_services_gateways.ppt XML gateway is a XML firewall. API gateway can use plugins to do content inspection. it has the capability and is intended to do a lot more. e.g. provide authN and authZ material, host services. its primary purpose is not to inspect messages.