How to: Protect Your LLM APIs with Apigee & Model Armor Video Walkthrough

Introduction

The transformative power of Generative AI and Large Language Models (LLMs) is undeniable. We're seeing incredible innovation as businesses integrate these technologies into their applications. However, this exciting frontier also introduces critical considerations around security, safety, and manageability, particularly when exposing LLM capabilities through APIs.

As we've been working with customers here at Google Cloud, a common theme emerges: how do we embrace the potential of LLMs while mitigating the inherent risks? That's where the powerful combination of Apigee, Google Cloud's API management platform, and Model Armor, Google Cloud's dedicated AI safety guardrail service, comes into play.

The Dual Challenge: LLM Power and API Vulnerabilities

LLM APIs present a unique duality. On one hand, they unlock unprecedented opportunities for customer interaction, automation, and insights. On the other, they can become new attack vectors if not properly secured. Concerns like prompt injection attacks (a significant OWASP Top 10 risk for LLMs) and the potential for generating harmful or inappropriate and sensitive content are top of mind for organizations venturing into this space.

Apigee: Your Strategic Control Point for LLM APIs

For those already leveraging Apigee to manage their traditional APIs, extending its capabilities to your LLM workloads offers a familiar and robust solution. Apigee acts as a vital control plane, providing:

• Robust API Gateway Capabilities: Serving as the first line of defense for your LLM endpoints, managing traffic, and enforcing policies.
• Enhanced Security Posture: Implementing authentication, authorization (coarse or fine grained access control), and threat protection to safeguard your LLM APIs from common web vulnerabilities.
• Intelligent Traffic Management: Optimizing performance through routing and caching strategies.
• Cost Governance: Enabling the enforcement of usage limits to manage the operational expenses associated with LLM consumption.
• Comprehensive Observability: Providing insights into API usage, performance, and potential issues.

Introducing Model Armor: Layering in AI-Specific Safety

While Apigee provides a strong foundation for API security, Model Armor adds a crucial layer of intelligence specifically designed to address the unique safety challenges posed by LLMs. This fully managed Google Cloud service acts as a dedicated guardian for your AI applications by meticulously screening both incoming prompts and outgoing responses.

Think of Model Armor as your AI-aware security expert, offering:

• Model and Cloud Agnostic Protection: Designed to work with a wide range of LLMs (like Gemini, Llama, GPT-4) and across different cloud environments.
• Proactive Safety Measures: Identifying and mitigating risks like prompt injection attempts before they can be exploited.
• Content Policy Enforcement: Ensuring that LLM-generated content aligns with your organization's standards by filtering out harmful, inappropriate, or unwanted responses.
• Sensitive Data Protection (DLP): Preventing the accidental or malicious leakage of sensitive information within LLM interactions.
• Detection of Malicious/Sensitive Content: Identifying potentially harmful URLs and screening PDF content for malicious and sensitive elements.

The Synergistic Power of Apigee and Model Armor

The true strength lies in the seamless integration of Apigee and Model Armor. Apigee provides the framework for API management and policy enforcement, while Model Armor brings the AI-specific intelligence to analyze the content flowing through those APIs.

Here's a glimpse into how they work together:

1. A user's request, containing a prompt for the LLM, is routed through Apigee.
2. Leveraging Apigee's flexible policy engine (currently via the Service Callout policy), the prompt is sent to the Model Armor’s sanitizeUserPrompt REST API for inspection/sanitization.
3. Model Armor analyzes the prompt for potential security and safety risks.
4. The (potentially sanitized) prompt is then forwarded to the designated LLM.
5. The LLM generates a response, which again passes through Apigee.
6. Apigee, through another Service Callout policy, sends the LLM's response to the Model Armor’s sanitizeModelResponse REST API for analysis.
7. Model Armor evaluates the response against your defined safety policies.
8. Based on Model Armor's findings, Apigee can enforce policies to allow, block, or even modify the response before it reaches the end user.
9. Apigee can log the Model Armor response whenever it detects such content which can help with some additional analysis for tuning, updating the template, etc

We're particularly excited about the upcoming release of a dedicated Apigee Model Armor policy, which will further streamline this integration and make it even easier to implement robust AI safety measures.

Securing Your AI Future, Today

As you embark on your generative AI journey, prioritizing security and safety is paramount. Apigee and Model Armor provide a comprehensive and integrated solution to address these critical needs. By leveraging the API management expertise of Apigee and the AI-specific protection of Model Armor, you can confidently build innovative applications while safeguarding your organization and your users.

Stay tuned for more updates on the dedicated Apigee Model Armor policy. In the meantime, we encourage you to explore the capabilities of both platforms and discover how they can empower your AI initiatives.

Learn More:

• Explore Apigee: https://cloud.google.com/apigee/docs/api-platform/get-started/what-apigee 
• Discover Model Armor: https://cloud.google.com/security-command-center/docs/model-armor-overview 
• Watch the youtube video aligned with this article here: How to: Protect Your LLM APIs with Apigee & Model Armor
• To try this out yourself check : Apigee & Model Armor Sample
• Watch our webinar on Building and Scaling Generative AI with Apigee API management: Building & Scaling Generative AI with Apigee API Management

We're excited to see the innovative and secure AI applications you'll build with Apigee and Model Armor!