Despite increasing cloud adoption, many organizations continue to operate with hybrid multicloud strategies. According to the 2026 State of Application Strategy Report, 93% of organizations now run hybrid environments, with 86% deploying apps across on-premises, public cloud, and colocation infrastructure.
But the blend of environments isn't uniform across organizations. In highly regulated industries like banking, healthcare, and government, as well as in regions with strict data sovereignty laws, a significant portion of apps and sensitive data remains on-premises or even in completely air-gapped environments.
Not all apps and data are moving to the cloud
Why? A growing array of concerns—including compliance mandates, security, cost management, and resilience—are driving organizations to retain hybrid and on-premises app architectures. Regulatory frameworks such as the Digital Operational Resilience Act (DORA), Network and Information Systems 2022/2555 (NIS2), the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and emerging national sovereignty mandates demand strict governance over where data resides and how it's controlled. These regulations often necessitate storing critical apps and sensitive data within enforceable local boundaries.
Additionally, organizations are reevaluating the economics of the cloud. Challenges like rising consumption costs, data egress fees, and operational complexities are leading some workloads to transition back to on-premises or private cloud environments for greater predictability, oversight, and cost efficiency.
AI-driven workloads are further accelerating this trend. As the size of datasets grows, the cost and risks associated with moving data between environments increase. "Data gravity" is pulling compute closer to data already stored on-premises, reinforcing architectures that prioritize sovereignty, governance, performance, and security.
On-premises doesn’t mean "safe"
Keeping apps and data on-premises or air-gapped doesn’t inherently eliminate all security risks. In fact, internal APIs often suffer from reduced governance and visibility, creating vulnerabilities that can be exploited.
Internal APIs are the critical lifelines of modern apps (both private and public), connecting internal systems, applications, and data. However, unlike public-facing APIs, internal APIs can fly under the radar without sufficient monitoring or protections.
This security oversight makes them attractive targets. Bad actors, including malicious insiders or external attackers, can exploit vulnerabilities like weak access controls or insufficient authentication, leading to:
- Lateral movement within the network, granting access to sensitive systems and data.
- Privilege escalation, enabling attackers to control critical resources.
- Operational disruptions that harm critical workflows.
- Large-scale theft of sensitive information, including personal identifiable information (PII) or intellectual property.
Powering the flow of data between applications and systems, internal APIs form the backbone of modern digital operations—and require the same rigorous protection as their external counterparts. Neglecting these APIs could become an organization's Achilles' heel, allowing attackers to move unseen within critical systems, accessing and exfiltrating sensitive data completely unnoticed.
Addressing the hidden risks of internal APIs
F5 understands the significant risks associated with internal APIs, which is why it has developed a tailored solution: F5 API Security Local Edition.
This new deployable software solution helps organizations discover APIs and analyze API activity within local environments without relying on external connectivity or cloud-based services.
It provides critical visibility, governance, and oversight for APIs operating in air-gapped, regulated, or cloud-constrained environments. Organizations with deployed F5 BIG-IP appliances or software can gain actionable insights into their APIs—including potential security risks—through existing traffic paths.
Designed to run entirely within containers on an organization’s own infrastructure, API Security Local Edition offers lightweight, passive API discovery based on traffic-derived API data sampled from BIG-IP. It is purpose-built for air-gapped environments, with local storage, analysis, and operational control that requires no external connections to operate. It provides organizations critical API security capabilities deployed anywhere—be it within their data center(s), private cloud(s) and/or air-gapped environments. The solution gives them critical visibility and oversight to protect APIs that enable important systems, workflows, and access to or transmission of sensitive data—reducing opportunities for unauthorized access, unknown lateral movement, or data theft within their critical app ecosystem(s).
Secure and control internal APIs
In today’s complex application ecosystems, securing private, internal APIs is no longer optional—it’s essential. API security risks persist even in on-premises data centers, private clouds, and air-gapped environments. Just like their external/public APIs, neglected internal/private APIs can become hidden vulnerabilities, putting your most critical systems and sensitive data at risk.
Don’t let the illusion of security for these APIs become your Achilles’ heel. Discover how API Security Local Edition empowers organizations like yours to gain crucial visibility, governance, and control over API activity across these important environments.
To learn more about API Security Local Edition, read the solution overview. Also, be sure to check out our press release.
About the Author
Related Blog Posts
Kubernetes-native WAF for the gateway era: F5 WAF for NGINX now integrates with F5 NGINX Gateway Fabric
F5 extends WAFs to deliver consistent, scalable protection across clusters and environments with F5 NGINX Gateway Fabric and F5 NGINX Ingress Controller.
From dashboard fatigue to operational excellence: Why XOps needs F5 Insight for ADSP
Learn how F5 Insight for ADSP lays the visibility foundation for XOps—turning fragmented signals across applications and infrastructure into actionable intelligence.
The hidden cost of unmanaged AI infrastructure
AI platforms don’t lose value because of models. They lose value because of instability. See how intelligent traffic management improves token throughput while protecting expensive GPU infrastructure.
Govern your AI present and anticipate your AI future
Learn from our field CISO, Chuck Herrin, how to prepare for the new challenge of securing AI models and agents.
F5 recognized as one of the Emerging Visionaries in the Emerging Market Quadrant of the 2025 Gartner® Innovation Guide for Generative AI Engineering
We’re excited to share that F5 has been recognized in 2025 Gartner Emerging Market Quadrant(eMQ) for Generative AI Engineering.
Self-Hosting vs. Models-as-a-Service: The Runtime Security Tradeoff
As GenAI systems continue to move from experimental pilots to enterprise-wide deployments, one architectural choice carries significant weight: how will your organization deploy runtime-based capabilities?