In recent years businesses have changed their ways in which they engage, connect with, and serve customers. Application programming interfaces (APIs) allow applications to connect, and API-first development helps enterprises to provide connected experiences to their users and enter into software ecosystems. Nowadays software ecosystems cover billions of users along with opportunities for unprecedented economies of scale. Business opportunities started largely rely on digital connections that makes each point of interaction a potential source of business leverage and a potential source of risk. In this blog we discuss about various security considerations for APIs.
Why API Security Important ?
Enterprises have long relied on security techniques such as “Walled Garden” that no longer provide sufficient protection now. We have web applications that offer connected customer experiences include multi cloud services or assemble software from multiple companies. Network perimeter concept no longer applicable to those applications. So digital connections or APIs between applications need to be managed and secured. At the same time developer flexibility to build connected customer experience should not be compromised.
Here, what we require is a “no trust” environment that could identify any threat comes from any communication and enabling those communication with little friction. Even though business opportunities posed by APIs are exciting for enterprise leaders and connected experience is attracting consumers, the way this connected experience is built has changed the enterprise security landscape. A robust security layer can be built by leveraging APIs. But enterprises have to execute it well. Existing security methodologies are giving more opportunities to attackers as they don’t address well the issues posed by today’s technology landscape. Nowadays APIs are among the biggest emerging attack vectors for attackers due to inconsistent precautions.
Conventional API Security Models
At the beginning web applications used cookies and network perimeter for security. Gradually web applications became more complicated. In a later stage developers started using reusable components and all the components were deployed as a single application in the same container. Then sticky sessions came into practice for helping enterprises to manage scale. Multi tier architecture provided scalability along with better digital experiences. However the security paradigm always had a reliance on the network perimeter. A dominant security technique was “Walled gardens”.
Today, the situation has changed. Enterprises are trying to provide the experiences that customers demand. However traditional application development techniques cannot support it. Modern application development approaches along with agility and feature richness they provide do not support fading security methods. Modern applications are developed by many pieces attached via APIs. UI and business logic are detached. Components of user experience may be deployed inside the enterprise and outside. Now applications are being developed differently for richer experiences and faster, more responsive development. So it obviates many aging security approaches.
For faster and more efficient application development, businesses started investing on microservices. In microservices architecture servers are embedded to the applications. Now tasks such as authentication, authorization, and session management which were previously handled by application servers have come to each microservice. End user experience relies on component interactions and hence those interactions need to be secured.
Concept of network perimeter is meaningless in modern distributed architectures like Multi Cloud. An API layer can make interactions between users and backends secure. Irrespective of the location where an API is deployed, it should be managed and secured.
Make Every Interaction Secure
APIs should be well consistent, intuitive and well documented. Such well designed APIs will be easy to consume for developers. APIs should be thought of as products that helps developers to work responsively and agilely. Also makes leveraging of digital assets easier.
- Stick on to basics
By following basic best practices, a strong software architecture can be established from the beginning and future complications can be mitigated. Apart from rudimentary testing, code and security reviews need to be conducted to find vulnerabilities before they make any impact and to ensure that security defects identified in one part of an API program are documented and don’t reoccur in another part. Helpful API users can find many security problems.
- Trade off between protection and ease of use
APIs normally expose an organization’s valuable data and functionality. Each API needs to be secured. Digital ecosystems and trillions of interactions across billions of endpoints are fueling the business. Curbing the developers for protecting an enterprise will defeat the whole point. To mediate access, monitor usage, automate sign up, onboarding, authentication, and education API management can be used.
- User Authentication
End user and application authentication should be properly provided by secured APIs. OAuth is widely used for API security and it enables token based authentication and authorization. OAuth provides limited access to a protected resource without requiring user login credentials.
OAuth permits a client that interacts with an API, to get a token for some credentials. Token gives the client access to the API. A single application on a single device can be identified by a token. Compared to password scope of the access is limited. Applying OAuth is difficult. API team should have a clear understanding of OAuth capabilities and and authentication best practices. For all critical applications OAuth authentication needs to be built.
OAuth can support application credentials for server-to-server interaction and in this scenario API has to verify both user and application. Absolute protection is not feasible here as anyone with application credentials can access and exploit it. Implementing API monitoring along with other management capabilities is a solution for this.
Though there are many ways to use OAuth, businesses can use API management platforms to generate OAuth tokens to have a granular control over the token. Such platforms can also implement concepts such as Role Based Access Control which assigns different levels of API access and privileges to user types.
- Validate Use Input
APIs need to ensure that user inputs that match expected parameters only are allowed. Implementing input validation is a best defense against SQL injection, cross-site scripting and other common threats. OpenAPI or Swagger specifications can be used to define input and output of APIs with uniform input validation processes. Also consistency can be achieved by using shared libraries and some API management platforms offer policies for input validation. Validation behavior needs to be monitored and reported to help understand the attacker’s methods.
- Use TLS for data in transit
“Transport Layer Encryption” is a cryptographic protocol that ensures API interactions use https. TLS helps to protect network traffic using an encrypted channel between server and client. It is the easiest method to ensure sensitive information is secured from attacks while data is in transit. In many ways TLS is the foundation of API security.
- Monitor and analyze API traffic
Monitoring is essential for protecting APIs and its supported connected experiences. Operations team can notice peculiar situations which are not detected by security professionals while monitoring traffic. If any signs of abuse are watched, API team can revoke access of users who are breaking the rules to protect the digital assets. Monitoring can find patterns by mining API traffic and convey it to stakeholders. It will help to keep APIs online and its security to another level. Monitoring helps IT operations teams to make near real-time decisions.
Additionally, Analytics understands what is trending and the information is used to improve decision-making. same traffic data mean that API monitoring and analytics solutions are applied on same traffic data and can support predictive analysis, diagnostics, alerting, and actionability. API management platforms can help business to take actions based on traffic data and analysis.
- Use rate limits
Applying rate limits is an additional API security. This is very useful against brute-force attack. Rate limits help to keep control of digital assets and secure supported customer experiences and privacy when such attacks occur. API management platforms offer rate limits using which API team can set threshold that triggers spike arrest to protect backends from the attacks.
- Identify and block bad bots
Good bots are useful for API-powered connected experiences, however bad bots are a threat to a connected digital ecosystem. Bad actors also tries to leverage automation. Businesses should be able to identify where the API calls are coming from. Is it from a legitimate users or not ?
- Prioritize usability of API management capabilities
One objective of API management and security is to regulate distributed digital assets in a unified way. The health of an API program often relies on effective handoffs between security and operations teams. API management platform capabilities such as monitoring and analytics should be assessed as they can actually expedite solutions to business problems. Dashboard and reporting capabilities must provide a quick insight as well as granular view of the details.
Safeguard The Business
To assess the strength of a business’s API security, a range of capabilities need to be considered:
- Governance and compliance: Regulatory standards and encryption must be met and basic complications need to be avoided.
- Authentication: Enterprise should be able to control API accesses.
- Automated bot protection: Enterprise should be able to control what the user is allowed to do.
- Anomaly detection: Suspicious behavior should be detected automatically.
- Protection of backends: Automatic detection of problems and application of solutions.
- Quick optionality and actionality: Enterprise should quickly isolate and remediate problems.
Security and agility must be balanced and businesses want to provide connected experiences to customers should not prioritize one over the other. Each API and interaction need to be secured and at the same time users should get enough flexibility to interact. Businesses that provide connected experiences to their users by leveraging APIs should put themselves in the best position to grow.