API security is a crucial element of an organization’s cybersecurity strategy. Organizations use Application Programming Interfaces (APIs) to connect the data and functionality of their applications to other internal systems and applications, as well as to those managed by third-party developers, business partners and other entities. These connections let applications communicate with each other, share data and use common services, which helps deliver and streamline functionality for users.
The Open Web Application Security Project (OWASP) ranks broken authorization and broken authentication as the top two API security risks. API authentication and authorization rely on machine identities, such as API keys, tokens and certificates, that can be stolen and misused.
What are the authentication and authorization risks to APIs?
Kevin Bocek, VP, Security Strategy & Threat Intelligence at Venafi, noted in a recent webinar that “all businesses are now software companies.” The operations of these “software companies” depend on APIs that connect an increasingly complex web of critical infrastructure. But APIs that are not properly secured also create risk: they can expose sensitive data, including personally identifiable information, and the resulting security incidents can disrupt an organization’s operations. OWASP is right when it says, “Without secure APIs, rapid innovation would be impossible.”
The OWASP API Security Top 10 list for 2019 includes three threats to API security closely related to authentication and authorization.
- API1:2019 Broken Object Level Authorization. Object level authorization is the check, performed in every function that accesses data using an identifier supplied by the client, that the caller is actually allowed to access that particular object. When an API skips or misapplies this check, an attacker can read or modify other users’ data simply by substituting a different object ID in the request.
- API2:2019 Broken User Authentication. Poor or weak authentication mechanisms allow attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities, temporarily or permanently. Once a system can no longer reliably identify the user, every downstream API security control is undermined.
- API5:2019 Broken Function Level Authorization. Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
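As an added example, not code from the original article or from OWASP, the three risks above in one minimal Python service with no web framework: an HMAC-SHA256 signed bearer token stands in for the authentication mechanism of API2, and the object-level (API1) and function-level (API5) authorization checks are each shown in a vulnerable and a hardened form. The signing key, the users and orders tables, and the token format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: in production the signing key comes from a secrets manager, not source code.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Constructed sample data standing in for the identity store and a resource table.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
ORDERS = {101: {"owner": "alice", "item": "laptop"}, 102: {"owner": "bob", "item": "phone"}}


class Unauthorized(Exception):
    """API2: the caller could not be identified (HTTP 401)."""


class Forbidden(Exception):
    """API1/API5: the caller is identified but not allowed (HTTP 403)."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a bearer token of the form base64(claims).base64(hmac_tag)."""
    now = time.time() if now is None else now
    claims = _b64(json.dumps({"sub": user, "exp": int(now + ttl)}).encode())
    tag = hmac.new(SIGNING_KEY, claims.encode(), hashlib.sha256).digest()
    return f"{claims}.{_b64(tag)}"


def authenticate(token: str, now: Optional[float] = None) -> str:
    """Return the subject of a valid token or raise Unauthorized.

    The tag is verified with a constant-time compare before any claim is
    trusted; malformed, expired and unknown-subject tokens are all rejected."""
    now = time.time() if now is None else now
    try:
        claims_b64, tag_b64 = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, claims_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag_b64), expected):
            raise Unauthorized("bad signature")
        claims = json.loads(_unb64(claims_b64))
        sub, exp = claims["sub"], int(claims["exp"])
    except (ValueError, TypeError, KeyError):  # split, base64, JSON or shape failures
        raise Unauthorized("malformed token")
    if not isinstance(sub, str) or sub not in USERS or exp < now:
        raise Unauthorized("expired or unknown subject")
    return sub


# API1, vulnerable: the handler authenticates the caller but trusts the
# client-supplied object id, so any logged-in user can read any order.
def get_order_vulnerable(token: str, order_id: int) -> dict:
    authenticate(token)
    return ORDERS[order_id]


# API1, hardened: look the object up, then confirm the caller owns it.
def get_order(token: str, order_id: int) -> dict:
    caller = authenticate(token)
    order = ORDERS.get(order_id)
    # Same answer for "missing" and "not yours", so ids cannot be enumerated.
    if order is None or order["owner"] != caller:
        raise Forbidden(f"order {order_id}")
    return order


# API5, vulnerable: an administrative function reachable by anyone logged in.
def list_users_vulnerable(token: str) -> list:
    authenticate(token)
    return sorted(USERS)


# API5, hardened: the same function also checks the caller's role.
def list_users(token: str) -> list:
    caller = authenticate(token)
    if USERS[caller] != "admin":
        raise Forbidden("admin only")
    return sorted(USERS)


if __name__ == "__main__":
    alice = issue_token("alice")
    print("BOLA:", get_order_vulnerable(alice, 102))  # alice reads bob's order
    for call in (lambda: get_order(alice, 102), lambda: list_users(alice)):
        try:
            call()
        except Forbidden as exc:
            print("blocked:", exc)
    print("admin:", list_users(issue_token("carol")))
```

The hardened handlers return the same 403 for an object that does not exist and one that belongs to someone else; a distinct 404 would let an attacker map which IDs are live. In a real service the role lookup and the ownership check would be done against the same store the token was issued from, not against values carried inside the token.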
Unauthenticated APIs, or APIs with weak authentication, leave gaps that threaten the confidentiality and integrity of the data passing through them. But given that 95% of API exploits are carried out against authenticated APIs, authentication alone is plainly not enough: API security needs a holistic approach that includes extensive runtime protections.
Authentication and authorization still form the foundation. For example, an external attacker can take over an account protected by weak authentication controls and then abuse missing authorization checks to pull data from the API. A malicious insider who already holds a valid account can skip the first step and do the same thing if the authorization checks are missing.
How machine identity management can help secure APIs
APIs, as well as other non-human entities, like IoT devices and containers, need to be properly identified to ensure the authenticity and integrity of communications. It is just as important to validate the identities of APIs as it is for other types of machines. Salt Security, in its API Security Checklist, notes that “When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities.”
APIs need an established identity, which usually takes the form of a digital certificate and its cryptographic key pair. These credentials let protocols such as TLS (underneath HTTPS) and SSH authenticate the API endpoint to its callers and, with mutual TLS, authenticate the calling machine to the API. Once verified, the API can communicate securely with other APIs, establish trust, and gain authorized access to networks and resources.
Keeping track of the machine identities of all the APIs an organization uses, and ensuring each one carries only the access permissions it needs, requires a machine identity management program that explicitly covers APIs. The scale of API usage driven by digital transformation makes this unavoidable: a person may log in only once to check an online account, but behind the scenes potentially hundreds of machines must authenticate to one another to fulfill that request.
An important ingredient in effective machine identity management for APIs is the ability to automate machine identities across multiple API gateways. API gateways are central to digital transformation strategies and consume large numbers of machine identities, in the form of TLS keys and certificates, to establish trust and privacy. But API gateways do not include sophisticated machine identity management: they give security teams no intelligence about how those identities are being used, and they give network operations teams no automation for the time-consuming and error-prone tasks of the TLS certificate lifecycle.
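As an added example, not from the article or any vendor's product, the Python ssl module configured for mutual TLS, which is how an API's certificate and key pair become an identity that the peer actually verifies rather than merely presents. The default server context is kept beside the hardened ones for contrast: it offers the API's own certificate but never asks the caller for one. The CA bundle, certificate and key paths are assumed placeholders.

```python
import ssl
from typing import Optional


def weak_server_context() -> ssl.SSLContext:
    """Default server context: the API presents its certificate, but the
    caller is never asked for one (verify_mode is CERT_NONE), so the machine
    on the other end of the connection is not identified at all."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def mtls_server_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server side of mutual TLS: require a client certificate and verify it
    against the CA that issues the organization's machine identities. The TLS
    floor is pinned explicitly so it does not depend on the interpreter or
    OpenSSL build defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:  # assumption: PEM bundle of the internal machine-identity CA
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def mtls_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client side: verify the API's certificate chain and hostname; the
    client's own identity is attached with load_identity() before connecting."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def load_identity(ctx: ssl.SSLContext, certfile: str, keyfile: str) -> ssl.SSLContext:
    """Attach this machine's certificate and private key to a context.
    Paths are placeholders; the key should come from a managed store or HSM."""
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that decide whether the peer is identified."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("default server :", describe(weak_server_context()))
    print("mTLS server    :", describe(mtls_server_context("/etc/pki/internal-ca.pem")))
    print("mTLS client    :", describe(mtls_client_context("/etc/pki/internal-ca.pem")))
    # Wrapping a socket with these contexts is the same as for one-way TLS, e.g.
    # load_identity(mtls_server_context(ca), "api.crt", "api.key").wrap_socket(sock, server_side=True)
```

With `CERT_REQUIRED` on the server side, a caller that presents no certificate, or one not chaining to the loaded CA, fails the handshake before a single API request is parsed; that is the point at which a gateway's stock of TLS keys and certificates turns into enforced machine identity, and also why expired or revoked certificates in that stock turn into outages unless their lifecycle is automated.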
Organizations need a mix of tactics to protect APIs. Authentication and authorization are just two important components of robust API security and should be leveraged together with controls such as API visibility, baselining API behavior for anomaly detection, and attack prevention to ensure that API-based data and services stay protected.
As far as machine identity management for APIs is concerned, Salt Security paves the path forward: “Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.”