Almost every week it happens: The press reports that data had been stolen. Hackers specifically look for security vulnerabilities and, if there are any, they find them. Since APIs act as machine identities that authenticate links between different systems, they enable people and programs to access sensitive data—and are therefore particularly worth protecting. Because APIs have a mutual authentication between both endpoints, central managing and automatic deployment to all endpoints in the systems is a key factor for a permanent secure communication. In this blog post, we look at how you can successfully protect your APIs.
There is currently no automated solution for machine identities in API gateways. Hear Waldemar on how APIIDA and Venafi plan to change that.
For protection to succeed, organizations must take precautions:
Documenting access routes to data, both internally and externally, is an important first step. In addition, your own resources must be categorized according to their relevance in order to correctly assess potential dangers. In doing so, additional attention must be paid to industry-specific regulations.
It is also important that employees are continuously trained by the IT security officer or the CISO so that everyone in the company internalizes the issue of security and reports any security gaps.
Reporting should be as simple as possible for the employees, ideally with the help of a so-called bug bounty program. Here the reporting of discovered security gaps is rewarded with financial rewards (instead of penal threats). This attracts so-called white hat hackers, who may then support your own employees in the future.
Prioritization: Which APIs are particularly worth protecting?
There are often countless APIs in companies – some of which give people and programs access to highly sensitive data and some do not. Of course, high security requirements apply to the former. But the first thing to do is to identify them! Also, APIs that companies make available to their customers must always deliver data reliably, as well as securely.
In order to increase the overall security, it is advisable to set up guidelines, how to secure all APIs in the company:
- No data transmission without transport encryption via TLS (min. TLS 1.2).
- Anonymous access only for general APIs that do not require special protection.
- Data economy: No data is transferred that does not need to be transferred. Customer data should not be filtered using the web application, but already the backend. If your backend doesn’t support this, various API Management solutions can help you.
- Use of established API management products and their functionalities to protect against standard attack paths such as SQL injection. Furthermore, risk-based metrics such as location or time can be included.
- Clear code guidelines and applied test structures before APIs are published.
In summary, this can be said: APIs that are particularly worth protecting are those that allow access to sensitive data of your company organization (customer data, credit data, …) as well as those that you make available to your customers!
Once the most important APIs have been identified in the company, external access must be restricted. The following steps will help here:
- Identification: Who wants to access the API?
- Authentication: Can the claimed identity of the person accessing the API be proven?
- Authorization: Is this identity allowed to perform this access at all?
Proven measures – What you can do:
- Use API keys for identification. API keys are long, alphanumeric strings that can uniquely identify a service or a user. Access rights can be easily granted or revoked using API keys. They are easy to manage and an excellent way to determine identities.
- Basic Authentication is a simple way and often used variant for authentication. For this, a username and password will be used. From a security perspective, however, this is not the best method. If stronger protection measures are needed, federation protocols are recommended. The best known are SAML 2.0 and OAuth2 in conjunction with Open ID Connect. The latter combination is particularly suitable for new developments.
- Ensure that your WLAN and telecommunication network is securely encrypted. You can guarantee this with TLS and certificates for all connections.
- The use of quotas is also important. They can be defined based on the API Keys in order to defend from attacks or to prevent faulty applications from gaining access at an early stage.
The use of API management solutions such as Broadcom Layer7 API Management in combination with APIIDA API Gateway Manager will also help you to ensure the security of your APIs. Combining the APIIDA solution with Venafi Machine Identity Management for secure communication with verified authentication is the way to secure your APIs.
Visit APIIDA on the Venafi Marketplace to download their Adaptable Driver and to learn more about API Gateway Automation integrations for the Adaptable Driver as well as the APIIDA API Gateway Manager integration.