APIs (application programming interfaces) have proven perilous for modern enterprises’ identity security platforms. According to identity management and privileged access management solution provider Ping Identity, 25% of surveyed security experts say their enterprise has over 1,000 APIs. 45% say they aren’t confident in their security team’s ability to detect bad actors accessing their APIs. 51% aren’t sure their teams know about all the APIs on their network.
Now a new type of API is proving to be a challenge: REST APIs.
REST APIs are a new form of application access channels, representing the evolution of SOAP-based web services. In general, APIs allow applications’ internal logic, functions, and data to become available to outside clients in a contained and controlled environment, allowing value to be shared among multiple clients. REST APIs are essential to fulfilling the modern enterprises’ bring-your-own-devices culture, as they tend to be much more practical for mobile clients like native iOS or Android.
How can you extend your identity security platforms to your REST APIs? How can your identity security scale with your enterprise perimeter and REST APIs? To answer these questions, we read through the “How to Extend Identity Security to Your APIs” white paper by Ping Identity.
Here are some of our key findings from the “How to Extend Identity Security to Your APIs” white paper:
The Potential Dangers of Rest APIs
According to Ping Identity, in previous security schemes, REST APIs were often authenticated by passwords attached to client calls.
Unfortunately, this password authentication protocol comes with significant privacy issues. Among them is the difficulty in turning off access for a given client if the need arises—a fundamental component of modern identity and access management and identity governance solutions. Instead, shutting off access to REST APIs requires a full password change from users.
In addition, REST APIs stored passwords on mobile devices. However, this creates an identity security policy that cannot scale to accommodate the digital perimeter or the growth of the enterprise.
OAuth, SAML, and OpenID Connect
By contrast, token-based systems tend to scale far better with REST APIs than passwords do; they also tend to be far more secure as an authentication protocol. As a result, new security specifications such as OAuth and OpenID Connect are vital securing REST APIs.
As an example of how this works, Ping Identity takes a closer look at OAuth. OAuth 2.0 is an open standard protocol for authorization replacing usernames and passwords with access tokens.
Instead of presenting user credentials, users can use OAuth to present the token and thus improve their identity security. The APIs will validate the access token and return the information back to the mobile application.
The other benefits of OAuth over simple passwords include providing a granular consent model for enterprises’ identity security, defining multiple methods for acquiring access tokens, and leveraging HTTP headers.