Protect Yourself: Five Fundamentals for API Security
Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Will Au of Jitterbit schools us on the fundamentals of API security, including types of attacks and five best practices every team should know.
Data is more abundant than ever, and with it comes a vital need: security. Data security remains a top priority for businesses, even as external economic factors shape how organizations think and where they allocate budget. Reliance on data to innovate and cut costs is leaving many organizations far more exposed to breaches than they realize.
As businesses continue to transform their monolithic systems into microservices, APIs play a significant role in helping them do more with less. That said, APIs are prone to their own vulnerabilities that, if left unchecked, can cause a number of issues that negatively affect the bottom line, including downtime, customer dissatisfaction, and damaged reputations.
API Security Fundamentals
Types of API Attacks
There are many ways malicious actors can attack APIs, but some of the most common include the following:
- Distributed Denial of Service (DDoS) Attacks: Perhaps the best-known type of attack, a DDoS floods an API with enormous volumes of requests or connections from many sources at once. This exhausts the API layer and the backend systems that serve it, degrading or taking down the service; rate limits and per-client quotas enforced at the gateway are the usual first line of defense.
- Man in the Middle (MITM) Attacks: Just as the name indicates, a MITM attack is when a third party secretly intercepts the traffic between a client and an API endpoint in order to read or alter sensitive information. It typically succeeds only where the client does not verify the server’s TLS certificate, or where traffic leaves TLS entirely.
- Token or API key mismanagement: Tokens and API keys are legitimate credentials, and most are bearer credentials: whoever holds one gets the access it grants. If they are leaked (committed to a repository, written to logs, embedded in a mobile or browser client), over-scoped, or never rotated, unauthorized users can reach sensitive systems.
- Easy-to-access credentials: Usernames and passwords are often hard-coded into config files or source code. Stored in plaintext they are trivially compromised by anyone who can read the file or the repository; they belong in a secrets manager or are injected at deploy time, never in code.
API Security Best Practices
Applied carefully, the following best practices let businesses use API integration and related technologies to protect themselves against cyber-attacks.
Assess Your Organization’s Procedures and Infrastructure
It’s vital to know your potential vulnerabilities when it comes to data security. However, this can be understandably complicated considering the growing number of interconnected APIs and microservices utilized across multiple on-premises and cloud environments. There are two main views to gauge initially:
- Customer-Facing APIs: Using APIs, businesses can share data with external consumers without giving them direct access to the underlying system or database. Businesses obviously don’t want outsiders to have direct access to databases or other internal systems; instead, they offer curated access and expose only selected pieces of information through APIs, such as basic customer location info. Opening up a segment of your database through an API ensures that users don’t have access to your whole system, but the portion you do expose still needs to be secured: every call authenticated, authorized down to the record it touches, rate-limited and logged.
- APIs for Internal Use: Across all departments, more and more systems are moving to the cloud. The low barrier to adopting cloud services means departments need little involvement from IT, so any employee can choose and use a ‘best in breed’ cloud service. Rather than granting every employee in every department access to many services, which becomes an administrative nightmare, IT should keep those services in sync through APIs and grant access only to what is needed, and no more.
Failure to account for vulnerabilities in your infrastructure — both internally and externally — leaves you susceptible to attacks. The key here is to work with your internal security and compliance teams to develop a complete set of policies and guidelines. Some organizations may also need to factor in regulatory requirements, such as CCPA in California or HIPAA in the healthcare industry, and make sure security policies are in compliance.
Be Vigilant When Storing Data in the Cloud
There is a sense that moving to a cloud offering makes you more susceptible to breaches, but that perception comes from the loss of direct control, visibility and influence. Moving services to the cloud can provide a level of platform security that most organizations cannot duplicate on site, because they lack the financial and staffing resources to match it. That said, under the shared-responsibility model the provider secures the platform while you remain responsible for your own configuration, identities, data and APIs, so there are ways to increase security in the cloud further by turning your attention to APIs.
Limit User Access to Relevant Data Only
Different departments and users within an organization need different levels of access to systems and data, and that access should be limited to what their position and job function require. For example, a developer typically doesn’t need full access to the human resources or accounting systems. Limiting access this way lowers the chances that sensitive data will be accidentally exposed, and it caps the damage a stolen credential can do. If a user does need access to a system they don’t normally use, grant a special, time-limited permission that expires on its own rather than a permanent one.
Make Multi-Factor Authentication Mandatory
In today’s environment, basic usernames and passwords are no longer enough. Require a second factor (2FA) for user logins, and put authentication behind an identity provider using OAuth 2.0 (with OpenID Connect for identity) so that APIs receive short-lived, scoped access tokens rather than passwords. Note that OAuth 2.0 is an authorization framework: it does not itself perform MFA. The identity provider enforces the second factor, and the API should check the token it receives (for instance the amr claim, which records how the user authenticated) before granting access to sensitive scopes. To do so, you’ll need to ensure your API gateway, services and clients support OAuth 2.0 with your identity provider.
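The two practices above, limiting each user to the scopes their job needs and making MFA mandatory, come together at the point where an API checks a bearer token. The following is an added example written for this article, not Jitterbit code or any vendor’s product: a minimal resource-server check of an OAuth 2.0 access token issued as a JWT. The issuer, audience and shared secret are hypothetical and constructed for the example; HS256 is used only so the block runs stand-alone, whereas a real identity provider would sign with an asymmetric key published through its JWKS endpoint. It also shows two things an attacker will try against such a check, editing the claims of a real token and submitting an unsigned alg=none token, and why pinning the algorithm and verifying the signature before believing any claim defeats both.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identity provider and API names, and a secret constructed for
# this example.  A real IdP would sign with an asymmetric key published via
# its JWKS endpoint; HS256 is used here so the block runs stand-alone.
ISSUER = "https://idp.example"
AUDIENCE = "https://api.example/hr"
SECRET = b"example-only-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def issue_token(subject, scopes, amr, ttl=300, now=None):
    """What the IdP does after a successful login: mint a short-lived JWT.
    `amr` (RFC 8176) lists the authentication methods used; "mfa" means a
    second factor was involved."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now,
              "exp": now + ttl, "scope": " ".join(scopes), "amr": amr}
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize(token, required_scope, require_mfa=True, now=None):
    """What the API does on every request.  Returns "allow" or "deny: <reason>".
    Order matters: cheap structural checks, then the signature, and only then
    do we believe anything the claims say."""
    parts = token.split(".")
    if len(parts) != 3:
        return "deny: malformed token"
    h64, c64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:  # bad base64 or bad JSON (JSONDecodeError is a ValueError)
        return "deny: malformed token"
    # Pin the algorithm instead of trusting the header: defeats alg=none and
    # key-confusion attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return "deny: unexpected alg"
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "deny: bad signature"
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return "deny: wrong issuer or audience"
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0):
        return "deny: token expired"
    if required_scope not in claims.get("scope", "").split():  # least privilege
        return "deny: insufficient scope"
    if require_mfa and "mfa" not in claims.get("amr", []):  # MFA enforced
        return "deny: MFA not performed"
    return "allow"


def forge_scope(token, new_scope):
    """Attacker edits the claims of a real token but cannot re-sign them."""
    h64, c64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(c64))
    claims["scope"] = new_scope
    return h64 + "." + _b64url(_json(claims)) + "." + s64


def alg_none_token(subject, scope):
    """Attacker forges an unsigned token, hoping the API honours alg=none."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "exp": 2**31,
              "scope": scope, "amr": ["mfa"]}
    return _b64url(_json({"alg": "none"})) + "." + _b64url(_json(claims)) + "."


if __name__ == "__main__":
    now = int(time.time())
    good = issue_token("alice", ["hr:read"], ["pwd", "otp", "mfa"], now=now)
    weak = issue_token("bob", ["hr:read"], ["pwd"], now=now)
    cases = [("alice, MFA, read", good, "hr:read"),
             ("alice, write", good, "hr:write"),
             ("bob, password only", weak, "hr:read"),
             ("forged scope", forge_scope(good, "hr:read hr:write"), "hr:write"),
             ("alg=none", alg_none_token("mallory", "hr:write"), "hr:write")]
    for label, tok, scope in cases:
        print(f"{label:20s} -> {authorize(tok, scope, now=now)}")
```

The short ttl and narrow scope list are what make the “special, time-limited permission” from the previous practice enforceable without anyone remembering to revoke it: the token simply stops working. Note that the check refuses to read the algorithm from the token, verifies the signature before looking at a single claim, and checks audience as well as issuer so a token minted for another API cannot be replayed here.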
Use a Keystore for Certificates
When installing applications, make sure they ship with a trusted keystore holding the certificates they need to communicate securely over HTTPS. In Java terms there are two stores: the truststore holds the certificate-authority certificates the application trusts when it connects out, and the keystore holds the application’s own private key and certificate for the connections it serves. For example, if a local client must talk to an API through a TLS-inspecting corporate proxy, you may need to add the proxy’s CA certificate to the Java truststore (with keytool’s importcert command). The wrong fix is to disable certificate verification, which turns every such connection into the man-in-the-middle scenario described above. Keep private keys out of world-readable keystores, and rotate certificates before they expire.
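The same distinction applies outside Java, and the failure mode is the same: the quick “fix” for a proxy’s certificate error is to turn verification off. The following added example (written for this article, not code from the page or any vendor) uses Python’s standard ssl module as a stand-in for the Java truststore: it builds a client context that trusts an explicit CA bundle, shows the insecure shortcut beside it, and includes a small audit function that flags the settings a reviewer would reject. The proxy CA path is a hypothetical assumption; when the file is absent the context falls back to the system trust store.

```python
import ssl

# Hypothetical path for the corporate proxy's CA certificate (an assumption
# for this example; substitute the real file).
PROXY_CA_FILE = "/etc/ssl/certs/corp-proxy-ca.pem"


def make_client_context(cafile=None):
    """Client TLS context that verifies the server against an explicit
    trust store.  cafile=None falls back to the system's default CAs; passing
    the proxy CA file is the equivalent of importing it into the Java
    truststore.  create_default_context already turns on CERT_REQUIRED and
    hostname checking; we only tighten the protocol floor."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    return ctx


def insecure_context():
    """The anti-pattern: silencing the proxy's certificate error by turning
    verification off.  Anyone on the path can now impersonate the API."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the weaknesses a reviewer would flag in a client context;
    an empty list means the context verifies its peer properly."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS 1.0/1.1 allowed")
    return problems


if __name__ == "__main__":
    import os
    cafile = PROXY_CA_FILE if os.path.exists(PROXY_CA_FILE) else None
    print("explicit trust store:", audit_context(make_client_context(cafile)) or "OK")
    print("verification disabled:", audit_context(insecure_context()))
```

The audit function is the useful part for a code review or a CI check: any context, whether built here or handed over by a library, can be passed to it, and a non-empty result means the application would accept a certificate it cannot trust.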
When it comes to security, every component is potential attack surface, not just APIs. Anything with an external touchpoint can be attacked. That’s why it’s vital to have a security-first mindset and take a “zero trust” approach: assume that no traffic can be trusted on the basis of where it comes from, and authenticate and authorize every request, internal or external. It may sound paranoid on the surface, but such a policy is all but mandatory in an era when attackers grow more sophisticated by the day. This mindset, combined with the above best practices, gives organizations the best chance of securing their data and avoiding a costly attack.