5 Ways To Secure Your Business In A Multi-Cloud World
Modern software increasingly lives online, using application programming interfaces, or APIs, to ingest and expose data, stay updated, and generally work more effectively. APIs are great business accelerators with thousands of uses, from drawing on a file of recipes for a grocery website, to attaching a secure payment system to an online retailer, to adding features to existing IT infrastructure.
As they grow in popularity, however, they also move into the crosshairs of bad actors, becoming a new target for security threats.
It’s not a problem when they are managed and configured properly (in fact, they are an important part of a robust enterprise security layer). The problem is precisely that almost every business now must live online, using APIs that exist inside and outside the corporate firewall. This means the old days of putting a secure perimeter around IT assets are over. Acting like they’re not is the real threat.
Enterprises should think of each API as a potential point of business leverage—and a possible point of vulnerability.
How can organizations use modern, API-based development techniques to fuel their businesses while keeping their environments secure? By evolving from a network perimeter model to something that applies security and protection at every point of interaction. Here are five important techniques to help.
1. Balance protection with ease of access
The best security is to lock everything down without giving any access. However, for APIs to provide business value, they need to access useful information and functionality, such as customer data, inventory information, and legacy applications. That means each API is a potential access point that needs to be secured.
The trick is to keep APIs secure while letting individuals who build digital experiences with them move as quickly as they need to, and avoiding heavy-handed policies and highly restrictive access that can derail innovation.
The answer is API management tools, which can mediate access to APIs, monitor their use, and automate developer sign-up, onboarding, authentication, and education. It’s still all too common, though, for businesses to apply these precautions to only some of their APIs. This can be for a number of reasons, including uneven API governance, shortcuts taken to reach aggressive sprint deadlines, the belief that bespoke APIs that aren’t intended for reuse don’t require management, or a combination of many other possible scenarios. While understandable, that’s like putting locks on some windows, while leaving the doors wide open. All APIs should be secured, which means all APIs should be managed.
2. Authenticate the right actors
Properly secured APIs should provide authentication for both end users and applications. The de facto open standard for API security, called OAuth, enables token-based authentication and authorization. This lets end users and applications gain the right level of access to a protected resource without requiring the user to reveal their sign-in credentials. OAuth lets a client who makes an API call exchange some credentials for a token, which gives the client access to the API.
OAuth uses a token that uniquely identifies a single application or user on a single device, while keeping passwords secret. Tokens have scope; they’re a mechanism to limit an application’s access to a user’s account. This is much better than using a password that has wide access. Additionally, the scope and the lifetime of the token itself can be easily limited. It’s a great solution, but to stay secure, API teams need to be familiar with OAuth’s capabilities and the current authentication best practices.
API monitoring and other management capabilities also help to keep APIs safe. For example, some businesses apply features such as role-based access control (RBAC), which assigns different levels of API access and privileges based on built-in user types.
3. Maintain control with effective traffic management
Any API could be subject to a brute-force attack at any time. Bad actors might use automated software to generate a large number of consecutive guesses in an attempt to gain access to protected data, or put extraordinary strain on the back ends by invoking APIs at a throughput beyond what they’ve been deployed for. Such attacks are probably inevitable for successful digital enterprises—in some ways, they’re the cost of doing business. Therefore, API teams should always consider using rate limits and quotas for additional API security.
When these attacks happen, rate limits and quotas help you keep control of your organization’s digital assets and protect your customers’ experiences and privacy. API management platforms that support rate limits let API teams establish thresholds at which spike arrests are triggered, helping to keep back ends from being impacted by unexpected activities. For example, an API team could establish that no one should call an API more than 500 times per second, or that an application is allotted only a certain number of API calls per day.
4. Generate insights via analytics and monitoring
Connected experiences unite digital assets that might actually be distributed across a range of geographies, public and private clouds, and API providers. One goal of effective API management and security is to control this distributed architecture in a unified way.
The health of an API program often relies on effective handoffs between security and operations teams. If reporting capabilities can’t clearly show when a situation calls for one team versus the other, it can be hard to facilitate effective security collaboration.
That makes it important to assess not only whether an API management platform provides monitoring and analytics capabilities, but also whether the integration of these capabilities actually accelerates solutions to business problems.
At the feature level, this means effective reporting and dashboards should provide at-a-glance insights, as well as the ability to drill down for more granular detail. It should be simple to see changes in traffic, including from day to day, week to week, and so on; view patterns across chosen time periods; access information about change management and governance data; and view policy configuration data on a per-API and per-proxy basis.
5. Don’t forget the basics
Just like in the firewall security days, conducting code and security reviews increases the likelihood of finding vulnerabilities before they affect customers. It also helps ensure that security defects produced in one part of an API program are documented and don’t get repeated elsewhere.
IT professionals should also be aware that many security problems are found by helpful API users. Another best practice, then, is to establish channels for users to report issues, have a program to develop fixes and roll them into production, and to check with the person who filed the bug to confirm the issue has truly been resolved.
In today’s complex world, network perimeters no longer contain all the experiences and interactions that drive business. To account for this fundamental change, enterprises should think of each API as a potential point of business leverage—and a possible point of vulnerability. Done right, a business can end up even more secure than it was when it hid behind a firewall and hoped for the best.
For a deeper dive on applying security and protection at every point of interaction within a connected experience, get Google Cloud’s free ebook, “Securing APIs in the Age of Connected Experiences.”