When We Talk About API Security

APIs have changed the way that businesses operate, both at the functional level, and in the opportunities they have opened. Our customers are doing innovative things with their data and intellectual property – extending it to partners and customers, making it usable to developers, and making it available to create more users, all done through the functionality and flexibility provided by APIs.

The reality is that when you expose that data, you potentially run the risk of it being made available in unintended ways. Hackers are getting more creative in how they exploit applications that don’t take care to secure their data assets, and recent data security breaches have highlighted the frightening outcomes of such attacks. Just look at the damage done by data breaches at Facebook, Twitter and Snapchat, and then consider the magnitude of the NSA security leak scandal. The important premise here is that the more data is used in pursuit of opportunities, the more the potential for security issues increases, directly and exponentially.

There is general agreement that an API is an essential tool for sharing data, communicating, and transacting commerce. It has rapidly become one of the most important elements in an organization’s arsenal of business and technology tools. But just as the use of APIs has become more widespread, so too has the need to address security. We’ve long been proponents of security as a foundational element of your API strategy, and it’s interesting to see some of our colleagues discussing a variety of security topics at this week’s RSA Conference. The themes touch on a broad range of security issues and demonstrate the intensity with which organizations are evaluating and executing security strategies.

But it’s important for any organization to ensure they focus their efforts. “Securing” everything and mindlessly applying protection where it isn’t needed can render your API and related apps either sterile or useless. What you need and want is a smart approach that allows the right people to interact with the right data at the right time. That should be balanced with the optimal set of tools and processes that batten down the hatches on any other attempts at exploiting holes in the application layer.

We think it’s important to get the high-level thinking down first so you can really benefit from the good work going on among these security specialists. At its most basic, we think API security should start with an emphasis on these things:

WHO: Clearly stated, you need to know, manage and administer who accesses your applications. That seems simple enough, but the myriad security standards make it difficult to understand what makes the most sense for you to ensure proper authorization. We recommend using OAuth as the underlying element of your access and authorization control. Our OAuth Server is more than an out-of-the-box solution for access control and ID management. We developed it into a completely flexible solution that lets you reuse work already completed by other development teams and integrate with existing security efforts.

WHAT: What is it that needs to be protected? There is no definitive answer, because companies view their data according to their own guidelines as well as their need to comply with industry and governmental standards. In other words, the data and type of information that needs to be protected is unique to each situation. Furthermore, having a variety of applications or different accessibility levels means that you might need to manage your security in different ways and according to different requirements. What’s needed is a strategy for protecting against DoS, SQL injection, HTTP parameter stuffing, JavaScript and other types of attacks, so that irrespective of the data you’re securing, you have a comprehensive plan.

HOW: Management of all the elements of your API and its related security is crucial. We recognized early on the need for a centralized and comprehensive way to manage security, mediation, integration and all the related elements of APIs collaborating. Our API Gateway includes a variety of key elements to ensure security, all of which are based on our practical experience with customers. It has threat protection features that detect and prevent denial of service attacks, malformed messages, and excessive XML/JSON depth and breadth. It supports a variety of authorization and authentication schemes, and can easily integrate with legacy security systems through our OAuth Server. And because we’re well aware of the need for continuous uptime, we provide uniform admin and management tools to operate your unified gateway fabric.

API Gateway was updated last year, and this release includes elements that address specific functional security issues: a content firewall that defends against malicious content such as viruses (or malformed JSON or XML data structures); support for SSL and TLS, with comprehensive key and certificate generation, distribution and management using built-in PKI services; extensive support for standards such as OAuth, SAML, SHA, LDAP, Kerberos, HMAC, X.509 certificates, WS-Security and SSL client authentication; and PCI DSS 2.0 compliance.
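The threat protection described in the HOW section and the content firewall above both come down to one idea: reject a request body that is oversized, malformed, or excessively deep or wide before the application (or even the JSON parser) spends resources on it. The following is an added example in Python, not code from API Gateway or from the author; the limits (64 KB, 20 levels, 1000 members per container) are constructed values for illustration, not product defaults. The structural scan runs in a single pass over the raw text and never builds the document, so a deeply nested or extremely wide payload is rejected in linear time without risking parser recursion or memory blow-up.

```python
import json

# Gateway-style limits (constructed values for this example, not product defaults)
MAX_BYTES = 64 * 1024      # reject oversized bodies before looking inside
MAX_DEPTH = 20             # nesting levels of {} / []
MAX_BREADTH = 1000         # members per object or elements per array


class PayloadRejected(ValueError):
    """Raised when a request body violates a structural limit."""


def scan_structure(text, max_depth=MAX_DEPTH, max_breadth=MAX_BREADTH):
    """Single pass over raw JSON text that measures nesting depth and container
    breadth without building the document. Returns (max_depth, max_breadth) or
    raises PayloadRejected as soon as a limit is crossed or brackets are unbalanced.
    Brackets inside string literals (including escaped quotes) are ignored.
    """
    stack = []            # one [separator_count, has_content] entry per open container
    max_d = 0
    max_b = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch in " \t\r\n":
            continue
        if ch in "}]":
            if not stack:
                raise PayloadRejected("unbalanced: closing bracket without opener")
            seps, has_content = stack.pop()
            elems = seps + 1 if has_content else 0
            max_b = max(max_b, elems)
            continue
        if stack:
            stack[-1][1] = True      # any other token is content of the enclosing container
        if ch == '"':
            in_string = True
        elif ch in "{[":
            stack.append([0, False])
            max_d = max(max_d, len(stack))
            if len(stack) > max_depth:
                raise PayloadRejected(f"nesting depth exceeds {max_depth}")
        elif ch == ",":
            stack[-1][0] += 1 if stack else 0
            if stack and stack[-1][0] >= max_breadth:
                raise PayloadRejected(f"container breadth exceeds {max_breadth}")
    if stack or in_string:
        raise PayloadRejected("unbalanced: document ends inside a container or string")
    return max_d, max_b


def inspect_body(raw, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH, max_breadth=MAX_BREADTH):
    """Apply the checks cheapest-first: byte size, then structure, then a full parse.
    Returns the parsed document on success, raises PayloadRejected otherwise."""
    if len(raw) > max_bytes:
        raise PayloadRejected(f"body of {len(raw)} bytes exceeds {max_bytes}")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PayloadRejected(f"body is not valid UTF-8: {exc}") from None
    scan_structure(text, max_depth, max_breadth)
    try:
        return json.loads(text)
    except ValueError as exc:
        raise PayloadRejected(f"malformed JSON: {exc}") from None


if __name__ == "__main__":
    # Constructed sample bodies: one benign, three that a gateway should stop at the edge
    samples = {
        "normal": b'{"user": "alice", "roles": ["reader", "editor"]}',
        "deep": b"[" * 500 + b"]" * 500,
        "wide": b"[" + b",".join(b"0" for _ in range(5000)) + b"]",
        "malformed": b'{"user": "alice", "roles": [',
    }
    for name, body in samples.items():
        try:
            inspect_body(body)
            print(f"{name}: accepted")
        except PayloadRejected as exc:
            print(f"{name}: rejected ({exc})")
```

The ordering matters: the byte-size check costs nothing, the structural scan is linear in the body length and allocates only a small stack, and only a body that passes both is handed to the real parser. In a gateway this check sits in front of every route, so the limits are a policy decision applied uniformly rather than something each application has to remember.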

What’s ultimately needed is a strategy and a plan for enterprises to secure their data with a comprehensive, integrated and manageable API security solution. Flexibility is key as well, since no API exists in isolation. A solution must be able to integrate and mediate capabilities delivered to and from the cloud, on-premise systems and mobile devices; essentially, anywhere and everywhere the end user will be consuming and transacting with your data and applications.

Written by Roberto Medrano