
API: between opportunity and insecurity

More and more companies are relying on public, partner or private APIs, with one aim: greater efficiency. The flip side is that a poorly configured API, or one developed in a hurry, is also an open door into an organization's IT network.

A cloud is nothing more than a collection of APIs (programming interfaces) and services. This combination makes it possible to build cost-effective, scalable and innovative platforms. We have entered the API economy.

Published in early 2018, an Imperva study of 250 IT security professionals found that companies manage 363 different APIs on average, and that two-thirds (69%) expose APIs to the public and to their partners. For 61% of the companies surveyed, APIs are essential to their business strategy.

APIs have even become part of our daily routine, and we use them almost every day without always realizing it. They handle not only public data (branch addresses, transport timetables, etc.) but also personal data (fitness tracking, the Ameli and CAF applications, etc.) and sensitive data (DSP2 (PSD2) payment services, online purchasing, industrial information in transit, etc.).

A great deal of data is therefore constantly being exchanged. The downside is that data security and operational transparency remain difficult to manage. Exposing corporate data through APIs in private or public cloud environments without adequate identity, access, vulnerability and risk management controls leaves those data sources open to breaches.

Increasing number of API security vulnerabilities

The situation is all the more worrying as the list of companies with API vulnerabilities keeps growing. Security flaws caused by poor API design have multiplied in recent years. The alarm had already been sounded in 2017, when the category of under-secured APIs entered the OWASP (Open Web Application Security Project) Top 10 for the first time.

What are the consequences of an API flaw? Cybercriminals can use it to compromise corporate networks, and an insufficiently secured API can lead to data leaks. With the RGPD (GDPR) coming into force in May 2018, companies must therefore put suitable procedures in place.

In particular, this regulation imposes the notion of Privacy by design. In a nutshell, from the design stage of an application, a website or a connected object, and therefore of an API, developers (in close collaboration with other professions, marketing in particular) must limit processing to the personal data "strictly necessary for their activity". Confidentiality must also be ensured.

But API security is complicated to implement. Although many APIs share common design patterns, each API infrastructure works differently, even if most use the REST (Representational State Transfer) architecture or SOAP (Simple Object Access Protocol).

There is no "miracle solution" that works for all of them. What is needed is a methodical approach to implementing security processes adapted to the architecture used to access each web service.

A multi-cloud approach

A number of vendors offer a wide range of API management capabilities in the cloud. But as companies increasingly opt for a multi-cloud strategy, it is not advisable to rely on the tools of a single provider. If your API connects to a third-party application, you also need to consider how that application redistributes the information to the Internet.

For access delegation, there is an open standard called OAuth (Open Authorization). It lets users grant third parties access to their web resources without sharing their passwords.

In the end, securing APIs requires a succession of ingredients, from the most basic to the most elaborate, chosen according to needs and context. They must be managed, governed and secured with essentially the same policies across the various platforms and entities in the domain.

All companies should apply these basic rules to strengthen the security of their APIs:

  1. Strengthen user authentication
  2. Encrypt API keys
  3. Limit the rate of requests
  4. Identify all your APIs
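As an added example (not code from the original article or its author), the following Python sketch implements rules 1 to 3 for a small API gateway: keys are issued at random and stored only as SHA-256 digests (one-way hashing rather than encryption, so a leaked store yields no usable key), presented keys are checked in constant time, and each authenticated identity is limited to a fixed number of calls per time window. The client names and limits are constructed values.

```python
import hashlib
import hmac
import secrets
import time


class ApiGateway:
    """Minimal gateway enforcing rules 1-3: authentication, hashed keys, rate limit."""

    def __init__(self, limit=5, window=60.0, clock=time.monotonic):
        self._hashes = {}       # sha256(key) -> client_id; raw keys are never stored
        self._windows = {}      # client_id -> (window_start, call_count)
        self.limit, self.window, self.clock = limit, window, clock

    def issue_key(self, client_id):
        """Rule 2: generate a random key and keep only its SHA-256 digest."""
        key = secrets.token_urlsafe(32)
        self._hashes[hashlib.sha256(key.encode()).hexdigest()] = client_id
        return key  # returned once to the client, then forgotten by the server

    def authenticate(self, presented_key):
        """Rule 1: map a presented key to its client identity, or None if unknown.
        compare_digest runs in constant time so response timing leaks nothing."""
        digest = hashlib.sha256(presented_key.encode()).hexdigest()
        for stored, client_id in self._hashes.items():
            if hmac.compare_digest(stored, digest):
                return client_id
        return None

    def allow(self, client_id):
        """Rule 3: fixed-window limit of `limit` calls per `window` seconds."""
        now = self.clock()
        start, count = self._windows.get(client_id, (now, 0))
        if now - start >= self.window:        # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:
            self._windows[client_id] = (start, count)
            return False
        self._windows[client_id] = (start, count + 1)
        return True

    def handle(self, presented_key):
        """Gateway decision as an HTTP status: 401 bad key, 429 over limit, 200 ok."""
        client_id = self.authenticate(presented_key)
        if client_id is None:
            return 401
        return 200 if self.allow(client_id) else 429


if __name__ == "__main__":
    gw = ApiGateway(limit=2, window=60.0)
    key = gw.issue_key("partner-a")          # constructed client name
    print([gw.handle(key) for _ in range(3)], gw.handle("not-a-key"))
```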

Remember that security must be global to be effective!
