Today, applications integrate with others through JSON, GraphQL, Falcor, Blockchain, etc. It is essential to ensure that data is secured both at rest and in transit. Also, some regulations require proper documentation in addition to secure transactions. For example, “Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.” Of course, most integrations happen through the Internet, so it is critical to ensure Web APIs (application programming interfaces) are secured. Web API security is concerned with the transfer of data through APIs that are connected to the internet. OAuth (Open Authorization) is the open standard for access delegation. It enables users to give third-party access to web resources without having to share passwords. OAuth is the technology standard that lets you share that Corgi belly flop compilation video onto your social networks with a single “share” button.
For security teams, the challenge is figuring out how to get real-time visibility into these ephemeral workloads as they are harder to monitor. Further, the volume of first and third-party APIs that have access to organizational data is multiplying by the second, creating additional risk for a data breach attack. In fact, the number of new API vulnerabilities grew by 4% in 2020, with sensitive data exposure ranking as the most common vulnerability. With that context, it is clear to see why data breaches originating at the application layer are a growing trend. Without effective layers of security to monitor or block malicious activity from edge to application or API through to the data store, how can organizations possibly keep up with security?
Here are some of the most common ways you can strengthen your API security:
- Use tokens. Establish trusted identities and then control access to services and resources by using tokens assigned to those identities.
- Use encryption and signatures. Encrypt your data using a method like TLS (see above). Require signatures to ensure that the right users are decrypting and modifying your data, and no one else.
- Identify vulnerabilities. Keep up with your operating system, network, drivers, and API components. Know how everything works together and identify weak spots that could be used to break into your APIs. Use sniffers to detect security issues and track data leaks.
- Use quotas and throttling. Place quotas on how often your API can be called and track its use over history. More calls on an API may indicate that it is being abused. It could also be a programming mistake such as calling the API in an endless loop. Make rules for throttling to protect your APIs from spikes and Denial-of-Service attacks.
- Use an API gateway. API gateways act as the major point of enforcement for API traffic. A good gateway will allow you to authenticate traffic as well as control and analyze how your APIs are used.
Finally, API security often comes down to good API management. Many API management platforms support three types of security schemes. These are:
- An API key that is a single token string (i.e., a small hardware device that provides unique authentication information).
- Basic Authentication (APP ID / APP Key) that is a two-token string solution (e.g., username and password).
- OpenID Connect (OIDC) that is a simple identity layer on top of the popular OAuth framework (i.e., it verifies the user by obtaining basic profile information and using an authentication server).