API security is a crucial element of an organization’s cybersecurity strategy. Organizations use Application Programming Interfaces (APIs) to connect the data and functionality of their applications to other internal systems and applications as well as those managed by third-party developers, business partners and other entities. These connections enable different applications to communicate with each other, share data and use common services to help deliver and streamline functionality for users.
The Open Web Application Security Project (OWASP) identifies authentication and authorization attacks as the top two risks for API Security. API authentication and authorization rely on machine identities such as API keys that can be vulnerable to theft and misuse.
Kevin Bocek, VP, Security Strategy & Threat Intelligence at Venafi, noted in a recent webinar that “all businesses are now software companies.” The operations of all of these “software companies” would have been impossible if it weren’t for APIs to connect an increasingly complex web of critical infrastructure. However, when APIs are not properly secured, they can also create risk—they can expose sensitive data including personally identifiable information, resulting in security incidents that can disrupt organizations’ operations. OWASP is right when it says, “Without secure APIs, rapid innovation would be impossible.”
The OWASP API Security Top 10 list for 2019 includes three threats to API security closely related to authentication and authorization.
Non-authenticated APIs or APIs with weak authentication mechanisms create security gaps that threaten the confidentiality and integrity of sensitive data communicated over these components. Given that 95% of API exploits are happening against authenticated APIs, it is evident that API security is a challenging topic requiring a lot more than just authentication—a holistic approach that includes extensive runtime protections is essential.
In particular, authentication and authorization are necessary for defending against many security threats today. For example, an external attacker can compromise an account protected with weak authentication controls and abuse a lack of authorization checks to expose information handled by the API. Without proper validation, a malicious insider could do the same thing.
APIs, as well as other non-human entities, like IoT devices and containers, need to be properly identified to ensure the authenticity and integrity of communications. It is just as important to validate the identities of APIs as it is for other types of machines. Salt Security, in its API Security Checklist, notes that “When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities.”
APIs need an established identity, which often comes in the form of digital certificates and cryptographic keys. These security tokens enable internet protocols, such as HTTPS and SSH, to validate and authenticate the API’s identity. Once verified, the API can communicate securely with other APIs, establish trust, and gain authorized access to networks and resources.
To keep track of the machine identities of all the APIs they are using, organizations need to ensure that each one has appropriate access permissions. To accomplish this, organizations will need an effective machine identity management program that includes APIs. The scale of API usage, due to digital transformation projects, is driving this need. For example, while a person may need to log in only once to check an online account, behind the scenes, potentially hundreds of machines must achieve authentication to securely fulfill the request.
An important ingredient in effective machine identity management for APIs is the ability to automate machine identities over multiple API gateways. API gateways are important components for digital transformation strategies. API gateways use large numbers of machine identities, TLS keys and certificates, to establish trust and privacy. But API gateways do not include sophisticated machine identity management that would provide security teams with intelligence about how machine identities are being used. Nor do they provide network operations teams with the automation to eliminate time-consuming and error-prone TLS certificate lifecycle functions.
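The preceding paragraphs describe certificates as the API's identity, the need for each identity to carry appropriate permissions, and certificate lifecycle work. The sketch below is an added example, not code from this article or any vendor it names: it takes the peer certificate a mutual-TLS server obtains from Python's `ssl.SSLSocket.getpeercert()`, maps its DNS subjectAltName to permitted scopes, and flags certificates close to expiry. The policy table, hostnames, scope names and 30-day window are assumptions made for illustration.

```python
import ssl
import time

# Hypothetical policy: machine identity (certificate SAN) -> API scopes it may call.
POLICY = {
    "billing.internal.example": {"invoices:read", "invoices:write"},
    "reports.internal.example": {"invoices:read"},
}
RENEWAL_WINDOW = 30 * 24 * 3600  # assumed threshold: flag certs expiring within 30 days


def dns_identities(peer_cert):
    """DNS subjectAltName entries from an ssl.SSLSocket.getpeercert() dict."""
    return [value for kind, value in peer_cert.get("subjectAltName", ()) if kind == "DNS"]


def authorize(peer_cert, scope, now=None):
    """Return (allowed, reason) for one API call made over mutual TLS.

    Chain validation is assumed to have been done by the TLS layer
    (verify_mode=ssl.CERT_REQUIRED); this adds the per-identity
    authorization step and an expiry warning for lifecycle tracking.
    """
    now = time.time() if now is None else now
    if not peer_cert:
        return False, "no client certificate presented"
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    if not_after <= now:
        return False, "certificate expired"
    for name in dns_identities(peer_cert):
        if scope in POLICY.get(name, ()):
            if not_after - now < RENEWAL_WINDOW:
                return True, f"allowed as {name}; renew soon"
            return True, f"allowed as {name}"
    return False, "identity not authorized for scope"


# Constructed sample in the shape getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "reports.internal.example"),),),
    "subjectAltName": (("DNS", "reports.internal.example"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")

if __name__ == "__main__":
    for scope in ("invoices:read", "invoices:write"):
        print(scope, authorize(SAMPLE_CERT, scope, SAMPLE_NOW))
```

An authenticated identity is denied by default unless the policy grants the requested scope, which keeps authentication and authorization as separate checks.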
Organizations need a mix of tactics to protect APIs. Authentication and authorization are just two important components of robust API security and should be leveraged together with controls such as API visibility, baselining API behavior for anomaly detection, and attack prevention to ensure that API-based data and services stay protected.
As far as machine identity management for APIs is concerned, Salt Security paves the path forward: “Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.”