APIs and Machine Identity: What You Need to Know


March 29, 2022 | Anastasios Arampatzis

API security is a crucial element of an organization's cybersecurity strategy. Organizations use Application Programming Interfaces (APIs) to connect the data and functionality of their applications to other internal systems and applications, as well as to those managed by third-party developers, business partners and other entities. These connections let different applications communicate with each other, share data and use common services, which helps deliver and streamline functionality for users.

The Open Web Application Security Project (OWASP) identifies authentication and authorization attacks as the top two risks for API Security. API authentication and authorization rely on machine identities such as API keys that can be vulnerable to theft and misuse.

What are the authentication and authorization risks to APIs?

Kevin Bocek, VP, Security Strategy & Threat Intelligence at Venafi, noted in a recent webinar that "all businesses are now software companies." Those software companies could not operate without the APIs that connect an increasingly complex web of critical infrastructure. When APIs are not properly secured, however, they create risk: they can expose sensitive data, including personally identifiable information, and the resulting security incidents can disrupt an organization's operations. OWASP is right when it says, "Without secure APIs, rapid innovation would be impossible."

The OWASP API Security Top 10 list for 2019 includes three threats to API security closely related to authentication and authorization.

  • API1:2019 Broken Object Level Authorization. Object-level authorization is the check that confirms the calling user is actually allowed to access the specific object (record, account, document) named in the request. APIs routinely take object identifiers straight from the client, so every function that reads or writes a data source using client input must perform this check. When it is missing, an attacker simply substitutes other identifiers and reads or modifies sensitive data belonging to other users.
  • API2:2019 Broken User Authentication. Poor or weak authentication mechanisms allow attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities, temporarily or permanently. Once a system can no longer reliably identify the caller, every other API control built on that identity is compromised too.
  • API5:2019 Broken Function Level Authorization. Complex access control policies with different hierarchies, groups and roles, combined with an unclear separation between administrative and regular functions, tend to produce authorization flaws. By exploiting them, attackers gain access to other users' resources and/or to administrative functions that were only ever hidden, never actually restricted.
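All three weaknesses come down to checks that must run server-side on every request. The following added example (not code from the original post or from OWASP) shows each of them on a toy in-memory order API: an API-key lookup for API2, an object-level ownership check for API1 and a role check for API5, with the vulnerable form of each handler next to its hardened form. The user, key and order data and the 'customer' and 'admin' role names are constructed for illustration.

```python
"""Authentication and authorization checks on a toy order API.

Added example (not code from the original post). Users, API keys and
orders are constructed in-memory data; 'customer' and 'admin' are
assumed role names.
"""
import hashlib
import hmac


class Unauthenticated(Exception):
    """API key missing or unknown (API2: authentication)."""


class NotFound(Exception):
    """Object missing or not visible to the caller (API1: object level)."""


class Forbidden(Exception):
    """Caller lacks the role a function requires (API5: function level)."""


# Constructed sample data. Only SHA-256 digests of API keys are stored, so a
# leaked user table does not hand out working credentials.
USERS = {
    "alice": {"roles": {"customer"}},
    "bob": {"roles": {"customer"}},
    "carol": {"roles": {"customer", "admin"}},
}
_KEY_DIGESTS = {
    hashlib.sha256(b"key-alice-0001").hexdigest(): "alice",
    hashlib.sha256(b"key-bob-0002").hexdigest(): "bob",
    hashlib.sha256(b"key-carol-0003").hexdigest(): "carol",
}
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 1300.0},
}


def authenticate(api_key):
    """Map an API key to a principal. compare_digest keeps the comparison
    constant-time so response timing does not leak how many bytes matched."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, principal in _KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):
            return principal
    raise Unauthenticated("unknown API key")


# --- API1:2019 Broken Object Level Authorization ---------------------------
def get_order_vulnerable(caller, order_id):
    """Trusts that any authenticated caller may read any order id it names."""
    if order_id not in ORDERS:
        raise NotFound(order_id)
    return ORDERS[order_id]


def get_order(caller, order_id):
    """Object-level check: the caller must own the order or hold 'admin'.
    'Missing' and 'not yours' give the same error so ids cannot be enumerated."""
    order = ORDERS.get(order_id)
    is_admin = "admin" in USERS[caller]["roles"]
    if order is None or not (order["owner"] == caller or is_admin):
        raise NotFound(order_id)
    return order


# --- API5:2019 Broken Function Level Authorization -------------------------
def refund_order_vulnerable(caller, order_id):
    """Admin-only operation guarded by nothing but authentication.
    Hiding the button in the UI is not an authorization control."""
    return {**ORDERS[order_id], "refunded": True}


def require_role(role):
    """Decorator that enforces a role on the server for every call."""
    def decorate(fn):
        def wrapper(caller, *args, **kwargs):
            if role not in USERS.get(caller, {}).get("roles", set()):
                raise Forbidden(f"{caller!r} lacks role {role!r}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorate


@require_role("admin")
def refund_order(caller, order_id):
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return {**order, "refunded": True}   # returns a copy; ORDERS is not mutated


def handle(api_key, action, order_id):
    """Request pipeline: authenticate first, then route to hardened handlers."""
    caller = authenticate(api_key)
    routes = {"get": get_order, "refund": refund_order}
    return routes[action](caller, order_id)


def raises(exc, fn, *args):
    """Helper so a failing call can be checked as a return value."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

Note that the hardened `get_order` returns the same error for an order that does not exist and for one the caller may not see; distinguishing the two would let an attacker enumerate valid identifiers even while the data itself stays protected.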

Unauthenticated APIs, or APIs with weak authentication mechanisms, create security gaps that threaten the confidentiality and integrity of the sensitive data that flows through them. Yet 95% of API exploits are reported to happen against authenticated APIs, which shows that API security requires a lot more than authentication: a holistic approach that includes extensive runtime protections is essential.

Authentication and authorization together are necessary for defending against many of today's threats. For example, an external attacker can compromise an account protected by weak authentication controls and then abuse missing authorization checks to expose information handled by the API. Without proper authorization checks, a malicious insider who already holds a legitimate account can do the same thing.

How machine identity management can help secure APIs

APIs, as well as other non-human entities, like IoT devices and containers, need to be properly identified to ensure the authenticity and integrity of communications. It is just as important to validate the identities of APIs as it is for other types of machines. Salt Security, in its API Security Checklist, notes that “When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities.”

APIs need an established identity, which in practice comes in the form of digital certificates and the cryptographic keys behind them. These credentials are what let protocols such as TLS (underneath HTTPS) and SSH prove and verify the identity of the machine at each end of a connection: a client verifies the API endpoint's certificate, and with mutual TLS the API verifies the calling machine's certificate in turn. Once verified, the API can communicate securely with other APIs, establish trust, and gain authorized access to networks and resources.

Organizations need to keep track of the machine identities of every API they expose or consume and ensure that each one carries only the access permissions it needs. That requires an effective machine identity management program that covers APIs. The scale of API usage driven by digital transformation projects makes this unavoidable: a person may log in only once to check an online account, but behind the scenes potentially hundreds of machines must authenticate to one another to securely fulfill that single request.

An important ingredient in effective machine identity management for APIs is the ability to automate the machine identity lifecycle across multiple API gateways. API gateways are central to digital transformation strategies, and they consume large numbers of machine identities, TLS keys and certificates, to establish trust and privacy. But API gateways themselves do not include the machine identity management that would give security teams intelligence about how those identities are being used, nor do they give network operations teams the automation needed to eliminate time-consuming and error-prone TLS certificate lifecycle functions such as issuance, renewal and revocation.
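As an added example (not code from the original post or from any Venafi product), here is what the identity side of this looks like with Python's standard `ssl` module: a server context that requires a client certificate, an authorization decision over the identity that certificate carries, and a report of certificates due for renewal. The peer-certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the `spiffe://` URI SANs, the service names and the 30-day renewal window are assumptions.

```python
"""Verifying a peer machine identity presented over mutual TLS and
flagging certificates that need renewal.

Added example (not code from the original post). The peer-certificate
dicts are constructed in the shape ssl.SSLSocket.getpeercert() returns;
the spiffe:// URI SANs, service names and 30-day window are assumptions.
"""
import ssl
import time

DAY = 86400


def mtls_server_context():
    """Server side of mutual TLS for an API gateway: a client certificate is
    required and verified during the handshake. Before use, load the
    gateway's own identity with ctx.load_cert_chain(certfile, keyfile) and
    the CA that issues client identities with ctx.load_verify_locations(cafile);
    those files are outside this example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # anonymous clients fail the handshake
    return ctx


def requires_client_cert(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED


def san_uris(peercert):
    """URI-type subjectAltName entries, the field that names a workload."""
    return {value for kind, value in peercert.get("subjectAltName", ()) if kind == "URI"}


def seconds_to_expiry(peercert, now=None):
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(peercert["notAfter"]) - now


def authorize_peer(peercert, allowed, now=None):
    """Policy decision on an already-authenticated identity: ("allow", id)
    or ("deny", reason). Chain validation happened in the TLS stack; this
    is the authorization step the post says must sit on top of it."""
    if seconds_to_expiry(peercert, now) <= 0:
        return ("deny", "peer certificate expired")
    matched = san_uris(peercert) & set(allowed)
    if not matched:
        return ("deny", "peer identity not allowed for this API")
    return ("allow", min(matched))   # min() makes the choice deterministic


def renewal_report(inventory, now=None, window_days=30):
    """Certificates expiring within the window (or already expired), soonest
    first: the lifecycle step that is error-prone when done by hand."""
    due = []
    for name, cert in inventory.items():
        days = int(seconds_to_expiry(cert, now) // DAY)
        if days <= window_days:
            due.append((name, days))
    return sorted(due, key=lambda item: item[1])


# Constructed sample certificates and a fixed clock for reproducibility.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")
BILLING_CLIENT = {
    "subject": ((("commonName", "billing"),),),
    "subjectAltName": (("DNS", "billing.internal"),
                       ("URI", "spiffe://example.org/svc/billing")),
    "notAfter": "Jan 20 00:00:00 2030 GMT",
}
REPORTING_CLIENT = {
    "subject": ((("commonName", "reporting"),),),
    "subjectAltName": (("URI", "spiffe://example.org/svc/reporting"),),
    "notAfter": "Dec 31 00:00:00 2030 GMT",
}
LEGACY_GATEWAY = {
    "subject": ((("commonName", "gw-legacy"),),),
    "subjectAltName": (("DNS", "api.example.org"),),
    "notAfter": "Dec 31 00:00:00 2029 GMT",
}
INVENTORY = {
    "billing-client": BILLING_CLIENT,
    "reporting-client": REPORTING_CLIENT,
    "gateway-legacy": LEGACY_GATEWAY,
}
ORDERS_API_ALLOWED = {"spiffe://example.org/svc/billing"}
```

The policy matches on URI SANs rather than the subject common name because the SAN is the field TLS implementations actually validate and the one a workload identity framework populates; an inventory keyed by the same identity is what lets the renewal report line up with the gateway's trust decisions.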

Concluding thoughts

Organizations need a mix of tactics to protect APIs. Authentication and authorization are just two important components of robust API security and should be used together with controls such as API visibility, baselining API behavior for anomaly detection, and attack prevention, so that API-based data and services stay protected.

As far as machine identity management for APIs is concerned, Salt Security paves the path forward: “Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.”

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
