Secure APIs: Safety Measurements for Your External Interfaces

October 10, 2019 | Waldemar Rosenfeld, Product Manager APIIDA AG

Almost every week it happens:

The press reports that data has been stolen. Hackers look specifically for security vulnerabilities and, if there are any, they find them. Since APIs act as machine identities that authenticate links between different systems, they give people and programs access to sensitive data, and are therefore particularly worth protecting. Because APIs rely on mutual authentication between both endpoints, central management and automatic deployment of those identities to all endpoints in the system are key to permanently secure communication. In this blog post, we look at how you can successfully protect your APIs.

 

 

There is currently no automated solution for machine identities in API gateways. Hear Waldemar on how APIIDA and Venafi plan to change that. 

 

Be prepared!

For protection to succeed, organizations must take precautions:
 

Documenting access routes to data, both internally and externally, is an important first step. In addition, your own resources must be categorized according to their relevance in order to correctly assess potential dangers. In doing so, additional attention must be paid to industry-specific regulations.
 

It is also important that employees are continuously trained by the IT security officer or the CISO so that everyone in the company internalizes the issue of security and reports any security gaps.
 

Reporting should be as simple as possible for employees, ideally with the help of a so-called bug bounty program. Here, reporting a discovered security gap earns a financial reward (instead of a threat of prosecution). This attracts so-called white hat hackers, who may then support your own employees in the future.

Prioritization: Which APIs are particularly worth protecting?

There are often countless APIs in companies – some of which give people and programs access to highly sensitive data and some do not. Of course, high security requirements apply to the former. But the first thing to do is to identify them! Also, APIs that companies make available to their customers must always deliver data reliably, as well as securely.
 

To raise overall security, it is advisable to set up guidelines for securing all APIs in the company:

  • No data transmission without transport encryption via TLS (minimum TLS 1.2).
  • Anonymous access only for general APIs that do not require special protection.
  • Data economy: no data is transferred that does not need to be transferred. Customer data should not be filtered in the web application but already in the backend. If your backend does not support this, various API management solutions can help.
  • Use of established API management products and their functionalities to protect against standard attack paths such as SQL injection. Risk-based metrics such as location or time can also be included.
  • Clear coding guidelines and test procedures applied before APIs are published.

 

In summary: the APIs that are particularly worth protecting are those that allow access to sensitive data of your organization (customer data, credit data, …) as well as those that you make available to your customers!
 

Once the most important APIs have been identified in the company, external access must be restricted. The following steps will help here:


1. Identification: Who wants to access the API?
2. Authentication: Can the claimed identity of the person accessing the API be proven?
3. Authorization: Is this identity allowed to perform this access at all?


Proven measures – What you can do:
  1. Use API keys for identification. API keys are long alphanumeric strings that uniquely identify a service or a user. Access rights can easily be granted or revoked per API key. They are easy to manage and an excellent way to establish identities.
     
  2. Basic Authentication is a simple and frequently used variant for authentication: a username and password are sent with the request. From a security perspective, however, this is not the best method. If stronger protection is needed, federation protocols are recommended. The best known are SAML 2.0 and OAuth 2.0 in conjunction with OpenID Connect. The latter combination is particularly suitable for new developments.
     
  3. Ensure that your WLAN and telecommunication networks are securely encrypted. You can guarantee this with TLS and certificates for all connections.
     
  4. The use of quotas is also important. They can be defined per API key in order to fend off attacks or to stop faulty applications early on.
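
As an added example (not code from this post, APIIDA or Venafi), the following minimal gateway policy in Python applies the guidelines above and the four measures just listed in one request handler: identification and authentication by a hashed API key, authorization by scope, a per-key quota, TLS 1.2 as the transport floor, anonymous access only for a public scope, and data economy applied in the backend before anything is returned. The key values, scopes, quotas and field names are constructed for the example.

```python
import hashlib
import ssl

# Constructed key store (not APIIDA/Venafi code): only the SHA-256 digest of each
# API key is stored, together with its granted scopes and per-minute quota.
KEY_STORE = {
    hashlib.sha256(b"demo-key-customer-app").hexdigest():
        {"id": "customer-app", "scopes": {"orders:read"}, "quota": 3},
    hashlib.sha256(b"demo-key-partner").hexdigest():
        {"id": "partner", "scopes": {"orders:read", "orders:write"}, "quota": 100},
}
PUBLIC_SCOPES = {"catalog:read"}  # anonymous access only for general APIs needing no protection
ALLOWED_FIELDS = {"order_id", "status", "total"}  # data economy: backend strips everything else
_windows = {}  # key id -> (window start, requests counted in that window)

def tls_context():
    """Transport encryption with TLS 1.2 as the floor: TLS 1.0 and 1.1 are refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def identify(api_key):
    """Identification and authentication: map the presented key to its record, or None."""
    return KEY_STORE.get(hashlib.sha256((api_key or "").encode()).hexdigest())

def within_quota(record, now, window=60):
    """Fixed-window quota per API key; a rejected call consumes no budget."""
    start, count = _windows.get(record["id"], (now, 0))
    if now - start >= window:
        start, count = now, 0
    if count >= record["quota"]:
        return False
    _windows[record["id"]] = (start, count + 1)
    return True

def minimize(resource):
    return {k: v for k, v in resource.items() if k in ALLOWED_FIELDS}

def handle(api_key, scope, resource, now):
    """Gateway decision for one request at time `now`: identify, authenticate, authorize, quota."""
    if api_key is None and scope in PUBLIC_SCOPES:
        return 200, minimize(resource)
    record = identify(api_key)
    if record is None:
        return 401, {"error": "unknown or missing API key"}
    if scope not in record["scopes"]:
        return 403, {"error": "scope not granted to this key"}
    if not within_quota(record, now):
        return 429, {"error": "quota exceeded"}
    return 200, minimize(resource)
```

With the customer-app key (quota 3) the fourth read within the same minute is answered with 429, and every successful response carries only the three allowed fields even though the backend record holds more.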
     


The use of API management solutions such as Broadcom Layer7 API Management in combination with APIIDA API Gateway Manager will also help you to ensure the security of your APIs. Combining the APIIDA solution with Venafi Machine Identity Management for secure communication with verified authentication is the way to secure your APIs.
 

Visit APIIDA on the Venafi Marketplace to download their Adaptable Driver and to learn more about API Gateway Automation integrations for the Adaptable Driver as well as the APIIDA API Gateway Manager integration. 

 

 

About the author

Waldemar Rosenfeld, Product Manager APIIDA AG

Waldemar is Product Manager at APIIDA AG. He is working with Venafi to create an automated machine identity protection solution for API gateways, and is an expert in the field of API and identity access management. Previously he worked with accessec GmbH as a consultant and has been a software developer and architect.
