5 Best Practices for API Security
Even if, technically, data is “not the new oil,” it is the essential ingredient for fueling machine learning and AI algorithms. Without an ongoing flow of clean data, innovation at all levels including smart cars, smart cities, and smart hospital rooms is not possible. All of the fanfare surrounding AI will prove to be an empty fantasy if the “intelligent” systems don’t have the requisite data available.
Enter APIs, the communication connectors and data transmitters (i.e., between client and server). The apps on our phone, along with every IoT or IIoT device, are reliant on these interfaces to quickly send and receive data: Tweets, Facebook messages, checking the weather forecast, booking an Airbnb, and making a payment through PayPal are API-based functionalities. These potentially valuable data points are then stored in the providers’ database(s).
Due to the data deluge and its high profitability (e.g., marketing and advertising departments can create individualized consumer experiences, and enterprises can more rapidly develop new products), companies across every industry have increasingly offered APIs as a way to generate revenue through API access services. Companies such as Deutsche Bank, Visa, Mercedes-Benz, Salesforce, Google, and Twitter have created a variety of API types for developers.
However, APIs expose several attack surfaces. These can be grouped into three entry points: identity attacks (stolen, guessed, or replayed credentials and tokens), parameter attacks (malicious or malformed input such as injection payloads and tampered identifiers), and man-in-the-middle attacks (interception or alteration of traffic in transit). Each of these has additional attack vectors embedded within it.
Furthermore, both the EU and individual states within the U.S. have implemented data protection regulations (or laws) that levy penalties against companies that either fail to comply or fall out of compliance. Thus, API security measures are a must. The API security best practices described below are a sample of the many ways you can prevent a security breach. While not exhaustive, they are widely used within API security.
5 API Security Best Practices
Multifactor Authentication (MFA)
Who is trying to gain access? You need to know who is requesting entry to your system and to confirm they are who they claim to be. A username (UN) and password (PW) alone are not enough: passwords are guessed, reused across sites, phished, and replayed from breach dumps by automated credential-stuffing tools, so a match on UN and PW proves very little about who is actually on the other end. And should a breach occur, a password-only login trail leaves you little to identify the perpetrator.
Implementing MFA means adding a second factor to the UN and PW, most commonly a single-use code delivered by push notification, SMS, or voice call, or a possession-based factor such as an authenticator app or a hardware key. The user is authenticated only when both the password and the second factor check out. One caveat a practitioner will raise: SMS and voice codes are the weakest of these options, since they can be intercepted through SIM swapping or phished in real time; app-generated codes and FIDO2/WebAuthn keys resist that. MFA is also only one layer of your API security protocol at the identity level.
OAuth2 is an authorization (access delegation) framework, and other protocols are built on top of it: OpenID Connect adds an authentication layer, UMA 1.0 and 2.0 extend it for user-managed access policies, and IndieAuth uses it as its underlying flow. Several benefits of utilizing OAuth2 are:
- Simplifies authorization for API access;
- Protects the resource owner's account credentials (UN and PW), which the third-party client never sees;
- Limits an access token to specific resources (scopes) and a specific duration, rather than giving carte blanche access to all of the owner's resources for an unlimited amount of time.
Keep in mind the emphasis here is OAuth2 as a framework for authorization; it is not an out-of-the-box system for user authentication, and an access token by itself says nothing about who the user is. OpenID Connect fills that gap: it is an authentication layer on top of OAuth2 that returns a signed ID token, which lets you identify and verify who is requesting access, also referred to as federated authentication. The best approach for your API access point is to first authenticate the caller and only then authorize the specific access being requested.
Digital signatures and certificates introduce yet another security tier for your APIs. A digital signature is not encryption: the sender hashes the message and signs that hash with a private key, and anyone holding the matching public key can verify that the message (a) came from the holder of that private key and (b) has not been altered since it was signed. Signing each request lets the API provider check that messages arriving from a known app are authentic and untampered.
Digital signatures by themselves are not 100% assurance of a secure API ecosystem. Combined with the rest of the public-key toolkit, chiefly digital certificates that bind a public key to an identity and TLS that protects the channel, they make identity and man-in-the-middle attacks considerably harder to carry out. This doesn't mean attempts won't be made, but intelligent use and layering of these mechanisms can thwart them.
Quotas, Throttling, and Rate Limits
Using quotas, throttling controls, and rate limits is another proactive method for blunting attacks that attempt to overwhelm your system (think in terms of denial-of-service traffic) or to grind through it request by request (credential stuffing, token guessing, enumerating identifiers). All major tech enterprises have enacted some combination of quotas, throttling, and rate limits for their APIs.
API quotas restrict the total number of API calls allowed over a period, e.g., per day or per month, and are usually applied per user or per application (API key). Throttling, on the other hand, constrains how many requests a client may have in flight at one time, or how much data a single call may return. For example, Sears API throttling limits users to a set amount of information that can be requested in a single API call, on a per-hour and per-seller basis. They have also set a rate limit whereby users cannot exceed 500 requests per minute.
As previously described, this reduces the impact of a denial-of-service attempt (though it will not by itself absorb a large distributed one, which needs upstream capacity and filtering), and it also prevents honest users from consuming massive amounts of computational resources in ways that obstruct or slow down other users' API access.
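A per-API-key limiter combining the two controls just described, as an added example that is not part of the original article: a token bucket gives each key a sustained rate with a small burst allowance (the rate limit), and a counter resets once per UTC day (the quota). The limits in the code are illustrative and are not those of any real provider (Node.js, no dependencies).

```javascript
// Added example, not from the original article. ratePerMinute, burst and
// dailyQuota are illustrative values chosen by the caller; the in-memory Map
// would be a shared store (e.g. Redis) when the API runs on several instances.
class ApiLimiter {
  constructor({ ratePerMinute, burst, dailyQuota }) {
    this.ratePerMinute = ratePerMinute;
    this.burst = burst;
    this.dailyQuota = dailyQuota;
    this.state = new Map(); // apiKey -> { tokens, lastRefillMs, day, usedToday }
  }

  // Decide one request for apiKey at time nowMs and record it if allowed.
  check(apiKey, nowMs = Date.now()) {
    const day = Math.floor(nowMs / 86400000); // UTC day index for the quota window
    let s = this.state.get(apiKey);
    if (!s) {
      s = { tokens: this.burst, lastRefillMs: nowMs, day, usedToday: 0 };
      this.state.set(apiKey, s);
    }
    if (s.day !== day) { s.day = day; s.usedToday = 0; } // quota resets with the day

    // Refill the bucket for the elapsed time, capped at the burst size.
    const elapsed = Math.max(0, nowMs - s.lastRefillMs);
    s.tokens = Math.min(this.burst, s.tokens + (elapsed * this.ratePerMinute) / 60000);
    s.lastRefillMs = Math.max(s.lastRefillMs, nowMs);

    if (s.usedToday >= this.dailyQuota) {
      return { allowed: false, reason: 'daily_quota', remainingToday: 0 };
    }
    if (s.tokens < 1) {
      // How long until one token is available: material for a Retry-After header.
      const retryAfterMs = Math.ceil(((1 - s.tokens) * 60000) / this.ratePerMinute);
      return { allowed: false, reason: 'rate_limit', retryAfterMs, remainingToday: this.dailyQuota - s.usedToday };
    }
    s.tokens -= 1;
    s.usedToday += 1;
    return { allowed: true, remainingToday: this.dailyQuota - s.usedToday };
  }
}
```

Key the limiter on the authenticated identity (API key or token subject) rather than on source IP alone, since an attacker rotates IPs cheaply, and apply a separate, much tighter limiter to the login and token endpoints where a brute-force attempt does the most damage. Return HTTP 429 with a `Retry-After` header so well-behaved clients back off instead of retrying immediately.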
Identify and Test Your Vulnerabilities
Nothing in the digital or physical world is ever "set it and forget it." Everything degrades over time, and our fellow human beings have the wretched habits of theft and destruction. Therefore, you need to penetration test your own system on a regular basis; this includes your backend (e.g., network, operating system, drivers), your application layer(s), and the API itself (e.g., functionality issues, injection vulnerabilities, data leakage or exposure, and authentication and authorization weaknesses such as one user being able to read another user's objects by changing an identifier).
When it comes to security surveillance and perpetual vigilance, APIs are no different from the other components of your IT infrastructure. They are pipelines into your network, even where their scope is confined to a limited aspect of it.
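One authorization weakness of the kind that API testing should look for, as an added example that is not part of the original article: a handler that authenticates the caller but returns any order by id, beside the fixed handler that scopes the lookup to the caller, and a probe that exercises every caller/object pair so the check can run as a regression test on each release. Users, sessions and orders are constructed sample data (Node.js, no dependencies).

```javascript
// Added example, not from the original article. The data below is constructed
// for the example; a real probe would run against a test deployment with
// fixtures for at least two users.
const ORDERS = new Map([
  [101, { id: 101, owner: 'alice', total: 42.0 }],
  [102, { id: 102, owner: 'bob', total: 17.5 }],
]);
const SESSIONS = new Map([
  ['tok-alice', 'alice'],
  ['tok-bob', 'bob'],
]);

function userFor(token) {
  return SESSIONS.get(token) || null;
}

// Vulnerable: authenticates the caller, then returns any order by id.
function getOrderVulnerable(token, orderId) {
  const user = userFor(token);
  if (!user) return { status: 401 };
  const order = ORDERS.get(orderId);
  return order ? { status: 200, order } : { status: 404 };
}

// Fixed: the lookup is scoped to the caller. Answering 404 rather than 403 for
// someone else's order also avoids confirming that the id exists.
function getOrderFixed(token, orderId) {
  const user = userFor(token);
  if (!user) return { status: 401 };
  const order = ORDERS.get(orderId);
  if (!order || order.owner !== user) return { status: 404 };
  return { status: 200, order };
}

// Probe: every (caller, object) pair where the caller is not the owner must be
// refused; a 200 is a finding. Also checks that no session at all is refused.
function probeObjectLevelAuth(handler) {
  const findings = [];
  for (const [token, user] of SESSIONS) {
    for (const [id, order] of ORDERS) {
      if (order.owner === user) continue;
      const res = handler(token, id);
      if (res.status === 200) findings.push({ caller: user, orderId: id, leakedOwner: res.order.owner });
    }
  }
  for (const [id] of ORDERS) {
    if (handler('no-such-token', id).status !== 401) findings.push({ caller: null, orderId: id, leakedOwner: null });
  }
  return findings;
}
```

The same loop generalizes to every endpoint that takes an object identifier: enumerate fixtures owned by different users, call the endpoint with each user's credentials, and fail the build on any cross-owner success.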
With the increasing sophistication of ML and AI, which can be leveraged for either positive or negative purposes, intelligent cybersecurity tools are multiplying. The best practices described above will also continue to evolve along with technological innovations. But the initial "baking in" of security within your API architecture, and continuous due diligence on your part, are still needed to ensure your data, and your users' data, are contained and shared within a safe environment.