How to secure the API-enabled enterprise
- By Jason Macy
- Mar 23, 2016
Application programming interfaces are at the forefront of today’s technology innovations. They let mobile applications, cloud services and legacy systems expose functionality through a stable interface that hides the underlying infrastructure from the integration points it serves. API architectures deliver the rapid innovation and agile development that have transformed both corporate and government IT. But despite APIs' ubiquity and unquestioned business value, from a security standpoint they are often overlooked and underprotected.
Business drivers, most notably mobile and cloud computing, have compelled agencies to expose data and applications via APIs. While APIs allow organizations to achieve integrations and enable hybrid clouds, exposing data and applications to unknown or untrusted consumers or partners can result in business disruption and data theft.
Conventional cybersecurity controls (firewalls, intrusion detection and prevention, anomaly-based heuristics) are designed to protect networks by inspecting packets and flows and flagging rogue behavior. They are generally blind to the parts of API traffic that matter: they do not decode the message formats, cannot tell whether a request matches the API's expected message pattern, and therefore offer inadequate protection.
APIs are by definition an abstraction of the actual service behind them. Interacting with an API involves a protocol break: the consumer's connection terminates at the API endpoint, which then makes its own call to the back-end system, so consumers never connect to back-end systems directly. Classic network security sits on one side or the other of that break and has no visibility into what is coming into and going out of the back-end applications the APIs front.
Fortunately, the same property that makes APIs useful is also what makes them securable. Because every API transaction is a protocol break, the API layer is the one place where the full request and response can be inspected as messages rather than as packets. There the entire bidirectional exchange is decoded into the actual payload messages, with full visibility into content that carries actionable security information: the identity of the person, device or system making the call, and the structure and content of the message itself. With that granular information in hand, API security can combine identity with payload analysis for far more sophisticated and contextual information assurance and behavior validation than packet-level controls can provide.
APIs beget API security
In API architectures, APIs represent well-defined and expected message patterns. Modern APIs use industry-recognized message formats and conventions, such as XML and JSON payloads carried by SOAP or REST-style interfaces, commonly over HTTP. These standards define the expected behavior and usage of the APIs in an enterprise ecosystem. However, "expected behavior" does not always equal "actual behavior." To ensure that APIs do not deviate from expected behavior while still maintaining a low-risk profile, an API strategy must be accompanied by an API security management strategy.
Current cybersecurity implementations do not accommodate the rich formats, protocols and message patterns inherent in API deployments. Organizations with a robust API security management strategy can readily accommodate communication over APIs with diverse message formats and protocols; secure information in ways traditional cybersecurity technology cannot; and monitor and enforce that APIs are communicating in the proper manner.
API security management solutions, an emerging technology sector, are hardened commercial-off-the-shelf products designed to unify several distinct requirements for API security. These capabilities include: merging identity access control with cybersecurity analysis; deep content awareness of API message formats at the message level (actual messages, not just packets); and wrapping these capabilities into repeatable policies that simplify building and enabling API communication. API security management solutions not only present the logical API to the consumer but also perform the protocol-break inspection that is critical to message-level inspection, behavior monitoring and enforcement.
An understanding of the API, meaning its full request-and-response transaction behavior, is essential to securing it. API security requires the combination of identity access control, data security, information assurance and behavior validation. When identity and data security are served by different technologies at different points in the architecture, nothing correlates the user, system or device with the payloads the API is receiving and delivering, and that gap is exactly where attacks go unnoticed. Combining identity and content inspection at a single API inspection point closes it.
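The following is an added example, not code from the original article or from Forum Systems' products. It shows in Python what the two preceding points look like as a gateway policy at the protocol-break point: the caller's identity is verified first, then the caller's entitlement to the operation, then the decoded JSON body is checked against the expected message pattern, and one decision is returned that carries both identity and content findings. The client names, secrets, schema and sample requests are constructed for the demo; HMAC-signed requests stand in for whatever identity mechanism (OAuth tokens, mTLS, SAML) a real deployment would use.

```python
import hashlib
import hmac
import json
import re

# Constructed demo data: per-client shared secrets and the operations each client may call.
# Real deployments would use OAuth/JWT or mTLS; HMAC is used here because it is stdlib-only.
CLIENT_SECRETS = {"mobile-app": b"constructed-secret-1", "partner-erp": b"constructed-secret-2"}
ENTITLEMENTS = {"mobile-app": {"POST /orders"}, "partner-erp": {"POST /orders", "GET /inventory"}}

# The expected message pattern for POST /orders: field -> (JSON type, value constraint).
ORDER_SCHEMA = {
    "customer_id": (str, re.compile(r"^[A-Z]{3}-\d{6}$").match),
    "sku": (str, re.compile(r"^[A-Z0-9]{8}$").match),
    "quantity": (int, lambda q: 1 <= q <= 1000),
}
MAX_BODY_BYTES = 4096


def sign_request(secret, client_id, operation, body):
    """HMAC over the caller identity, the operation and the exact body bytes."""
    msg = client_id.encode() + b"\n" + operation.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authenticate(headers, operation, body):
    """Return the verified client identity, or None if the signature does not check out."""
    client_id = headers.get("X-Client-Id", "")
    secret = CLIENT_SECRETS.get(client_id)
    if secret is None:
        return None
    expected = sign_request(secret, client_id, operation, body)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None
    return client_id


def validate_payload(body, schema):
    """Decode the body and compare the actual message against the expected pattern."""
    if len(body) > MAX_BODY_BYTES:
        return ["body exceeds %d bytes" % MAX_BODY_BYTES]
    try:
        msg = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(msg, dict):
        return ["top-level JSON value must be an object"]
    errors = []
    for field, (expected_type, check) in schema.items():
        if field not in msg:
            errors.append("missing field %s" % field)
            continue
        value = msg[field]
        # type() rather than isinstance() so that JSON true/false is not accepted as an int.
        if type(value) is not expected_type:
            errors.append("field %s has type %s, expected %s"
                          % (field, type(value).__name__, expected_type.__name__))
            continue
        if not check(value):
            errors.append("field %s fails value constraint" % field)
    # Fields the contract does not define are rejected rather than passed through.
    for extra in sorted(set(msg) - set(schema)):
        errors.append("unexpected field %s" % extra)
    return errors


def inspect_request(headers, operation, body):
    """Gateway policy: identity first, then entitlement, then content; one correlated decision."""
    identity = authenticate(headers, operation, body)
    if identity is None:
        return {"decision": "deny", "identity": None, "reasons": ["authentication failed"]}
    if operation not in ENTITLEMENTS.get(identity, set()):
        return {"decision": "deny", "identity": identity, "reasons": ["not entitled to " + operation]}
    reasons = validate_payload(body, ORDER_SCHEMA) if operation == "POST /orders" else []
    return {"decision": "deny" if reasons else "allow", "identity": identity, "reasons": reasons}


def signed_headers(client_id, operation, body):
    """Build the headers a legitimate client would send (used only by the constructed samples)."""
    sig = sign_request(CLIENT_SECRETS[client_id], client_id, operation, body)
    return {"X-Client-Id": client_id, "X-Signature": sig}


# Constructed sample traffic.
GOOD_BODY = b'{"customer_id": "ABC-123456", "sku": "SKU00042", "quantity": 5}'
TYPE_CONFUSED_BODY = b'{"customer_id": "ABC-123456", "sku": "SKU00042", "quantity": true}'
EXTRA_FIELD_BODY = b'{"customer_id": "ABC-123456", "sku": "SKU00042", "quantity": 5, "price_override": 0}'

if __name__ == "__main__":
    samples = [
        ("well-formed", GOOD_BODY, signed_headers("mobile-app", "POST /orders", GOOD_BODY)),
        ("body altered after signing", EXTRA_FIELD_BODY, signed_headers("mobile-app", "POST /orders", GOOD_BODY)),
        ("bool where int expected", TYPE_CONFUSED_BODY, signed_headers("partner-erp", "POST /orders", TYPE_CONFUSED_BODY)),
        ("undeclared field", EXTRA_FIELD_BODY, signed_headers("partner-erp", "POST /orders", EXTRA_FIELD_BODY)),
    ]
    for label, body, headers in samples:
        print(label, "->", inspect_request(headers, "POST /orders", body))
```

Every decision names the identity it was made for, which is the correlation the article says is missing when identity and payload controls live in different boxes. The same policy also catches the "expected versus actual behavior" cases that a packet-level control cannot see: a body altered in transit, a field of the wrong JSON type, or a field the contract never declared.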
To close these gaps and mitigate the risks of participating in the API economy, agencies must make API security part of their cybersecurity strategy. The risk of insecure APIs is not a question of technology capability but of failing to use the API security technology that already exists. In the modern computing era, API security should be a business use case, not an afterthought.
Jason Macy is the CTO of Forum Systems.