The API Gateway: Is your API Landscape Secure?
APIs — or Application Programming Interfaces — are a strategic necessity in today’s inter-connected world. APIs provide businesses with the agility and speed that is required when it comes to IT integration.
But APIs also present a major risk, with malicious API attacks becoming the most common attack vector as of 2022, according to Gartner. The numbers speak forthemselves: malicious API traffic has increased 117% over the past year, 61% of companies lack any API security strategy, and 94% of organizations have already experienced security problems with production APIs[1].
Cyberattacks on organizations have become inevitable, and, as a result, a zero-trust security model should be adopted by all organizations when it comes to securing applications and data. With API-led architecture becoming universally utilized, API security is of the utmost importance worldwide.
Tools to protect your API landscape
A numberof tools are needed within a security architecture to fully protect an API landscape.
· First, a web application firewall (WAF) is needed to protect the landscape from a variety of application layer attacks.
· Second, a software testing tool is needed to ensure that your APIs perform as intended and look as expected.
· Third, an API security platformis required to cover automated API discovery and threat prevention based on the business context of the individual API.
· Finally, and arguably most importantly, an API Gateway with an API access management solution is required to provide a centralized point of control with closely monitored policies and context-aware access management.
This blogpost focuses specifically on the API Gateway and its crucial role in a modern API security architecture.
How an API Gateway provides security
An API is deemed secure when it is able to guarantee the integrity and confidentiality of the information it processes. Put another way, an API can be considered secure when the information it processes is accessible only to the clients and servers that are authorized to consume it.
An API Gateway is one of the most trusted tools used to protect an API’s infrastructure and to provide a single point of control and security policy enforcement. With AppyThings clients, an API Gateway is utilized as an organization-wide tool that connects all APIs to one another, acting as an API “firewall” and protecting APIs from malicious data, incorrect requests and denial of service attacks. It is a vital tool in the fight against databreaches.
API Gateway options:which is right for you?
API Keys
Description: An API key is a string value passed by a client app to your API that uniquely identifies the client application. API key validation is the simplest form of app-based security that you can configure for an API. A client app simply presents an API key with its request, then the gateway checks to see that the API key is in an approved state for the resource being requested.
Who this is best for: API keys are fast and easy to implement but are not sufficiently secure and for this reason should only be considered when security of the API is not a priority. API keys address Authentication but rarely address Authorization or Least Privilege. In addition, developers often reuse keys between applications makes automatic expiration impossible and rotation challenging. If a key is compromised, or a developer leaves the team, or even if there is a simple copy and paste error in the wrong place, the owners of all impacted applications will be forced to coordinate a simultaneous update.
OAuth 2.0
Description: OAuth2.0 serves as a more advanced approach to granting and protecting API access. In the simplest implementation, an OAuth 2.0 token inherently includes the concept of ‘scoping’ to enable API designers to grant fine-grained permissions to applications. As well, it is designed to expire, therefore has a refresh process built into the specification.
There are four main grant types or interactions an app has to take to gain an access token using OAuth 2.0:
1. Authorization code: This interaction involves the authorization server generating a token after receiving the authorization code. This is considered to be the most secure grant-type.
2. Implicit: This is a more simplified version of authorization code above, where the app resides on the client side.
3. Password: In this interaction, the client is issued an access token when the user's username and password are validated by the authorization server.
4. Client credentials: This is typically used in situations where the client app is acting on its own behalf. This grant type is typically used when the app needs to access a backend data storage service.
OpenID Connect
Description: OpenID Connect is built on top of OAuth 2.0 to provide a Federated Identity mechanism that allows you to secure your API. Apart from OAuth 2.0 access tokens, OpenID Connect uses JWT ID tokens, which contain information about the authenticated User in a standardized format. OpenID Connect, or OIDC, is a protocol that enables different types of applications to support authentication and identity management in a secure, centralized and standardized way. It is a simple identity layer on top of the OAuth 2.0 protocol with optional mechanisms for robust signing and encryption.
From the end-user point of view, the steps involved in an OIDC flow are fairly simple and illustrated below:
Who this is best for: Oauth and OpenID connect are best for organizations that want users to give consent ("i.e. I want to allow this app access to my personal data"). You do not need OAuth2 to generate a JSON Web Token, a Personal Access Token, or a Native Mobile App Session Token.
AppyThings can help
If you find yourself wondering if your API landscape is as secure as you thought, we don’t blame you. Most organizations are unaware of the risks they face prior to an API review. As the leading EMEA in the field of API management, AppyThings brings insight, experience and knowledge to an area often neglected within the broader IT landscape.
If you feel your organization would benefit from an API review, we’d love to help. AppyThings, a best-in-class API-based IT integration service company, is able to review your existing landscape and provide advice on steps you can take to improve your systems.
AppyThings is a premium service partner of Google Cloud/Apigee, Azure, Gravitee, SAP, and Salt Security, and has been on the scene as an API management hyper specialist since 2014. We design and implement API-first best practices that increase your organization's value in today's networked economy. To date, we’ve worked withover 100 organizations in 9 EMEA countries, providing API management expertise.
If you’d like to learn more about how AppyThings can help your company, reach out to Tom Hendrix at tom@appythings.com or give him a call at 32-474-365-980.
[1] https://salt.security/blog/companies-are-struggling-against-a-681-increase-in-api-attacks-the-latest-state-of-api-security-report-shows