API security is the protection of the integrity of APIs—both the ones you own and the ones you use. But what does that mean?
Well, you’ve probably heard of the Internet of Things (IoT), where computing power is embedded in everyday objects. The IoT makes it possible to connect your phone to your fridge, so that when you stop at the grocery store on the way home you know exactly what you need for that impromptu dinner party in an hour. Or maybe you’re part of a DevOps team, using microservices and containers to build and deploy legacy and cloud-native apps in a fast-paced, iterative way. APIs are one of the most common ways that microservices and containers communicate with each other, and with the systems and apps around them. As integration and interconnectivity become more important, so do APIs.
Businesses use APIs to connect services and to transfer data. Broken, exposed, or hacked APIs are behind major data breaches, exposing sensitive medical, financial, and personal data for public consumption. That said, not all data is the same, nor should all of it be protected in the same way. How you approach API security will depend on what kind of data is being transferred.
If your API connects to a third-party application, understand what that app does with the data it receives: what it sends onward, to whom, and over what channel. To use the example above, maybe you don’t care if someone finds out what’s in your fridge, but if they can use that same API to track your location, you might be more concerned.
Web API security is concerned with the transfer of data through APIs that are connected to the internet. OAuth (Open Authorization) is the open standard for access delegation. It enables users to grant a third-party application limited access to their web resources without sharing their passwords; the application receives a scoped access token instead. OAuth is the technology standard that lets you share that Corgi belly flop compilation video onto your social networks with a single "share" button.
Most API implementations are either REST (Representational State Transfer) or SOAP (Simple Object Access Protocol).
REST APIs use HTTP and support Transport Layer Security (TLS) encryption. TLS keeps an internet connection private and lets each side check that the data sent between two systems (server to server, or client to server) is encrypted and has not been modified in transit. This means that an attacker sitting on the network between a shopping website and its customers can neither read your credit card information nor tamper with it. You know a website is protected with TLS when the URL begins with "HTTPS" (Hypertext Transfer Protocol Secure). Keep in mind that TLS protects data only while it is moving: it does nothing against a flaw in the API itself, such as an endpoint that hands one customer another customer's records.
SOAP APIs use built-in protocols known as Web Services Security (WS-Security). These protocols define a rule set guided by confidentiality and authentication. SOAP APIs build on standards from the two major international standards bodies: the Organization for the Advancement of Structured Information Standards (OASIS), which maintains WS-Security and SAML, and the World Wide Web Consortium (W3C), which maintains XML Encryption and XML Signature. They use a combination of XML encryption, XML signatures, and SAML tokens for authentication and authorization. In general, SOAP APIs are praised for having more comprehensive built-in security measures, but they also need more management. For these reasons, SOAP APIs are often recommended for organizations handling sensitive data. A REST API that uses TLS and a well-implemented token scheme can be just as secure; the difference is that SOAP standardizes message-level protections that REST leaves to the implementer.
You probably don’t keep your savings under your mattress. Most people keep their money in a trusted environment (the bank) and use separate methods to authorize and authenticate payments. API security is similar: you need a trusted environment with policies for authentication and authorization.
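As an added example (not code from the original page or from Red Hat), here are the checks a TLS client performs on the certificate a server presents, written in Go against the standard library. The certificate, its host name api.example, and the timestamps are constructed for the example; a real client takes its roots from the system trust store and receives the certificate during the handshake. The block also shows the hardened client configuration next to the setting, InsecureSkipVerify, that would switch those checks off:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert creates a certificate for host, valid for 24 hours from
// notBefore. It stands in for the CA-issued certificate a real API server
// would present; everything here is constructed for the example.
func selfSignedCert(host string, notBefore time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // clients match the host name against the SANs
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it acts as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CheckServerCert runs the checks a TLS client applies to the server's
// certificate during the handshake: it must chain to a trusted root, be
// issued for the host the client asked for, and be valid at the current time.
func CheckServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ClientConfig is the hardened client side: it trusts only the given roots,
// refuses anything older than TLS 1.2, and leaves verification switched on.
// InsecureSkipVerify: true would silence every error CheckServerCert reports,
// and with it the protection against a man-in-the-middle.
func ClientConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		RootCAs:            roots,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false,
	}
}

func main() {
	now := time.Now()
	cert, _, err := selfSignedCert("api.example", now.Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	fmt.Println("trusted root, right host:", CheckServerCert(cert, trusted, "api.example", now))
	fmt.Println("unknown root:", CheckServerCert(cert, x509.NewCertPool(), "api.example", now))
	fmt.Println("wrong host:", CheckServerCert(cert, trusted, "evil.example", now))
	fmt.Println("expired:", CheckServerCert(cert, trusted, "api.example", now.Add(48*time.Hour)))
	_ = ClientConfig(trusted)
}
```

Only the first check passes; the other three are the errors a browser or HTTP client surfaces as "unknown authority", a host-name mismatch, and an expired certificate. Passing an empty pool stands in for a client that has never been told to trust the server's issuer.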
Here are some of the most common ways you can strengthen your API security:
- Use tokens. Establish trusted identities, then control access to services and resources with tokens issued to those identities. Keep tokens short-lived, bind each one to the API it is meant for, and validate it (signature, expiry, issuer, audience) on every request.
- Use encryption and signatures. Encrypt data in transit with TLS (see above). Sign tokens and messages so the receiving side can check who issued them and that they were not altered on the way; a signature does not hide data, it proves its origin and integrity.
- Identify vulnerabilities. Keep your operating system, network, drivers, and API components patched. Know how everything works together and identify the weak spots that could be used to break into your APIs. Use scanners and traffic sniffers to detect security issues and track data leaks.
- Use quotas and throttling. Place quotas on how often your API can be called and track its use over time. A sudden rise in calls may indicate that the API is being abused, or it may be a programming mistake such as calling the API in an endless loop. Set throttling rules to protect your APIs from traffic spikes and Denial-of-Service attacks.
- Use an API gateway. API gateways act as the major point of enforcement for API traffic. A good gateway lets you authenticate traffic, apply quotas and throttling, and control and analyze how your APIs are used.
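The quota and throttling item above, as an added worked example in Go that is not part of the original page or of any Red Hat product: a per-client token bucket wrapped around an HTTP handler, which answers 429 Too Many Requests once a caller has used up its burst and counts throttled calls so abuse (or a runaway loop) can be spotted. The X-API-Key header name, the rates, and the client IDs are assumptions made for the example:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Limiter is a per-client token bucket: a client may burst up to burst calls,
// then sustain rate calls per second. Buckets are keyed by the caller's
// identity, so one noisy client cannot consume another client's quota.
type Limiter struct {
	mu       sync.Mutex
	rate     float64          // tokens refilled per second
	burst    float64          // bucket capacity
	now      func() time.Time // clock, replaceable in tests
	buckets  map[string]*bucket
	Rejected map[string]int // throttled calls per client: the signal to alert on
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewLimiter(rate, burst float64) *Limiter {
	return &Limiter{
		rate: rate, burst: burst, now: time.Now,
		buckets: map[string]*bucket{}, Rejected: map[string]int{},
	}
}

// Allow reports whether clientID may make one more call right now.
func (l *Limiter) Allow(clientID string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[clientID]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[clientID] = b
	}
	// Refill in proportion to the time elapsed, never above capacity.
	b.tokens += now.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		l.Rejected[clientID]++
		return false
	}
	b.tokens--
	return true
}

// Middleware enforces the limiter in front of an API handler. The caller is
// identified by an X-API-Key header (an assumed name); a real gateway would
// validate the key first and key the bucket on the authenticated client ID.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := r.Header.Get("X-API-Key")
		if key == "" {
			http.Error(w, "missing API key", http.StatusUnauthorized)
			return
		}
		if !l.Allow(key) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed demo: 2 calls per second sustained, bursts of 3.
	l := NewLimiter(2, 3)
	h := l.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	req := httptest.NewRequest(http.MethodGet, "/v1/orders", nil)
	req.Header.Set("X-API-Key", "app-42")
	for i := 1; i <= 5; i++ {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		fmt.Printf("call %d -> %d\n", i, rec.Code) // calls 4 and 5 get 429
	}
	fmt.Println("throttled calls for app-42:", l.Rejected["app-42"])
}
```

The bucket refills continuously rather than resetting on a fixed window, so a client that hammers the API at the boundary of a window cannot get double its quota. The Rejected counter is the "track its use over history" part: a client whose rejections keep climbing is either abusive or stuck in a loop, and either way deserves a look.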
Finally, API security often comes down to good API management. Many API management platforms support three types of security schemes. These are:
- An API key: a single secret string that identifies the calling application. It is a shared secret rather than a hardware device, so it must only ever travel over TLS and should be treated like a password.
- Basic Authentication (App ID / App Key): a two-string scheme, much like a username and password, in which the ID identifies the application and the key proves it.
- OpenID Connect (OIDC): an identity layer on top of the popular OAuth 2.0 framework. The client obtains a signed ID token from an authorization server, optionally with basic profile information about the user, and the API verifies that token's signature, issuer, audience, and expiry rather than handling any password itself.
When you select an API manager, know which of these security schemes it can handle and how many it can combine, and have a plan for how you will incorporate the API security practices outlined above.
Data breaches are scary, but you can take steps toward better security. APIs are worth the effort; you just need to know what to look for. Red Hat publishes an annual Red Hat product risk report, which outlines global security vulnerabilities affecting enterprise software, and Red Hat's solutions for our products. A lot of it comes down to continuous security measures, asking the right questions, knowing which areas need attention, and using an API manager that you can trust. We are here to help.
At Red Hat, we recommend our award-winning Red Hat 3scale API Management. It includes:
- An API manager, which manages the API, applications, and developer roles
- A traffic manager (an API gateway) that enforces the policies from the API manager
- An identity provider (IDP) hub that supports a wide range of authentication protocols
At the API gateway, Red Hat 3scale API Management decodes timestamped tokens and rejects those that have expired, checks that the client identification carried in the token is valid, and confirms the token's signature using the issuer's public key.
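The token checks just described for the gateway (decode, expiry, client identity, signature against a public key), together with the "use tokens" and OpenID Connect items earlier on the page, as an added example written in Go; it is neither 3scale's code nor code from the original page. The token is a signed JSON Web Token (JWT) using ES256, and the issuer URL https://idp.example, the audience orders-api, and the claims are all constructed for the example. The issuer side is included only so the verification can run offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// MintToken is the identity provider's side: it signs the claims as an ES256 JWT.
func MintToken(priv *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is R || S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the gateway's side. It pins the algorithm, checks the signature
// with the issuer's public key, and only then trusts the claims: the token must
// be unexpired and issued by issuer for the given audience.
func VerifyToken(tok string, pub *ecdsa.PublicKey, issuer, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if hdr, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hdr, &header) != nil {
		return nil, errors.New("bad header")
	}
	// Never let the token pick the verifier: accepting "none" or a symmetric
	// alg here is the classic JWT algorithm-confusion bug.
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any // parsed only after the signature holds
	if body, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return nil, errors.New("wrong issuer")
	}
	if !hasAudience(claims["aud"], audience) {
		return nil, errors.New("wrong audience")
	}
	return claims, nil
}

// hasAudience accepts both the string and the array form of the aud claim.
func hasAudience(aud any, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []any:
		for _, a := range v {
			if a == want {
				return true
			}
		}
	}
	return false
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tok, _ := MintToken(priv, map[string]any{"iss": "https://idp.example", "aud": "orders-api", "sub": "app-42", "exp": now.Add(5 * time.Minute).Unix()})
	claims, err := VerifyToken(tok, &priv.PublicKey, "https://idp.example", "orders-api", now)
	fmt.Println("sub:", claims["sub"], "err:", err)
	_, err = VerifyToken(tok, &priv.PublicKey, "https://idp.example", "billing-api", now)
	fmt.Println("same token replayed against another API:", err)
}
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is fixed by the gateway rather than taken from the token, and the audience check stops a token minted for one API from being replayed against another. In production the public key comes from the issuer's published key set (OIDC discovery) and is selected by key ID, not embedded in the gateway as it is here.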