Secure your API with a Layer of Indirection
A popular maxim among computer scientists states that every problem can be solved by adding a layer of indirection. When it comes to API and cloud security, this principle can work wonders. A layer of indirection (also referred to as a layer of abstraction) in the cloud, with security built into the platform, can help mitigate threats such as the recently disclosed "FREAK" SSL/TLS vulnerability, and can ease concerns for enterprises that migrate workloads or services to the cloud.
FREAK, which emerged last week, lets a man-in-the-middle attacker force an HTTPS connection between a vulnerable client and a server that still accepts RSA_EXPORT cipher suites down to 512-bit "export-grade" RSA. Keys that short can be factored with modest computing resources, after which the session's traffic can be decrypted or altered.
With the emergence of threats like this, the ability to configure security at the edge of your enterprise, and to do it quickly, has become critical. With API security, the primary goal is to protect the APIs you expose from your data centers and cloud services to your developers and partners. So how do you do this without compromising application security, while still allowing app developers to innovate at warp speed?
Here is where applying the principle of indirection to your APIs by using an API management platform offers protection in a seamless way. An API indirection layer with a strong security facade helps developers consume APIs in a frictionless way. It also enables API teams to govern the APIs with consistent security aligned with their enterprise security architecture. The benefits of a secure API facade on your APIs include the ability to:
mitigate application-layer weaknesses in the backend by taking advantage of the API management platform's threat protection features, including two-way (mutual) TLS, OWASP Top 10 protection, rate limiting, and quota restrictions for private or public apps
provide strong authentication for mobile and web apps using OAuth 2.0 access tokens, even when the API behind the facade does not itself support newer and stronger security protocols
enforce fine-grained authorization on your APIs, per developer and partner, without requiring you to redesign the APIs
buy time to patch your APIs against newly disclosed vulnerabilities such as POODLE, GHOST, and FREAK; a secure facade can be reconfigured in seconds, instead of the days needed to code, test, and deploy the equivalent controls in each vulnerable API
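The first three facade responsibilities in the list above (client authentication, fine-grained authorization, and quota enforcement) in one runnable sketch. This is an added example, not code from the original post or from any API management product. The token format is a constructed HMAC-signed stand-in for an OAuth 2.0 access token (a real facade would validate tokens issued by its authorization server rather than sign them itself), and the routes, scopes, client names, and quota are assumptions made for the illustration:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the demo token. A real facade validates tokens
# issued by its OAuth 2.0 authorization server (introspection or JWKS); it
# does not mint them with a shared secret like this.
SECRET = b"facade-demo-signing-key"

# Scope each backend route requires (assumed). The backend itself knows
# nothing about scopes; the facade enforces them in front of it.
ROUTE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


def issue_token(client_id: str, scopes: list, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Constructed stand-in for an access token: base64url(JSON claims).base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": client_id, "scope": scopes, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(part) for part in (payload, sig)).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        claims = json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: wrong shape, bad base64, or bad JSON
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class Facade:
    """Edge enforcement: authentication, per-route scope, and a per-client fixed-window quota."""

    def __init__(self, quota_per_minute: int = 5):
        self.quota = quota_per_minute
        self.counters = {}  # client_id -> (window_index, requests_in_window)

    def handle(self, method: str, path: str, headers: dict, now: Optional[int] = None):
        """Return (status, message); 200 means the request would be forwarded to the backend."""
        now = int(time.time()) if now is None else now
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        claims = verify_token(auth[len("Bearer "):], now)
        if claims is None:
            return 401, "invalid or expired token"
        needed = ROUTE_SCOPES.get((method, path))
        if needed is None:
            return 404, "unknown route"  # routes not declared at the facade are never forwarded
        if needed not in claims.get("scope", []):
            return 403, "scope %s required" % needed
        window = now // 60
        start, count = self.counters.get(claims["sub"], (window, 0))
        if start != window:  # a new minute starts a fresh window
            start, count = window, 0
        if count >= self.quota:
            return 429, "quota exceeded"
        self.counters[claims["sub"]] = (start, count + 1)
        return 200, "forwarded %s %s for %s" % (method, path, claims["sub"])
```

Note that the scope check happens before the quota is charged, so a client cannot burn through a partner's quota with requests that would be rejected anyway, and that every failure path short-circuits before anything reaches the backend.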
So when the next vulnerability of this kind rears its ugly head, you act at the facade instead of in every backend: add the affected protocol version to your blacklist (for POODLE, disable SSL 3.0 outright) and ban the affected cipher suites (for FREAK, remove every RSA_EXPORT suite, so the server can never be talked into export-grade keys), and your exposed APIs are protected while the fix is still making its way through the backends. One caveat: the facade hardens only the connections that terminate at the facade. The hop from the facade to the backend, and any backend endpoint still reachable directly, need the same configuration, and the underlying patch still has to be applied.
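The blacklist idea as an added example (not from the original post or from any vendor's product): an edge policy that bans SSL 3.0 and export cipher suites, a negotiation check showing why a server that still offers RSA_EXPORT suites is exposed to a FREAK-style rewritten ClientHello while the same handshake fails closed under the policy, and the same policy applied to a real OpenSSL-backed ssl.SSLContext. The cipher-suite lists, the policy dictionary, and the function names are constructed for the illustration; the simulation models only the server-side suite choice, not the client bug that makes FREAK work end to end.

```python
import re
import ssl

# Constructed edge policy: what the facade refuses regardless of what any backend supports.
EDGE_POLICY = {
    # POODLE is a flaw in SSL 3.0's CBC padding; SSL 2.0 has been broken far longer.
    "blocked_protocols": {"SSLv2", "SSLv3"},
    # FREAK abuses RSA_EXPORT suites (OpenSSL names them EXP-...). The remaining
    # patterns cover RC4, DES/3DES, NULL and MD5-based suites that should go at the same time.
    "blocked_cipher_patterns": [r"^EXP-", r"RC4", r"^DES-", r"NULL", r"MD5$"],
}


def protocol_allowed(version: str, policy=EDGE_POLICY) -> bool:
    return version not in policy["blocked_protocols"]


def cipher_allowed(name: str, policy=EDGE_POLICY) -> bool:
    return not any(re.search(pattern, name) for pattern in policy["blocked_cipher_patterns"])


def negotiate(client_offer, server_supported, policy=None):
    """Pick the first suite in the server's preference order that the client also offered.
    With a policy, banned suites are dropped from the server side before selection, so a
    downgraded ClientHello can never land on one; None means the handshake fails closed."""
    usable = [c for c in server_supported if policy is None or cipher_allowed(c, policy)]
    for suite in usable:
        if suite in client_offer:
            return suite
    return None


# Constructed suite lists in OpenSSL naming.
LEGACY_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "EXP-RC4-MD5", "EXP-DES-CBC-SHA"]
HONEST_CLIENT_HELLO = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
# A FREAK-style man-in-the-middle rewrites the ClientHello so only export suites remain.
MITM_CLIENT_HELLO = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA"]


def freak_downgrade_possible(server_supported, policy=None) -> bool:
    """True if a rewritten ClientHello can make this server select an export-grade suite."""
    chosen = negotiate(MITM_CLIENT_HELLO, server_supported, policy)
    return chosen is not None and chosen.startswith("EXP-")


def hardened_context() -> ssl.SSLContext:
    """The same policy applied to a real context for the facade's TLS listener."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSLv3, TLS 1.0 and TLS 1.1 cannot be negotiated at all once the floor is TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the '!' entries mirror the blacklist above.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5")
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return (floor_is_tls12, banned_suites_still_enabled) for a context."""
    names = [c["name"] for c in ctx.get_ciphers()]
    banned = [n for n in names if not cipher_allowed(n)]
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_2, banned


if __name__ == "__main__":
    print("legacy server, honest client:", negotiate(HONEST_CLIENT_HELLO, LEGACY_SERVER))
    print("legacy server, rewritten hello:", negotiate(MITM_CLIENT_HELLO, LEGACY_SERVER))
    print("facade policy, rewritten hello:", negotiate(MITM_CLIENT_HELLO, LEGACY_SERVER, EDGE_POLICY))
    print("hardened context audit:", audit_context(hardened_context()))
```

The point of `negotiate` is the asymmetry: an honest client never offers an export suite, so the legacy server looks fine until an attacker in the path rewrites the offer; removing the suites at the facade turns that rewritten handshake into a failure instead of a 512-bit session. `audit_context` is the check to run against the facade's own configuration after every change, because the blacklist only helps if it reached the listener.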
The strength of an API security program is determined not only by preventive controls such as OAuth-based authentication, but also by your ability to react to newly disclosed threats such as FREAK. We will see more of these attacks; the only way to future-proof your security response is an architecture that lets you configure security at the edge of your enterprise in near real time, without disrupting your enterprise's mission-critical APIs.
Photo: Holly Victoria Norval/Flickr