The protection of application programming interfaces (API) has become increasingly important to organizations, largely due to the proliferation of Internet of Things (IoT). Providing everyday objects with internet connectivity offers many benefits, provided their cloud platform supports these capabilities.
For example, today’s software developers develop applications in an iterative way by using tools such as containers and microservices, which require APIs. The incentive to protect APIs thus becomes stronger as the importance of software interconnectivity increases.
Why is API security important?
Organizations routinely use APIs to transfer data and connect to services. APIs therefore pose an attractive target to hackers, making them a common cause of major breaches of sensitive data such as medical and financial records. Not all APIs should be protected in the same way, as the best approach to API security depends on the type of data the API handles. For example, an API that tracks your physical location should have greater security than one that tracks the contents of the refrigerator.
Open Authorization (OAuth) is currently the open standard for delegating access to web APIs, which handle the transfer of data through APIs to the internet. It allows users to grant access to web resources to third parties without needing to share passwords with that party. APIs are usually implemented as Representational State Transfer (REST) or Simple Object Access Protocol (SOAP) APIs.
REST APIs
REST APIs primarily rely on Hypertext Transfer Protocol Secure (HTTPS) and Transport Layer Security (TLS) for encryption, which is often used to protect credit information on shopping websites. This approach to security keeps Internet connections private, while also ensuring that the data sent between two systems remains encrypted and unmodified. A URL that begins with the string “HTTPS” is protected in this manner. REST APIs also use the file format JavaScript Object Notation (JSON), which makes it easier to transfer data with web browsers. The combination of HTTP and JSON eliminates the need for rest APIs to store or repackage data, making them faster than SOAP APIs.
SOAP APIs
SOAP APIs use Web Services Security (WS Security) to make themselves more secure. These built-in protocols use a set of rules to provide confidentiality and authentication for the data these APIs handle. SOAP APIs support standards developed by major international organizations such as the Organization for the Advancement of Structured Information Standards (OASIS) and World Wide Web Consortium (W3C). They also verify the authentication and authorization of users through a combination of Security Assertion Markup Language (SAML) tokens, the Extensible Markup Language (XML) tokens and XML signatures.
SOAP APIs generally have more comprehensive security than REST APIs, although they also require more management. SOAP APIs are therefore most often used to handle particularly sensitive data.
Best Practices
The best practices in API security generally relate to the development of a secure operating environment that separates authentication and authorization. For example, an API gateway is typically used to enforce API traffic by authenticating it and controlling the use of the APIs. Signatures ensure that only authorized users are able to decrypt and modify data. Tokens also establish trusted identities, while controlling access to services and resources.
Additional best practices in API security include the identification of vulnerabilities in API components, drivers, networks and operating systems. Packet sniffers are especially useful in tracking data leaks, which are a common source of vulnerabilities. Quotas on calling an API can help identify when that API is being abused intentionally by an attack or inadvertently by a programming bug. Rules on throttling API calls can protect them from Denial-of-Service (DoS) attacks and traffic spikes.
Data Protection and Privacy flickr photo by Cerillion shared under a Creative Commons (BY) license
