API is a set of functions that is used to manage and interact with the cloud services provided by Cloud Service Providers. Security of cloud services depends on the security of API’s. These interfaces must be designed protectively in order to provide Secure Cloud services.
Insecurity in API is due to poorly written code, which makes both application and underlying data at risk. The potential API attacks fall can fall some of the following categories,
- Parameterization attacks using techniques such as SQL Injection and Script injection.
- Identity based attacks this includes App ID, device ID and user ID.
- No encryption and key management challenges
- Man in the Middle Attacks.
The threats / vulnerabilities in cloud security due to API are SQL Injection, Bound or Buffer Overflow, API Keys, Improper configuration of SSL/TLS and leaving API open or unprotected.
The rise of Cloud computing platforms such as Amazon, Azure, IBM, Salesforce, Service now and soon, and Internet of Things (IoT) has enabled different types of users, applications and devices (such as servers, mobile phones, laptops, cars, and smart homes) in various parts of the world to communicate with each other via Application Program Interface (API).
Availability of these connected devices and the enterprise applications deployed within cloud providers are dependent upon these API’s, if these APIs are not secured using mechanisms such as encryption, authentication, access control and logging monitoring then it could get exposed to malicious activities performed by hackers which could outages to enterprise computing environments and also potential reputation and financial impact to the organisation.
API is a relatively newer technology but they have the same risks that the Internet faced in early days (for example, SQL Injection). The developers have even came up with the countermeasures to cope up with such attacks but similar security threats has migrated into applications and looking forward to revive as more organisations publish Internet facing APIs linked directly into their internal application infrastructures.
Every API is unique and carries a unique risk, based on its implementation. This seems to make the API security impossible. The potential attacks against the APIs fall into the categories listed below:
- API Parameterization attack utilizes the data sent into API, including URL, query parameters, HTTP headers and post content.
- Identity based attack utilizes the flaws in authentication and authorization
- Man in the middle attack intercept, alter or reply to genuine & authentic transactions and can extract confidential information (personal data) and
- Weak or no encryption and poor key management.
SQL injection is a classic parameter attack as observed already which causes the potential hijacking of session tokens. Bound or Buffer Overflow is also a parameter attack. This attack utilizes the system by providing it data more than the expected range or type, which leads to system crash and offer access to memory space.
Identity and session risks are mainly due to the bad practices originating from the migration of Web development community to API development. Many applications publishing APIs require clients to use an API key to access to their functionality. But API keys should never be used as a substitute for user credentials when authorising access to APIs. Unfortunately many apps make highhanded use of API keys as they were securely-stored shared secrets.
APIs are subject to increased risk when the transmission is not encrypted or signed or when there is a problem setting up a secure session. If an API is not using SSL/TLS for data transmissions between a client and the API server is very vulnerable to man in the middle API attack.
As API is suspected to be vulnerable to a wide range of attacks we are depending on some of the defensive strategies that are used to overcome those attacks. They are as follows:
Threat Protection Mechanisms
- Deep Payload inspection and threat prevention for API protocols such as REST
- Parameter validation
- Protect against SQL injection, XSS and DDoS.
Identity and Access Management mechanisms which
- Supports for SSL etc..
- Support for SAML, LDAP, OAuth, API Key Authentication etc.
- Access Enforcement by authentication and authorization and risk policies with integration with identity platforms such as Azure AD, IBM Tivoli and Okta
- Encryption of PII information and management of keys
Security Logging and Monitoring
- Auditing and Logging for compliance
- Real time monitoring and alerting against potential threats