API security for connecting the enterprise cloud
In this interview, Don Bergal, COO at Managed Methods, answers questions regarding security around API based connections between an enterprise and the hybrid cloud.
What technology changes are making this important now?
Application Programming Interfaces (APIs) are the glue that connects enterprises to the cloud. While they may not know it, IT teams are already surrounded by API traffic. It is becoming rare to find IT organizations that are not impacted by increased use of APIs to their enterprise cloud. Whether sending claim data to an external billing company, responding with product availability to a reseller, or provisioning virtual cloud servers, all of these operations are based on a series of API message exchanges between organizations.
IT teams must meet the conflicting requirements of ensuring security when conducting business with systems in their hybrid cloud, but also facilitating and promoting business agility. Shutting down the flow to outside servers is not a viable option.
What is a RESTful API?
API growth is tied to the exploding use of REST APIs. REST, or Representational State Transfer, is a framework for exposing application services via simple web URLs. It is similar to the web service architectures begun a decade ago, but far simpler. In fact, the requests and responses pass through network firewalls like typical web requests.
The simplicity and ease of implementation is the reason RESTful APIs have grown so rapidly. Unlike previous generations of web service, it is much simpler to publish an application for consumption by outsiders. And it is far simpler to call on REST APIs as the way for applications to consume cloud based services. For example, all of the dynamic provisioning of cloud services like Amazon Web Services is conducted using REST APIs.
Bottom line, most server-to-server interaction between an enterprise and cloud based systems is now using API based communication.
Where is the security problem?
This leads to the following problems that IT has to deal with:
Unknown security posture – it’s hard to know what your security is if you don’t know what is being used by your organization.
APIs are an opening directly into back-end systems. Without knowing who is coming through, an enterprise is asking for trouble.
Risk of Audit failures – lack of visibility drives the risk of an audit failure when an auditor discovers use of a service whose compliance can’t be demonstrated.
Proliferation of APIs – an accidental enterprise IT architecture that results from shadow IT often leads to using disparate services for same purpose. For example, it is not uncommon to see multiple cloud storage solutions being used across different departments.
When asked how much API activity crosses their network perimeter, two thirds of IT and security managers responded “I don’t know”. If IT and security teams don’t know what information is flowing out to the cloud, or what outsiders are touching information inside, that’s a problem.
What are solutions to this visibility problem?
For an enterprise IT team that is looking to gain visibility into API utilization, you would need a product that has been designed with enterprise IT in mind. It has to treat visibility, to drive security and compliance, as its primary goal.
A new class of security software, designed to give visibility to IT operations and security teams, helps meet these demands.
The basic requirements for gaining API visibility include:
Visibility. If IT can’t discover what services are in use, IT cannot manage the problem. The first requirement is to answer the question “What API based systems already exist?”
Inbound and Outbound. Requests and responses flow both ways. It is not enough to see internal users touching cloud services; IT must see external systems interacting with resources inside the firewall.
Passive Monitoring. “Look but don’t touch” says it all. Before IT can start making changes, it first needs to just observe without any potential impact on existing production.
Fast and simple. Systems that require architectural changes, or that impose new tasks and changes on development teams, will not be implemented in time. If it takes consultants and integration programs just to see the size of the problem, it’s probably too complex.
Permanent. Finally, for regulated industries including healthcare and finance, keeping an archive record of message exchanges is a necessity. If you save your Email traffic, you certainly need to save the server-to-server API exchanges.
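The problems listed under “Where is the security problem?” (unknown posture, unknown callers, proliferation of services) and the requirements just listed (discover what exists, see both directions, look but don’t touch, keep a record) can be exercised against log data that the network already produces. The script below is an added example written for this page; it is not code from the interview or from Managed Methods’ products. It assumes a simplified, constructed proxy/firewall log format (timestamp, direction, source, destination host, method, path, status), a constructed approved-host list and a constructed host-to-category catalog; real deployments would map their own log format into the same fields.

```python
"""Passive API discovery from existing proxy/firewall logs (added example).

Nothing here touches production systems: it only reads log text and builds an
inventory, which is the 'look but don't touch' posture described in the interview.
"""
import json
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Direction is "out" for
# internal -> cloud calls and "in" for external systems reaching internal resources.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z out 10.0.1.15 storage.example-cloud.test GET /v1/buckets/claims/objects 200
2024-03-01T10:00:02Z out 10.0.1.15 storage.example-cloud.test PUT /v1/buckets/claims/objects/1234 201
2024-03-01T10:00:05Z out 10.0.2.40 api.billing-partner.test POST /claims 202
2024-03-01T10:00:07Z out 10.0.3.9 www.example-news.test GET /index.html 200
2024-03-01T10:00:09Z in 203.0.113.7 10.0.5.5 GET /api/inventory/sku/8891 200
2024-03-01T10:00:11Z in 198.51.100.23 10.0.5.5 POST /api/orders 401
2024-03-01T10:00:12Z out 10.0.4.21 files.other-storage.test GET /api/v2/files 200
"""

# Constructed policy data: which outbound hosts are sanctioned, and what each one is for.
APPROVED_HOSTS = {"storage.example-cloud.test", "api.billing-partner.test"}
SERVICE_CATALOG = {
    "storage.example-cloud.test": "cloud storage",
    "files.other-storage.test": "cloud storage",
    "api.billing-partner.test": "billing",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
STATIC_EXT = (".html", ".css", ".js", ".png", ".jpg", ".ico")


def is_api_call(method, path):
    """Heuristic: versioned or /api/ paths, or any non-GET method, excluding static assets."""
    if path.lower().endswith(STATIC_EXT):
        return False
    if method != "GET":
        return True
    return path.startswith("/api/") or re.search(r"/v\d+/", path) is not None


def template_path(path):
    """Collapse numeric identifiers so /orders/1234 and /orders/5678 count as one endpoint."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def discover(text):
    """Inventory of API endpoints keyed by (direction, host, method, templated path)."""
    inventory = defaultdict(lambda: {"count": 0, "sources": set(), "statuses": set()})
    for r in parse_log(text):
        if not is_api_call(r["method"], r["path"]):
            continue
        entry = inventory[(r["dir"], r["dst"], r["method"], template_path(r["path"]))]
        entry["count"] += 1
        entry["sources"].add(r["src"])          # who is calling (inbound: external IPs)
        entry["statuses"].add(int(r["status"]))  # e.g. 401s show rejected outside callers
    return dict(inventory)


def unknown_outbound_hosts(inventory, approved):
    """Outbound API destinations nobody has sanctioned: the 'unknown posture' list."""
    return sorted({host for (d, host, _, _) in inventory if d == "out" and host not in approved})


def duplicated_categories(inventory, catalog):
    """Categories (e.g. cloud storage) served by more than one host: proliferation."""
    by_cat = defaultdict(set)
    for (d, host, _, _) in inventory:
        if d == "out" and host in catalog:
            by_cat[catalog[host]].add(host)
    return {c: sorted(h) for c, h in by_cat.items() if len(h) > 1}


def archive_jsonl(text):
    """Append-only JSON Lines record of every exchange, the kind of archive an auditor can review."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in parse_log(text))


if __name__ == "__main__":
    inv = discover(SAMPLE_LOG)
    for key, entry in sorted(inv.items()):
        print(key, entry["count"], sorted(entry["sources"]), sorted(entry["statuses"]))
    print("unknown outbound:", unknown_outbound_hosts(inv, APPROVED_HOSTS))
    print("duplicated categories:", duplicated_categories(inv, SERVICE_CATALOG))
```

On the constructed sample, the inventory separates the two inbound endpoints on 10.0.5.5 (one of them answering 401 to an outside address) from the outbound cloud calls, flags files.other-storage.test as an unsanctioned destination, and reports “cloud storage” as a category reached through two different hosts, which is the proliferation pattern the interview describes.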
Can’t I just get a quick idea of whether I have an API problem?
Managed Methods offers products to discover and to control the flow of APIs with the cloud. For a quick view, the free product version, API Discovery Free, can be used to see the users and services generating API exchanges across the firewall. It offers the advantage of passively monitoring, not requiring installation on production systems, and being quick to implement. And you can’t beat free!