Guide to API security
APIs have become a strategic necessity for businesses — with 96% of teams reporting that they currently use APIs. However, APIs can also pose a risk to organizations should the data that travels through them be exposed. By 2022, Gartner predicts that API abuses will become the most common type of web application data breach, resulting in a $600B yearly cost for organizations.
As enterprises shift toward digital means of operation and increase their network complexity, the risk of API attacks increases — making API security a top-of-mind priority for IT decision makers.
What is API security?
API security encompasses the programs and procedures that an organization takes to ensure that existing APIs have the latest security controls and that new APIs are built according to enterprise security standards. As APIs become the standard for connecting systems and unlocking data for internal and external consumption, API security has become increasingly important.
A secure API is one that can guarantee the confidentiality of the information it processes by making it visible only to the users, apps, and servers that are authorized to consume it. Likewise, it must guarantee the integrity of the information it receives from the clients and servers that it collaborates with — so that it will only process information it knows has not been modified by a third-party.
3 principles of API security
There are three main components that ensure an API is secure. The below section will go over these principles and some best practices for implementing them:
Identity and access management (IAM)
Identity and access management ensures that all applications, servers, and users that consume your API are those with the proper permissions to do so. The two main means of identity and access management are authentication and authorization. Authentication means understanding who someone is, while authorization deals with what that individual can do. Access control uses both authentication and authorization to enforce control within a given system.
One type of access management is multi-factor authentication. Multi-factor authentication is when an app requests a single-use token from the user after it’s already authenticated the user’s credentials. Another method of securing application and data access is via token-based credentials. The first time a user accesses an identity provider with their username/password credentials, a token is issued. From there, rather than having users share their credentials over the network — which can present a security risk — the app only needs to send the token.
Content integrity and confidentiality
After ensuring proper access to systems, the next step is to secure any incoming communications with your API. Message or content integrity ensures that the message was not compromised after transmission. When a message is integral, it means that it was not intercepted by a third-party after the sender transmitted the message before forwarding it to an API. Content or message confidentiality ensures that the message received is verified and that the journey from sender to API has not been witnessed by unwelcome spies who saw the details of the message.
One way to ensure message integrity is with digital signatures, which are used to record the authenticity of a transaction. In this case, an app creates a signature using an algorithm and a secret code. The API applies the same algorithm with a new secret code to produce its own signature, and compares it to the incoming signature. Another method to ensure message integrity is cryptography. Public-key cryptography is the method of producing an encryption of a message that’s nearly impossible to decode without a corresponding key.
API reliability and availability
Today’s apps exist in the cloud with integrations to countless other cloud and on-premises services. Data flows from one service or microservice to another, and from one user to another, creating a multitude of attack surfaces. Your API must guarantee that it is always available to respond to calls and that once it begins execution on the call, that it can finish handling the received message immediately without losing data and leaving it vulnerable to attack.
This can be achieved by horizontally scaling the API across multiple servers and by handing off the processing of the message to a message broker, which will hold the message til the API has completed its processing. The understanding in this latter scenario is that another process is subscribed to this message publication and thus continues the processing asynchronously.
Security by design
Learn why adopting an API-led approach to integration enables you to follow security and governance best practices. APIs built with Anypoint Platform enable security teams to apply automated, layered, and intelligent security across domains, microservices, and APIs on a unified platform and enable development teams to build new applications and customer experiences with security and compliance enabled by default.
For more API security best practices, download our whitepaper.