By Katrina Thompson
We all know API security is important: after all, 95% of us were on the receiving end of an API
attack within the past year. But do we know how big a part machine identities
have to play?
The OWASP
API Security Top 10 list for 2019 includes
three threats involving authentication and authorization, and this API Security Checklist notes, "When
considering API security best practices for authentication and authorization,
remember that you must account for both user and machine identities."
Here is why that is, what it means in practice, and how you
can use machine identity protection to your advantage when securing your APIs.
The need to secure APIs
An Application Programming Interface (API) is "an interface
that provides programmatic access to service functionality and data within an
application or a database," according to Gartner, and is used to "serve the needs of a
digital transformation or an ecosystem, and start a platform business model." Overall API traffic
grew 321% this past year, and the growth is understandable given that
over 80% of web traffic is now
API traffic.
Consequently, "As the attack surface has grown, and as more
bad actors have realized how lucrative it is to target APIs, the number of API
attacks has skyrocketed," notes Michelle
McLean, VP of Marketing at Salt Security.
API security has
never been more important. The average number of APIs per company increased
by 221% in 12 months, and, more worrying still, 91% of APIs expose PII or personal data. To
complicate matters, 86% of survey
respondents reported they lacked confidence that they know which
APIs expose sensitive data, while 85% said their current tools are
ineffective at stopping API attacks.
One reason may be that those tools do not work at
the machine identity level. As privacy takes center stage in the fight over APIs, defending at the level of
the machine identity, the certificates and keys with which services authenticate each other, is key to securing the authentication and authorization
chain, an often-overlooked part of securing your APIs.
Why machine identities are central to securing your APIs
It is just as important to validate the identities of the services behind an API as
it is to validate any other human or machine entity (a
container, an IoT device, and so on). This "machine identity" takes the form of
digital certificates and cryptographic keys. These credentials are what allow TLS (and so HTTPS)
and SSH to authenticate a service to its peers, so that it can securely
communicate with other services, establish trust, and gain authorized network
access; they are the foundation on which API authentication and authorization rest.
As we mentioned, the OWASP API Security Top
10 list for 2019 includes no fewer
than three entries relating to authentication and authorization
issues. They are as follows:
- "API1:2019 Broken Object Level Authorization. APIs tend to expose
endpoints that handle object identifiers, creating a wide attack surface Level
Access Control issue. Object level authorization checks should be considered in
every function that accesses a data source using an input from the user.
- API2:2019 Broken User Authentication. Authentication
mechanisms are often implemented incorrectly, allowing attackers to compromise
authentication tokens or to exploit implementation flaws to assume other users'
identities temporarily or permanently. Compromising a system's ability to
identify the client/user, compromises API security overall.
- API5:2019 Broken Function Level Authorization. Complex access control
policies with different hierarchies, groups, and roles, and an unclear
separation between administrative and regular functions, tend to lead to
authorization flaws. By exploiting these issues, attackers gain access to other
users' resources and/or administrative functions."
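To make the first and third OWASP items concrete, here is an added example (not code from the article or from OWASP) of a toy in-memory "orders" API: each handler appears in a deliberately vulnerable form beside its hardened form. Callers may be human users or service accounts, so the same object-level and function-level checks cover both user and machine identities. The store, the role names and the `orders:read-all` scope are invented for this illustration.

```python
"""Object-level (API1:2019) and function-level (API5:2019) authorization.

Added example, not code from the article or from OWASP: a toy in-memory
'orders' API with a deliberately vulnerable handler beside its hardened form.
Callers may be human users or service accounts (machine identities). The
store, role names and scope strings are invented for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated caller: a person or a service (machine identity)."""
    subject: str                      # e.g. "alice" or "svc-reporting"
    roles: frozenset = frozenset()    # roles or scopes granted to the caller
    is_service: bool = False


@dataclass
class Order:
    order_id: int
    owner: str
    total: float


class Forbidden(Exception):
    """Raised when a caller is not allowed to perform the requested action."""


# Constructed sample data.
ORDERS = {
    1001: Order(1001, "alice", 49.90),
    1002: Order(1002, "bob", 120.00),
}


def get_order_vulnerable(caller: Principal, order_id: int) -> Order:
    """API1 flaw: the identifier from the request selects the record directly,
    so any authenticated caller can read any order."""
    return ORDERS[order_id]


def _may_read(caller: Principal, order: Order) -> bool:
    """Object-level rule: owners see their own orders; support staff and
    services holding the read-all scope see every order."""
    if order.owner == caller.subject:
        return True
    if "support" in caller.roles:
        return True
    return caller.is_service and "orders:read-all" in caller.roles


def get_order(caller: Principal, order_id: int) -> Order:
    """Hardened: fetch, then check that *this* caller may see *this* object.
    Missing and forbidden objects get the same error so the id space cannot be
    enumerated by telling 403 from 404."""
    order = ORDERS.get(order_id)
    if order is None or not _may_read(caller, order):
        raise Forbidden("order not found or not accessible")
    return order


def refund_order_vulnerable(caller: Principal, order_id: int) -> str:
    """API5 flaw: an administrative function reachable by any caller."""
    order = ORDERS[order_id]
    return f"refunded {order.total} to {order.owner}"


def require_role(role: str):
    """Decorator enforcing function-level authorization before the body runs."""
    def wrap(fn):
        def guarded(caller: Principal, *args, **kwargs):
            if role not in caller.roles:
                raise Forbidden(f"{caller.subject} lacks role {role}")
            return fn(caller, *args, **kwargs)
        return guarded
    return wrap


@require_role("finance-admin")
def refund_order(caller: Principal, order_id: int) -> str:
    """Hardened: only principals holding 'finance-admin' reach the refund logic."""
    order = ORDERS.get(order_id)
    if order is None:
        raise Forbidden("order not found or not accessible")
    return f"refunded {order.total} to {order.owner}"
```

The point of the hardened `get_order` is the one OWASP makes: the authorization check sits in the function that touches the data source, keyed on the caller's identity, not on anything the request supplied. Returning one error for "missing" and "not yours" is a small extra that denies an attacker the 403/404 oracle they would otherwise use to map valid identifiers.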
Without validated machine identities, APIs leave security
gaps that can end in the compromise of sensitive data: an attacker
takes advantage of weak authentication controls to get into an account, meets
no authorization checks once inside, and so gains access to
API data. And perhaps nowhere are machine identities more abundant than in API
gateways, where large numbers of TLS keys and certificates are used to
establish trust between entities.
Secure API Machine Identities
I'd recommend looking for a solution that uses
machine learning to analyze traffic from web, software-as-a-service, mobile,
microservice, and internet-of-things APIs and to build a baseline of
normal behavior for each API. Attacks now focus on the business logic of APIs (going beyond
one-and-done SQLi and XSS payloads), so you need to be able to identify the
anomalies that betray an attacker during reconnaissance: a caller walking through object identifiers, or probing which calls succeed without the expected permissions.
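What such a baseline can catch is easier to see on data. The following added example (not code from the article or any product it mentions) parses constructed API access-log lines, groups requests by caller and endpoint template, and flags callers whose behavior looks like reconnaissance against object-level authorization: many distinct object identifiers, identifiers visited in sequence, and a high share of denied responses. The log format, the thresholds and the subject names are invented for this illustration.

```python
"""Per-API behavioural baseline with identifier-enumeration detection.

Added example, not from the article: constructed access-log lines are parsed,
requests are grouped by caller and endpoint template, and callers who depart
from normal use (many distinct object ids, sequential ids, mostly denied) are
flagged as reconnaissance against object-level authorization. Log format,
thresholds and identifiers are invented for this illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed log format: <timestamp> sub=<subject> <METHOD> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: alice and svc-mobile behave normally; bob walks ids.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sub=alice GET /v1/orders/1001 200
2024-05-01T10:00:02Z sub=alice GET /v1/orders/1001/items 200
2024-05-01T10:00:03Z sub=svc-mobile GET /v1/orders/1002 200
2024-05-01T10:00:04Z sub=svc-mobile GET /v1/orders/1412 200
2024-05-01T10:00:05Z sub=bob GET /v1/orders/2001 403
2024-05-01T10:00:05Z sub=bob GET /v1/orders/2002 403
2024-05-01T10:00:06Z sub=bob GET /v1/orders/2003 200
2024-05-01T10:00:06Z sub=bob GET /v1/orders/2004 403
2024-05-01T10:00:07Z sub=bob GET /v1/orders/2005 403
2024-05-01T10:00:07Z sub=bob GET /v1/orders/2006 404
2024-05-01T10:00:08Z sub=bob GET /v1/orders/2007 403
2024-05-01T10:00:08Z sub=bob GET /v1/orders/2008 403
""".splitlines()


@dataclass
class Request:
    sub: str
    method: str
    template: str            # path with numeric ids replaced by {id}
    obj_id: Optional[int]    # last numeric id in the path, if any
    status: int


def parse_line(line: str) -> Optional[Request]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    ids = re.findall(r"/(\d+)(?=/|$)", path)
    template = re.sub(r"/\d+(?=/|$)", "/{id}", path)
    return Request(m["sub"], m["method"], template,
                   int(ids[-1]) if ids else None, int(m["status"]))


def longest_sequential_run(ids: List[int]) -> int:
    """Length of the longest run of consecutive integers, in request order."""
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(lines, min_distinct=5, min_run=5, denied_ratio=0.5
                       ) -> Dict[Tuple[str, str], List[str]]:
    """Return {(subject, endpoint template): reasons} for callers who look like
    they are walking object identifiers. Two independent signals are required,
    so a legitimate service that reads many different ids is not flagged."""
    groups = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req and req.obj_id is not None:
            groups[(req.sub, req.template)].append(req)
    findings = {}
    for key, reqs in groups.items():
        ids = [r.obj_id for r in reqs]
        reasons = []
        if len(set(ids)) >= min_distinct:
            reasons.append(f"{len(set(ids))} distinct object ids")
        if longest_sequential_run(ids) >= min_run:
            reasons.append("sequential object ids")
        denied = sum(1 for r in reqs if r.status in (401, 403, 404))
        if denied / len(reqs) >= denied_ratio:
            reasons.append(f"{denied}/{len(reqs)} requests denied")
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings
```

Grouping by endpoint template rather than raw path is what makes the baseline per API: `/v1/orders/1001` and `/v1/orders/2008` are the same operation. Requiring two signals keeps a reporting service that legitimately reads many different orders out of the findings, while the combination of sequential identifiers and mostly denied responses is exactly what a caller probing for a missing object-level check produces.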
It only takes a weak password, a missing account-lockout
threshold, or too long between password or certificate rotations before your
API is at risk of compromise (broken user authentication). Maintaining and
updating your machine identities helps ensure your certificates are rotated
before they expire and that your users and machines alike are properly identified, authenticated,
and authorized.
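The lifecycle the previous paragraph describes, credentials that name the key behind them, keys with a validity window, rotation with an overlap period, and rejection of anything signed by a retired key or past its own expiry, is the same whether the credential is an X.509 certificate or something simpler. The following added example (not code from the article) demonstrates it with HMAC-signed service tokens rather than certificates, because that runs with the Python standard library alone; the key ids, secrets, subjects and durations are invented for this illustration.

```python
"""Service-to-service credentials with key ids, rotation and expiry.

Added example, not from the article. The article's machine identities are
X.509 certificates and keys; to stay runnable with only the standard library
this uses HMAC-signed service tokens, which exercise the same lifecycle points:
every token names the key that signed it, keys have a validity window, rotation
overlaps old and new keys for a grace period, and anything signed by a retired
key or past its own expiry is rejected. Names, secrets and durations are
invented for this illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SigningKey:
    kid: str
    secret: bytes
    not_before: int   # unix seconds
    not_after: int


@dataclass
class ServiceKeyring:
    """Keys a token issuer signs with; `current` is used for new tokens."""
    keys: Dict[str, SigningKey] = field(default_factory=dict)
    current: str = ""

    def add(self, key: SigningKey) -> None:
        self.keys[key.kid] = key
        self.current = key.kid

    def rotate(self, new_key: SigningKey, now: int, grace: int) -> None:
        """Introduce new_key and retire the current key `grace` seconds from
        now, so tokens already in flight keep verifying during the overlap."""
        old = self.keys[self.current]
        old.not_after = min(old.not_after, now + grace)
        self.add(new_key)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(ring: ServiceKeyring, subject: str, now: int, ttl: int) -> str:
    """Mint '<kid>.<payload>.<sig>' for a service, signed with the current key."""
    key = ring.keys[ring.current]
    payload = json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                         separators=(",", ":")).encode()
    signing_input = f"{key.kid}.{_b64(payload)}".encode()
    sig = hmac.new(key.secret, signing_input, hashlib.sha256).digest()
    return f"{key.kid}.{_b64(payload)}.{_b64(sig)}"


def verify_token(ring: ServiceKeyring, token: str, now: int
                 ) -> Tuple[Optional[str], str]:
    """Return (subject, 'ok') if the token is valid at `now`, else (None, reason).
    The signature is checked before the payload is parsed, so only authentic
    claims are ever interpreted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    kid, payload_b64, sig_b64 = parts
    key = ring.keys.get(kid)
    if key is None:
        return None, "unknown key id"
    if not (key.not_before <= now < key.not_after):
        return None, "signing key retired or not yet valid"
    expected = hmac.new(key.secret, f"{kid}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None, "bad signature"
        claims = json.loads(_unb64(payload_b64))
    except (binascii.Error, ValueError):
        return None, "bad signature"
    if now >= claims["exp"]:
        return None, "token expired"
    return claims["sub"], "ok"
```

The grace period in `rotate` is what makes rotation safe to do often: the old key keeps verifying tokens already issued until they age out, then is refused outright, so a long gap between rotations buys nothing but risk. Checking the signing key's window before the token's own expiry also means a credential minted by a key that has since been retired is rejected even if its own `exp` has not passed, which is the behaviour you want after a suspected key compromise.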
As Michelle stated,
"Every API is unique, so every attack has to be unique, as bad actors probe the
APIs for business logic gaps they can exploit." Expired or unmanaged TLS keys and
certificates are such gaps. An expired certificate causes outages and downtime on its own, and the habitual workaround, switching off certificate validation so that clients keep connecting, removes the very check that stops an attacker from impersonating the API or intercepting its traffic. When your API serves as (one of just a few) back-end hubs
ensuring front-end success on your company's app, securing your machine
identities is securing your API.
ABOUT THE AUTHOR
An ardent believer in personal data privacy and the
technology behind it, Katrina Thompson is a freelance writer leaning into
encryption, data privacy legislation and the intersection of information
technology and human rights. She has written for Bora, Venafi,
Tripwire and many other sites.