Virtualization Technology News and Information
API Security Covers Machine Identities, Too

By Katrina Thompson

We all know API security is important - after all, 95% of us were on the receiving end of an API attack within the past year. But do we know what a big part machine identities have to play?

The OWASP API Security Top 10 list for 2019 includes three threats involving authentication and authorization, and this API Security Checklist notes, "When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities."

I'll tell you why, how, and what that means - and how you can use machine identity protection to your advantage when securing your APIs.

The need to secure APIs

An Application Programming Interface (API) is "an interface that provides programmatic access to service functionality and data within an application or a database," according to Gartner, and is used to "serve the needs of a digital transformation or an ecosystem, and start a platform business model." Overall API traffic grew 321% this past year, and the growth is understandable given that over 80% of web traffic becomes API traffic.

Consequently, "As the attack surface has grown, and as more bad actors have realized how lucrative it is to target APIs, the number of API attacks has skyrocketed," notes Michelle McLean, VP of Marketing at Salt Security. 

API security has never been more important. As "the average number of APIs per company increased by 221% in 12 months," we note with concern the fact that "91% of APIs expose PII or personal data." To complicate matters, 86% of survey respondents reported they lacked confidence that they know which APIs expose sensitive data, while 85% said their current tools are ineffective at stopping API attacks.

This could be because the tools don't stop API attacks at the machine identity level. As privacy takes center stage in the fight for APIs, defending at the level of the machine identity is key to securing authentication and authorization command chains - an often-overlooked part of securing your APIs.

Why machine identities are central to securing your APIs

It is just as important to validate the identities of APIs as it is to validate any other human or machine entity (a container, an IoT device, and so on). This "machine identity" comes in the form of digital certificates and cryptographic keys. These credentials let HTTPS and SSH validate and authenticate the API's identity so it can communicate securely with other APIs, establish trust, and gain authorized network access; they are therefore a prerequisite for API authentication and authorization.

As we mentioned, the OWASP API Security Top 10 list for 2019 lists no fewer than three top problems relating to authentication and authorization. They are as follows:

  • "API1:2019 Broken Object Level Authorization. APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.
  • API2:2019 Broken User Authentication. Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising a system's ability to identify the client/user, compromises API security overall.
  • API5:2019 Broken Function Level Authorization. Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users' resources and/or administrative functions."

Without validated machine identities, APIs create security gaps that could leave them open to sensitive data compromise - say, if an attacker took advantage of weak authentication controls to access an account and then, once inside, met no authorization checks and was thereby able to reach API data. And perhaps nowhere are machine identities more abundant than in API gateways, where large numbers of TLS keys and certificates are used to establish trust between entities.

Secure API Machine Identities

I'd recommend looking for a solution that combines AI and machine learning to analyze traffic from web, software-as-a-service, mobile, microservice, and internet of things app APIs. You want to create a baseline of normal behavior for each API. As attacks now focus on the "business logic" of APIs (going beyond "one-and-done" SQLi and XSS attacks), you need to be able to identify anomalies that may be indicators of an attacker's reconnaissance.

It only takes a weak password, missing account lockout thresholds, or too much time between password/certificate rotations before your API is at risk of compromise (broken user authentication). Maintaining and updating your machine identities will ensure your certificates are properly rotated and that your users (or machines) are properly identified, authorized, and authenticated.

As Michelle stated, "Every API is unique, so every attack has to be unique, as bad actors probe the APIs for business logic gaps they can exploit." Expired TLS keys and certificates are one such gap, easily exploitable and resulting in outages, downtime, and compromised APIs. When your API serves as (one of just a few) back-end hubs ensuring front-end success on your company's app, securing your machine identities is securing your API.
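As an added example (not from the article, nor from any vendor or product it mentions), here is the kind of check an API gateway operator can run over its service certificates to act on the two points above: each certificate must chain to the CA the gateway trusts (the identity validation from the earlier section), and any certificate inside the rotation window is flagged before expiry turns into an outage. The CA, the service names, the 30-day rotation window and the fixture-issuing helper are constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the constructed test fixtures below stay short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// CheckIdentity validates a service's TLS certificate (its machine identity) against
// the CAs the gateway trusts. trusted is false when the chain does not end at one of
// roots or the certificate is outside its validity window; daysLeft is the remaining
// validity (negative once expired); needsRotation is true when at most rotateWithin
// days remain, i.e. the certificate must be replaced now to avoid an outage.
func CheckIdentity(cert *x509.Certificate, roots *x509.CertPool, now time.Time, rotateWithin int) (trusted bool, daysLeft int, needsRotation bool) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	daysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	return err == nil, daysLeft, daysLeft <= rotateWithin
}

// NewCert issues a constructed certificate for testing: self-signed when parent is
// nil, otherwise signed by parentKey. Test data only, not a production issuer.
func NewCert(cn string, notBefore, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign } // a CA must be allowed to sign
	signer, signerKey := parent, parentKey
	if parent == nil { signer, signerKey = tmpl, key } // self-signed root
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	now := time.Now().UTC().Truncate(time.Second) // X.509 times carry second precision
	ca, caKey := NewCert("example-gateway-ca", now.Add(-time.Hour), now.Add(8760*time.Hour), true, nil, nil)
	svc, _ := NewCert("orders-api.example.internal", now.Add(-time.Hour), now.Add(240*time.Hour), false, ca, caKey)
	roots := x509.NewCertPool(); roots.AddCert(ca)
	fmt.Println(CheckIdentity(svc, roots, now, 30)) // true 10 true: valid today, but due for rotation
}
```

Run against a real inventory, the same function would take certificates parsed from the gateway's PEM files and the gateway's actual root pool; the fixture helper exists only so the example runs offline.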

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.  

Published Friday, July 15, 2022 7:33 AM by David Marshall