Are you securing your public cloud APIs?

Jason Macy, CTO of Forum Systems discusses why the rise of cloud services must go hand-in-hand with an increased focus on API security

As a direct consequence of the government’s Cloud First policy, highly sensitive information, including names, addresses, National Insurance numbers, tax details, passports, driving licenses and so on, may be stored in data centres operated by the major public cloud providers. These include the likes of Amazon Web Services and Microsoft Azure.

This data is then accessed remotely via APIs. Unfortunately, no matter how secure the cloud providers themselves are, the APIs through which the data is accessed remain the weakest link in the chain, and therefore a major target for hackers. API breaches that result in personal records being stolen from companies are in the headlines more and more; with the government’s own sensitive data now potentially at risk, the likelihood of an even more damaging hack, one that compromises the personal details of citizens, is far greater.

Do you know which public cloud your department is using? Are you using a best-of-breed API security solution, or are you relying on the cloud provider for your security? What can you do to mitigate the cloud-based API threats?


The rise of the public cloud

The shift to the public cloud shows no sign of slowing down, with the public cloud computing market predicted to be worth around 160 billion U.S. dollars worldwide by 2020. The trend is even more aggressive in the UK since the introduction of Cloud First in 2013, where government departments are being pushed to move their deployment models to public clouds.


Cloud communication = API Communication

APIs represent the communication synapses among cloud applications. In a nutshell, an API allows applications to talk and share data with each other over the internet. It is an API that allows you to embed Google Maps in your website, or to push your Salesforce contacts into MailChimp.

APIs underpin almost everything we do every day, from banking to shopping to controlling our heating. APIs have enabled the growth of most of the major computing trends of the last few decades; this includes cloud computing, but APIs also had a role to play in the widespread adoption of smartphones and tablets (and any other smart and connected devices like fitness trackers and smartwatches), the Internet of Things, and even social media. All of these popular trends have relied on APIs to function or grow.


The sleeping giant of our world

The widespread use of APIs has made API vulnerabilities the sleeping giant of our technology-led world. The threats posed by an exposed API are significant, yet they remain the most overlooked threat to information security today. This is because API vulnerabilities are not always easy to spot and require specialised technology for detection and prevention. In fact, if you look at the latest version of the OWASP Top 10 (the highly respected, peer-reviewed list of the top vulnerabilities facing organisations today), 9 of the top 10 vulnerabilities now include an API component of some kind. This top 10 listing is derived from actual deployments and reported threats, and thus clearly demonstrates the need to treat API risks as a critical aspect of your cybersecurity strategy.


Locking down public cloud APIs

The prevalence of sensitive public data being stored in public clouds and accessed by APIs is where the risk lies. You may be confident in the security provided by the cloud provider itself, but if the APIs through which this data is accessed are compromised, all that security counts for nothing. APIs will always remain the weakest link in the chain if they are not protected, and will therefore remain a major target for hackers.

Most cloud services use API gateways to identify and verify users, and to act as the single entry point into the service. The API gateway must not become the target of compromise, yet, precisely because of its role as the gatekeeper into the service, it is the vector of attack: if the API gateway is compromised, the attacker has free access to the entire system. The only way to truly protect the data held in a public cloud is to embed secure API gateways within the cloud itself. Secure API gateway technology is specifically known as an “API Security Gateway”.

Building a 100% secure API security gateway requires fundamental product architecture principles: a locked-down and secure operating system, self-integrity health checks to detect compromise, and independent security certifications to verify the claims made by any vendor of such solutions.

If the gateway is not inherently secure by design, then you will always be playing catch-up as new exploits are inevitably discovered. The recent Spectre and Meltdown API vulnerabilities are good examples of what happens when the API gateway is not secure. Spectre and Meltdown could affect any system running potentially vulnerable third-party applications.

A product with a locked-down, secure OS, however, cannot run third-party applications and is not susceptible to these types of OS attacks, or to any other emerging OS attacks. This is where the common software-based architecture of most API gateways quickly becomes their biggest vulnerability. Having your API gateway perform security functions is very different from having an API Security Gateway, and using an API from your cloud provider is very different from running your own API Security Gateway in the cloud.


Minimising the risks of Cloud First

When it comes to the public sector adopting public clouds, you cannot be too careful. By embedding API Security Gateways directly in the public cloud, the public sector can reap the benefits of the cloud while still retaining ultimate control over, and security of, its data. After all, he who controls the gateway controls the data.

Cloud First and Security First should go hand in hand.