Warakorn - Fotolia
Companies looking to access information through APIs need a game plan for how they intend to protect that information. Understanding how APIs work and having a set of security policies around them is integral to internal security and stability.
APIs are likely to be used to perform several actions that fall under the categories of retrieving data; modifying, updating, deleting and adding data; and invoking an action to take place. Understanding how APIs work and how they are used helps to create strong security policies. Here are four ways APIs are used and how to ensure security.
Access to information through an API needs to be granted and authorized. Users and applications that need access to data should be able to do so by first authenticating themselves with the service in question. Different users and applications should be identified and authorized separately, allowing for granular access to the data.
For example, while some users may have access to all actions in the system, such as adding, deleting and updating, other users may only have access to retrieve or add new records. The level of access each user or application has to various object classes of information needs to be managed and maintained, so users can't access more information than they need.
This type of varied authorization is usually achieved by defining different roles and assigning them to users. Each role provides different access rights to its user.
2. Audit trail
Another important element in securing how APIs work is an audit trail, which is a way to track who accessed information and when it was accessed. Because users are separately and uniquely identified when accessing APIs, these calls, as well as their return status, need to be logged as an audit trail.
Audit trails can be used to understand how the data is accessed and if any nefarious activity has taken place. The trail will also lead back to the user who initiated the access.
3. Data at rest and data in motion
The data accessed through the API is best stored in an encrypted format. Encryption is especially important if that data includes personally identifiable information or any other sensitive data. All passwords should be salted and hashed and never stored in the clear.
Calling, or executing, the APIs means that data is in motion and information is obtained through the APIs. While all APIs in this day and age should be called via encrypted HTTPS or secure web sockets, this is doubly true for information retrieval via APIs. It is necessary in order to thwart any unauthorized users sniffing on the traffic from the API to its intended consumer.
4. Rate limiting
A user should be allowed to access information through the API up to a given rate. This reduces the risk of a user abusing their access or having their identity hijacked and abused, which could create a larger data breach.
For example, a user may connect to an API to validate new users. But if the user is executing your API at a rate of 1,000 calls per second, it could mean the API is being abused to harvest data. In this case, it would make sense to limit the user's API access to one call per second.
As with other security measures, rate limiting can be granular and cover different users and roles. Different rate limits can be set for different API calls.
Other authorization policies can limit access by geography, a user's exact location or specific security certifications. It's prudent to monitor the access of information. Suspicious behavior can indicate potential abuse or data breaches.
Dig Deeper on Unified Communications Security
Related Q&A from Tsahi Levent-Levi
Instead of SMS two-factor authentication, some companies are switching to 2FA through messaging apps and social media platforms. Learn what's behind ... Continue Reading
Most embedded communications use cases focus on customer-facing interactions. Learn how to evaluate the use cases that would benefit from embedding ... Continue Reading
Adding communications capabilities to your web browsers or mobile apps? Be sure to use the right protocols for successful interoperability with your ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.