API security for connecting the enterprise cloud
by HNS - Wednesday, 13 August 2014.
In this interview, Don Bergal, COO at Managed Methods, answers questions regarding security around API based connections between an enterprise and the hybrid cloud.

What technology changes are making this important now?

Application Programming Interfaces (APIs) are the glue that connects enterprises to the cloud. While they may not know it, IT teams are already surrounded by API traffic. It is becoming rare to find IT organizations that are not impacted by increased use of APIs to their enterprise cloud. Whether sending claim data to an external billing company, responding with product availability to a reseller, or provisioning virtual cloud servers, all of these operations are based on a series of API message exchanges between organizations.

IT teams must meet the conflicting requirements of ensuring security when conducting business with systems in their hybrid cloud, but also facilitating and promoting business agility. Shutting down the flow to outside servers is not a viable option.

What is a RESTful API?

API growth is tied to the exploding use of REST APIs. REST, or Representational State Transfer, is a framework for exposing application services via simple web URLs. It is similar to the web service architectures begun a decade ago, but far simpler. In fact, the requests and responses pass through network firewalls like typical web requests.

The simplicity and ease of implementation is the reason RESTful APIs have grown so rapidly. Unlike previous generations of web service, it is much simpler to publish an application for consumption by outsiders. And it is far simpler to call on REST APIs as the way for applications to consume cloud-based services. For example, all of the dynamic provisioning of cloud services like Amazon Web Services is conducted using REST APIs.

Bottom line, most server-to-server interaction between an enterprise and cloud-based systems is now using API-based communication.

Where is the security problem?

This leads to the following problems that IT has to deal with:

Unknown security posture – it’s hard to know what your security is if you don’t know what is being used by your organization.

APIs are an opening directly into back-end systems. Without knowing who is coming through, an enterprise is asking for trouble.

Risk of audit failures – lack of visibility drives the risk of an audit failure when an auditor discovers use of a service whose compliance can’t be demonstrated.

Proliferation of APIs – an accidental enterprise IT architecture that results from shadow IT often leads to using disparate services for the same purpose. For example, it is not uncommon to see multiple cloud storage solutions being used across different departments.

When asked how much API activity crosses their network perimeter, two thirds of IT and security managers responded “I don’t know”. If IT and security teams don’t know what information is flowing out to the cloud, or what outsiders are touching information inside, that’s a problem.

What are solutions to this visibility problem?

For an enterprise IT that is looking to gain visibility into API utilization, you would need a product that has been designed with enterprise IT in mind. It has to put visibility first, to drive security and compliance as primary goals.

A new class of security software, designed to give visibility to IT operations and security teams, helps meet these demands.

The basic requirements for gaining API visibility include:

Visibility. If IT can’t discover what services are in use, IT cannot manage the problem. The first requirement is to answer the question “What API-based systems already exist?”
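As an added example (not part of the interview and not Managed Methods' product), here is a small Python script that takes a first pass at the “what API-based systems already exist?” question: it classifies outbound proxy log lines as API or ordinary browser traffic and tallies the API destinations, methods and internal clients. The log field layout, host names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample outbound proxy lines (field layout is an assumption):
# timestamp client method url status content-type user-agent
SAMPLE_LOG = """\
2014-08-13T09:00:01 10.1.2.3 POST https://api.example-billing.com/v1/claims 201 application/json claims-uploader/2.1
2014-08-13T09:00:02 10.1.2.9 GET https://www.example-news.com/index.html 200 text/html Mozilla/5.0
2014-08-13T09:00:05 10.1.2.3 GET https://api.example-billing.com/v1/claims/77 200 application/json claims-uploader/2.1
2014-08-13T09:00:07 10.1.2.20 PUT https://storage.example-cloud.net/buckets/hr-docs/file.pdf 200 application/xml boto/2.32
2014-08-13T09:00:09 10.1.2.21 POST https://files.example-share.com/api/upload 200 application/json sync-agent/1.0
2014-08-13T09:00:11 10.1.2.9 GET https://www.example-news.com/style.css 200 text/css Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (.+)$")
API_TYPES = ("application/json", "application/xml")
BROWSER_UA = re.compile(r"Mozilla/")

def is_api_call(method, url, content_type, user_agent):
    """Heuristic: machine-to-machine exchange rather than a person browsing."""
    path = urlsplit(url).path
    return bool(content_type in API_TYPES
                or "/api/" in path or re.search(r"/v\d+/", path)
                or method in ("PUT", "DELETE", "PATCH")
                or not BROWSER_UA.search(user_agent))

def api_inventory(log_text):
    """Return {host: {"calls": n, "methods": set, "clients": set}} for API traffic."""
    inventory = defaultdict(lambda: {"calls": 0, "methods": set(), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, method, url, _status, ctype, ua = m.groups()
        if not is_api_call(method, url, ctype, ua):
            continue
        entry = inventory[urlsplit(url).hostname]
        entry["calls"] += 1
        entry["methods"].add(method)
        entry["clients"].add(client)
    return dict(inventory)

if __name__ == "__main__":
    for host, info in sorted(api_inventory(SAMPLE_LOG).items()):
        print(f"{host}: {info['calls']} calls, methods={sorted(info['methods'])}, "
              f"clients={sorted(info['clients'])}")
```

Run against real proxy exports, the resulting host list is the starting inventory that an auditor or security team can then check service by service.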
