API security for connecting the enterprise cloud
by HNS - Wednesday, 13 August 2014.
In this interview, Don Bergal, COO at Managed Methods, answers questions regarding security around API based connections between an enterprise and the hybrid cloud.

What technology changes are making this important now?

Application Programming Interfaces (APIs) are the glue that connects enterprises to Cloud. While they may not know it, IT teams are already surrounded by API traffic. It is becoming rare to find IT organizations that are not impacted by increased use of APIs to their enterprise cloud. Whether sending claim data to an external billing company, responding with product availability to a reseller, or provisioning virtual cloud servers, all of these operations are based on a series of API message exchanges between organizations.

IT teams must meet the conflicting requirements of ensuring security when conducting business with systems in their hybrid cloud, but also facilitating and promoting business agility. Shutting down the flow to outside servers is not a viable option.

What is a RESTful API?

API growth is tied to the exploding use of REST APIs. REST, or Representational State Transfer, is a framework for exposing application services via simple web URLs. It is similar to the web service architectures begun a decade ago, but far simpler. In fact, the requests and responses pass through network firewalls like typical web requests.

The simplicity and ease of implementation is the reason RESTful APIs have grown so rapidly. Unlike previous generations of web service, it is much simpler to publish an application for consumption by outsiders. And it is far simpler to call on REST APIs as the way for applications to consume cloud based services. For example, all of the dynamic provisioning of cloud services like Amazon Web Services is conducted using REST APIs.

Bottom line, most server-to-server interaction between an enterprise and cloud based systems is now using API based communication.

Where is the security problem?

This leads to following problems that IT has to deal with:

Unknown security posture – it's hard to know what your security is if you don't know what is being used by your organization.

APIs are an opening directly into back-end systems. Without knowing who is coming through, an enterprise is asking for trouble.

Risk of audit failures – lack of visibility drives the risk of an audit failure when an auditor discovers use of a service whose compliance can't be demonstrated.

Proliferation of APIs – an accidental enterprise IT architecture that results from shadow IT often leads to using disparate services for the same purpose. For example, it is not uncommon to see multiple cloud storage solutions being used across different departments.

When asked how much API activity crosses their network perimeter, two thirds of IT and security managers responded "I don't know". If IT and security teams don't know what information is flowing out to the cloud, or what outsiders are touching information inside, that's a problem.

What are solutions to this visibility problem?

For an enterprise IT that is looking to gain visibility into API utilization, you would need a product that has been designed with enterprise IT in mind. Its primary goal has to be visibility that drives security and compliance.

A new class of security software, designed to give visibility to IT operations and security teams, helps meet these demands.

The basic requirements for gaining API visibility include:

Visibility. If IT can't discover what services are in use, IT cannot manage the problem. The first requirement is to answer the question "What API based systems already exist".
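As an added example (not from the interview and not Managed Methods' product), the following Python script shows one way to start answering that first question from an ordinary forward-proxy access log: it separates API-style exchanges (structured JSON/XML responses, or REST-looking paths such as /api/ or /v1/) from people browsing web pages, inventories which external hosts are being called by which internal clients, and lists the hosts nobody has approved. The log layout and every entry in it are constructed for the example; the heuristics are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed forward-proxy access log (not real data). Fields:
# timestamp  client-ip  method  url  status  response-content-type
SAMPLE_LOG = """\
2014-08-13T09:01:02Z 10.1.4.22 POST https://api.billing-partner.example/v1/claims 200 application/json
2014-08-13T09:01:05Z 10.1.4.22 GET https://api.billing-partner.example/v1/claims/1234 200 application/json
2014-08-13T09:02:10Z 10.1.7.9 GET https://www.news.example/index.html 200 text/html
2014-08-13T09:03:44Z 10.1.9.15 PUT https://storage-a.example/api/files/report.pdf 201 application/json
2014-08-13T09:04:01Z 10.1.2.3 PUT https://storage-b.example/rest/upload 201 application/xml
2014-08-13T09:05:12Z 10.1.4.22 POST https://ec2.amazonaws.com/?Action=RunInstances 200 text/xml
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\S+)$")
# REST-style path markers (heuristic, assumed for this example)
API_PATH_HINT = re.compile(r"/(api|rest|v\d+)(/|$)", re.IGNORECASE)
# Structured bodies are what machines exchange; HTML pages are for people
API_CONTENT_TYPES = {"application/json", "application/xml", "text/xml"}

def is_api_call(url, content_type):
    """Heuristic: structured response body or an API-looking URL path."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in API_CONTENT_TYPES or bool(API_PATH_HINT.search(urlsplit(url).path))

def inventory_api_traffic(log_text):
    """Map each external API host to call count, calling clients and HTTP methods seen."""
    inventory = defaultdict(lambda: {"calls": 0, "clients": set(), "methods": set()})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than crash on a noisy log
        _ts, client, method, url, _status, ctype = match.groups()
        if not is_api_call(url, ctype):
            continue
        entry = inventory[urlsplit(url).hostname]
        entry["calls"] += 1
        entry["clients"].add(client)
        entry["methods"].add(method)
    return dict(inventory)

def unsanctioned_hosts(inventory, approved_hosts):
    """API hosts in use that nobody has approved: the shadow-IT list for the auditor."""
    return sorted(host for host in inventory if host not in approved_hosts)

if __name__ == "__main__":
    inv = inventory_api_traffic(SAMPLE_LOG)
    print("unapproved:", unsanctioned_hosts(inv, {"api.billing-partner.example", "ec2.amazonaws.com"}))
```

On the constructed log, the two cloud storage hosts used by different departments surface as unapproved, which is exactly the proliferation problem described above.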
