Cloud Security Requires Securing APIs
As cloud use continues to increase and applications are redesigned to a microservices architecture, APIs are increasingly the way applications communicate and share data. No wonder they’re an increasing source of threats to data, too.
API Risks
API risks arise in two main ways:
- APIs are poorly protected. Firewalls don’t block access to APIs. Access is controlled through identity and security policies, but those may not be effective. Not all communication with APIs is encrypted, allowing data or even credentials to be stolen. The error messages given by APIs can indicate whether a login failure is due to a bad username or bad password, guiding a malicious actor in their attempt to break security.
- APIs are designed to support automation. By design, APIs allow programs to communicate. This allows attempts to break in to be automated. Hackers can exploit lists of stolen user credentials and automate attempts to see if any of them work on the targeted site. Even if the API attempts to throttle rapid-fire access attempts to detect malicious login attempts, a hacker can still lower their request rate to continue a credential-stuffing attack.
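The slowed-down credential-stuffing case described above can be caught by looking at how many different accounts one client fails against, rather than how fast it sends requests. The following is an added example, not part of the original article; the log record layout, the IP addresses, and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed login events: (timestamp, client IP, username, succeeded)."""
    start = datetime(2024, 1, 1)
    events = []
    # One client tries a different account every 5 minutes for 10 hours.
    for i in range(120):
        events.append((start + timedelta(minutes=5 * i), "203.0.113.7", f"user{i:03d}", i == 77))
    # A real user mistypes a password three times, then logs in.
    for i in range(3):
        events.append((start + timedelta(hours=2, seconds=10 * i), "198.51.100.20", "alice", False))
    events.append((start + timedelta(hours=2, seconds=40), "198.51.100.20", "alice", True))
    return sorted(events)

def peak_per_minute(events):
    """Busiest calendar minute per client: the only thing a rate limit sees."""
    buckets = defaultdict(int)
    for ts, ip, _user, _ok in events:
        buckets[(ip, ts.replace(second=0, microsecond=0))] += 1
    peaks = defaultdict(int)
    for (ip, _minute), count in buckets.items():
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)

def flag_credential_stuffing(events, window=timedelta(hours=24), max_accounts=10):
    """Flag clients whose failed logins hit more than max_accounts distinct
    usernames inside any sliding window (thresholds are assumptions)."""
    failures = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures[ip].append((ts, user))
    flagged = {}
    for ip, items in failures.items():
        items.sort()
        left, best, in_window = 0, 0, defaultdict(int)
        for ts, user in items:
            in_window[user] += 1
            while ts - items[left][0] > window:  # drop failures older than the window
                expired = items[left][1]
                in_window[expired] -= 1
                if in_window[expired] == 0:
                    del in_window[expired]
                left += 1
            best = max(best, len(in_window))
        if best > max_accounts:
            flagged[ip] = best
    return flagged
```

On the constructed data, the slow client never exceeds one request per minute while the legitimate user peaks at four, so a per-minute limit alone would inconvenience the wrong party; the distinct-account count flags only the slow client.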
Securing APIs
Access to APIs is generally managed through an API gateway. In Microsoft Azure, Azure API Management offers services that provide security to APIs. These include generating authorization keys that must be included with requests to the API, including authorization tokens in request headers, and requiring client certificates. Azure API Management also allows you to limit how many times a single client can call the service within a specified time period, reducing the risk of a credential-stuffing attack. Specific IP addresses can be blocked from accessing the API entirely.
In addition to the cloud-based service, Microsoft also includes API management features in Azure Arc, offering a self-hosted solution that allows security to be controlled on premises. Although this solution doesn’t provide all the features of the cloud-based API management platform, it may better fit some companies’ compliance policies. Self-hosting potentially reduces bandwidth charges as well as allowing consistent, better-performing approaches to security in hybrid environments.
Providing security to cloud services is often a matter of configuration. By appropriately leveraging the Azure API Management tools, cloud APIs can be configured to increase their security. Prescient Solutions provides complete Microsoft Azure support, helping businesses in Chicago and Schaumburg meet many cloud challenges including security. Contact us to learn more about protecting your Microsoft Azure cloud.