API use and capabilities have grown significantly over the past decade to improve application development; interaction with services and app features; and integration with applications, services and components of all types. Nowhere is this truer than in the cloud, where API availability and use are the norm rather than the exception.
APIs have also become a major target for attackers, however, because they are widely exposed, carry a variety of vulnerabilities and configuration issues, and in some cases are inherently less secure than others.
Cloud API security best practices
While API security best practices are well documented, security and engineering teams should keep in mind the following cloud-specific API security considerations.
1. Inventory and discover cloud APIs in use
Cloud services are almost guaranteed to expose APIs. It’s imperative that organizations perform a continuous inventory and discovery effort to determine what services are in use, where they’re exposed and what APIs are associated with them.
It’s not uncommon for even a modest cloud presence in leading PaaS and IaaS environments to include hundreds or even thousands of unique API functions. Building an inventory of APIs, what they’re capable of and where they’re exposed can improve cloud API security overall.
2. Add security in front of cloud APIs
Organizations should consider putting DDoS protection and web application firewalls (WAFs) in front of exposed APIs. Denial of service is a common attack against exposed cloud APIs. Many APIs can also be queried and attacked to extract data or feed junk input to the applications behind them. Leading cloud service providers (CSPs) offer WAF and DDoS protection as cloud-native options for all API entry points. Third-party products are also available.
Increasingly, a variety of security features can be found in API gateway services and platforms, which many development and engineering teams plan to use anyway. Look for rate limiting options, data masking, distributed routing to multiple back ends, and integration with other DDoS protection and WAF services.
3. Improve cloud API identity and access management
One of the biggest security challenges associated with cloud APIs is weak or flawed authentication and authorization. Organizations should prioritize cloud API identity and access management when building and deploying cloud applications and services.
First, evaluate the privileges in use for APIs, both for external interfaces and queries and for internal service-to-service calls. Assign service roles with minimal privileges wherever possible to limit what an API can do if it is hijacked or an intrusion occurs. Next, implement strong authentication for APIs everywhere. Many cloud APIs use native API keys or basic authentication, but stronger methods, such as JSON Web Tokens (JWTs), avoid static keys, which attackers could steal and reuse. Signed JWTs also provide authenticity and, when signed with keys backed by digital certificates, nonrepudiation. Besides focusing on least-privilege roles for all APIs, consider using OAuth 2.0 for API authentication and authorization; it commonly uses JWTs as the tokens for client-server interactions with RESTful APIs.
4. Log and monitor for unusual requests
Logging and monitoring API activity are somewhat easier in the cloud. All APIs are intrinsically tied to the CSP’s fabric, so logging services, such as AWS CloudTrail, Amazon CloudWatch and Google Cloud Logging, can track all API activity, which can then be monitored for unusual requests or behaviors. Many front-end gateway platforms and services also provide strong logging capabilities. The downside to cloud API logging is the sheer volume and breadth of requests. There are often far more logs than operations and security teams can handle, and many of them are not particularly useful from a security standpoint.
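One way to turn that log volume into a short list of unusual requests, as an added example that is not part of the original article or any CSP tool: aggregate CloudTrail-style records per principal and flag high AccessDenied ratios, calls from several source IPs, and use of identity-changing APIs. The records, the abbreviated ARNs and the sensitive-API list are constructed for the example; the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict

# Constructed, trimmed CloudTrail-style records (not real log data); errorCode is absent on success.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "userIdentity": {"arn": "role/app-reader"}, "sourceIPAddress": "10.0.1.5"},
    {"eventName": "GetObject", "userIdentity": {"arn": "role/app-reader"}, "sourceIPAddress": "10.0.1.5"},
    {"eventName": "ListBuckets", "userIdentity": {"arn": "role/app-reader"}, "sourceIPAddress": "10.0.1.5"},
    {"eventName": "CreateAccessKey", "userIdentity": {"arn": "user/deploy"}, "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied"},
    {"eventName": "PutUserPolicy", "userIdentity": {"arn": "user/deploy"}, "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied"},
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": "user/deploy"}, "sourceIPAddress": "203.0.113.9", "errorCode": "AccessDenied"},
    {"eventName": "GetCallerIdentity", "userIdentity": {"arn": "user/deploy"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "GetObject", "userIdentity": {"arn": "user/deploy"}, "sourceIPAddress": "10.0.1.5"},
]

# APIs that change identities or exposure; a hit deserves a look even when the call succeeds (assumed list).
SENSITIVE_APIS = {"CreateAccessKey", "PutUserPolicy", "AttachUserPolicy", "PutBucketPolicy"}
MIN_CALLS = 3        # ignore principals with too few calls to judge a ratio (assumed threshold)
DENIED_RATIO = 0.5   # flag when at least half of a principal's calls are AccessDenied (assumed threshold)


def summarize(events):
    """Collapse raw records into per-principal counters; this aggregation is what tames log volume."""
    stats = defaultdict(lambda: {"calls": 0, "denied": 0, "ips": set(), "sensitive": set()})
    for ev in events:
        s = stats[ev["userIdentity"]["arn"]]
        s["calls"] += 1
        s["ips"].add(ev["sourceIPAddress"])
        if ev.get("errorCode") == "AccessDenied":
            s["denied"] += 1
        if ev["eventName"] in SENSITIVE_APIS:
            s["sensitive"].add(ev["eventName"])
    return stats


def find_unusual(events):
    """Return {principal: [reasons]} for principals whose aggregated behaviour looks unusual."""
    findings = defaultdict(list)
    for arn, s in summarize(events).items():
        if s["calls"] >= MIN_CALLS and s["denied"] / s["calls"] >= DENIED_RATIO:
            findings[arn].append(f"{s['denied']}/{s['calls']} calls AccessDenied (possible privilege probing)")
        if len(s["ips"]) > 1:
            findings[arn].append(f"calls from {len(s['ips'])} source IPs: {sorted(s['ips'])}")
        if s["sensitive"]:
            findings[arn].append(f"sensitive APIs called: {sorted(s['sensitive'])}")
    return dict(findings)


if __name__ == "__main__":
    for arn, reasons in find_unusual(SAMPLE_EVENTS).items():
        print(arn, "->", "; ".join(reasons))
```

Running it reports only user/deploy, with all three reasons, while the noisy but normal role/app-reader traffic produces nothing.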
Many API security best practices apply equally in cloud and non-cloud environments. The biggest danger for many teams is cloud API exposure, so be sure to find internet-facing APIs before attackers do.