API & Integration Security
API and integration security is often overlooked or treated as an after thought in implementations. API projects need to recognise that opening up APIs effectively extends the potential attack surface of the organisation. Whether this is through denial of service attacks, compromised security architecture, poor design or weak authentication, there needs to be significant upfront consideration of security during implementation.
Organisations need to implement robust security policies, procedure and governance around design, development and consumption. Security controls should be embedded into the architecture, design and overall thinking. API Management and Integration platforms implement various features that can help support the overall security implementation. It’s important that organisations understand the features available to them and that they implement them soundly during project delivery.
How to improve your API & Integration Security
Organisations with strong maturity in this space make security part of their organisational DNA. Often implementing security control frameworks like NIST. In integration and API terms it’s important to start with an understanding of the underlying data:
- What data do you store about people and where?
- What the impact is of moving data?
- Where the data is transacted and subsequently persisted?
- Are there data protection considerations e.g.. GDPR / PII?
- How is the data valued or classified in terms of sensitivity?
When integrating between systems, we often start with a set of privileges that make the integration user a superuser in the respective systems. This is largely due to expediency in debugging permissions related issues during development. With that sort of access we inevitably open up super user privileges in the resulting processes and APIs we build. It’s important to revisit integration system accounts to ensure that privilege levels are appropriate for the integration flows and APIs we release to production. Where we cannot lock down privileges in the integration user account, we need to ensure we provide supplementary security controls at the API level.
Understanding API as a product, implementing the security control available in the API management platform, rate limiting and white/blacklisting relevant network ranges all help to lock down the implementation. Likewise a layered API architecture that separates system from process and experience or system from engagement and innovation layers is a solid design principle to implement.
Segregation of environments and concerns in deployment should also be standard practice. In addition, ensuring that anything you expose externally is penetration tested by a third party should be part of the project delivery plan as well as secure and robust testing practices during development.
It is also important to ensure that post implementation there is 360 degree observability of the platform in terms of infrastructure and security monitoring. Security is an organisational behaviour and breaches in it should show up as behaviours in the monitoring data. Set up correctly, organisations should be able to stay ahead of the curve in terms of their security implementation.
Common Mistakes in API & Integration Security
The most common and significant mistake organisations make is leaving it until the end. It needs to be part of first principles in approaching any implementation.
Another key mistake is in failing to categorise the data sets you are working with based on their sensitivity or indeed recognising that in blending data objects the sensitivity of the resulting object needs classifying. API implementations are about offering up your data for consumption by developers inside and outside the organisation. Understanding the roles and levels of access that should be implemented is imperative.
- account for security in testing
- build security monitoring into your implementation
- layer and segregate your architecture
Thare all signs of an organisation that hasn’t yet made security part of its DNA. Likewise with respect to having blanket security policies that don’t reflect or adapt to new use cases or business needs. Security needs to be adaptive and part of the culture of delivery.
How Chakray Can Help
At Chakray, we work with organisations to ensure appropriate security controls are implemented during implementations. We actively seek to understand existing security practices within the organisation and implement best practice during deployment. We partner with security specialists to help customers achieve best possible outcomes when approaching the security of their systems and data.
You May Be Interested In…
Further information and reading on subjects related to this page.