by Oleksii Donets
Organizations must become more efficient, and to do so they share data and services with external parties. Exchanging data with partners, customers and other interested parties quickly and securely is therefore a task that will only grow in importance, because if that data falls into the wrong hands, the consequences can be devastating.
The evolution of communication
We all still know the processes of the past: a customer named Amelie orders something online and wants to know the status of her order. She sends an e-mail with the order number to the online shop Best Shop, where a clerk called Ben checks the e-mail and writes a reply to Amelie. Of course, this could all be much faster if we replace Ben with an automated process: Best Shop's system reads the order number from the e-mail, retrieves the status of Amelie's order and sends the answer straight back. The whole process takes only a few seconds. Now let's assume Amelie is not a person but the company Best Choice. An order from Best Choice to Best Shop can also run fully automatically, simply because the systems on both sides interact and communicate with each other. This has been established practice for a long time. The communication takes place via interfaces, so-called application programming interfaces (APIs).
Availability, confidentiality and integrity for the APIs
APIs are, so to speak, the door from the outside world to internal systems, services and databases. That is why the central protection goals must be the availability, confidentiality and integrity of the APIs and of the data behind them. The first step is to expose them only over an encrypted connection (TLS, as used by HTTPS; the older SSL protocol versions it replaced should be disabled). TLS protects the data in transit against eavesdropping and undetected tampering, which covers confidentiality and integrity on the wire, but it does not by itself decide who may access what. For that, the user or the calling system must authenticate itself, and the API must then authorize each request, i.e. check that this identity is permitted to perform this operation on this data. In this way we rule out any confusion of identities and prevent callers from reading each other's data. Note that these are only the minimum requirements for API security! Further goals such as the operational readiness of the systems and the correct processing of requests are achieved by setting up audit logging, monitoring and alerting. But back to API security: beyond the minimum requirements, APIs must urgently be protected against attacks such as (D)DoS and SQL injection.
Protection against attacks
To implement the necessary measures, it is advisable to put a component between the outside and the inside world: the database or the backend system must never be reachable directly through an API. This component validates all user input and forwards only valid requests. It is important that the APIs do not only provide authentication and authorization but also audit logging of every connection and request, so that who did what can be reconstructed afterwards. In addition, complete validation of the transport protocol (a well-formed HTTP request with a known method, content type and size) and checking the supplied data against the intended schema (expected fields, types, lengths and value formats) are of decisive importance. This intermediary component is usually realised with an API management solution or an API gateway. Take SQL injection as an example: the caller's input is never spliced into an SQL statement that goes straight to the database. The gateway first rejects anything that does not match the permitted format, and the backend then passes the value to the database as a bound parameter of a prepared statement rather than as part of the query text.
With modern API management solutions, such protections can be configured from ready-made function blocks (also called assertions) instead of being hand-written for every API. The APIIDA API Gateway Manager provides further support for managing API gateways.
Security comes first, especially in times of digital networking; anything else would be negligent. APIs are a door through which not everyone is allowed to pass, which is why guaranteeing their security is so critical. It also makes sense to use a monitoring and alerting system that gives immediate feedback on how the APIs are behaving, so that failed authentications, rejected requests and unusual traffic volumes are noticed while they are happening.