Cloud Security Solutions is a never-ending task. As soon as you counter the threat in one place, the black hatters shift tactics and attack from a different angle and with different threat signatures and techniques. What we are talking about is software coding that acts as the front door that will allow access to the predetermined functionality of applications and data on the Cloud server. We at Zymr develop and field secure API’s and we do it well.

The cloud era has ushered in new opportunities for platforms that are willing to open data services through APIs. For example, Amazon AWS offers REST APIs to provision their IaaS. Applications that offer APIs need to provide robust security to ensure DDoS attacks, data leakage, and malicious use.

[See Also: Cloud Application Development Services]

‍

Of course, the terminology is at the root of the most of the confusion about what the heck we’re talking about. API is the acronym for “application programming interface” i.e. the front door. REST is all about “representational state transfer” which has an alternative technique called SOAP that I’m not even going to talk about in this blog post. Your eyes are already glazing over anyway. IaaS is “infrastructure as a service and finally, DDoS refers to a type of threat called a “distributed denial of service” operating system security attack.

Why Do We Need Secure API’s?

First off, API’s are not new. They have been running on your computer for a long time. Anytime one program can share information with another program on your platform, that handshake and transfer of information are done through API’s. However, since your computer knows who you are and your user account is known, the function of the API’s are transparent to you. Your security is contained in the firewalls and security program you are running be it Norton, Kaspersky or any of the other vendors out there with a security product.

API’s, however, have proven to be vulnerable because of API’s that are not secure. A good example of that was last year’s cyber attack targeting MSNBC highlights cybercriminals’ abuse of the public’s trust in news sites. The attack abused the company’s publicly available Bitly application program interface (API) key to create custom URL shorteners for redirecting victims to a fake website broadcasting misinformation about the news.

A second example involves the banking industry and the rapid move of banking functions to the mobile web where customers can log in to their account on their smartphone or tablet and conduct transactions as they desire. This is all done via API. Distributed denial of service (DDoS)attacks is ever more possible. Given this scenario, the next wave of DDoS attacks may very well target these cloud APIs. The impact here is that the mobile device cannot access the customer’s account. Now, not only is the banks API overwhelmed, so are its phone lines as the account holders make very contentious phone calls.

[See Also:Skyport Secure and Hyper-Security]

Other more recent events point out the challenge ahead. API’s were at the root of security breaches at social media sites Pinterest, Instagram, and Snapchat. Zane Lackey, founder and chief security officer at Signal Sciences, examined API attack methods and defense. Lackey laid out five major API attack vectors: bypassing authentication defenses, bypassing data validation via third party APIs, evading detection of brute force authorization, evading rate limits, and abusing content types.

Technology and Techniques to Build a Secure API

API security is based on being able to establish the identity of the resource making the call to the API. Accurate authentication of that platform (mobile phone, tablet, laptop or desktop) lies at the core of the security effort. I talked about your platform security earlier. Are your firewalls set up correctly? Do you have an effective and updated antivirus program running? Identity security starts with you. API security rests with ensuring the identity of who is making the API call for access.

The framework for API security is the OAUTH2 umbrella protocol. OAuth stands for “open standard for authorization.” It’s actually the final step in allowing delegated access after all the other identity authentication protocols under the OAUTH2 umbrella framework have done their job. The graphic shows the technology stack for developing a secure API

FIDO (Fast IDentity Online) provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.

System for Cross-domain Identity Management (SCIM) is an IETF (Internet Engineering Task Force) specification is designed to make managing user identities in cloud-based applications and services easier.

JSON Identity Suite is a set of open digital identity standards that have emerged that utilizes JSON data representations and simple REST-based communication patterns.

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

ALFA is an implementation of the XACML standard and stands for “eXtensible Access Control Markup Language” and is a process for defining fine-grained authorization rules in a JSON-like policy language (which compiles down into XACML).

Wrapping It All Up

A secure API is a step in the right direction for cloud server security, but it isn’t a panacea for preventing all
cyber attacks on a cloud server. The Open System Interconnection (OSI) networking model has seven layers of functionality and we’ve only been dealing with the level 7 user/application interface. Cyber attacks can happen at any level and we’re not finished with Level 7, the application layer just yet.

‍

‍

Everything you need to know about outsourcing technology development and Cloud Application Development Services

Access a special Introduction Package with everything you want to know about outsourcing your technology development. How should you evaluate a partner? What components of your cloud security solution that are suitable to be handed off to a partner? These answers and more below.

‍