Every cloud service and application today offers application
programming interfaces (APIs). APIs are used to manage and interact with
cloud services, and the security and availability of general cloud services (authentication,
access control, encryption, activity monitoring, etc.) depend on the
security of those APIs. Third parties that rely on APIs and build on these
interfaces introduce the complexity of a new layered API, which increases risk
because organizations may need to expose more services and credentials. Security
issues related to confidentiality, integrity, availability and accountability
may arise.
Examples of poorly secured APIs include anonymous access and/or
reusable tokens or passwords, clear-text authentication or transmission of
content, inflexible access controls or improper authorizations, limited
monitoring and logging capabilities, and unknown service or API dependencies. In
January 2014, insecure APIs were connected to a Snapchat data
breach that affected approximately 4.6 million users. While APIs weren't
directly to blame, they allowed hackers to match Snapchat users' phone numbers
with usernames on a massive scale.
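
One way to monitor for the kind of large-scale lookup described above, as an added example that is not part of the original post: a sliding-window check over API access logs that flags any API key resolving many different phone numbers in a short time. The log format, the field names `key` and `phone`, the client names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Split 'TIMESTAMP key=... phone=...' (assumed log format) into fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["key"], kv["phone"]

def find_enumerators(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return API keys that looked up more than max_distinct different
    phone numbers inside any sliding window. Lines must be time-ordered."""
    recent = defaultdict(deque)  # API key -> (timestamp, phone) pairs in window
    flagged = set()
    for line in lines:
        ts, key, phone = parse(line)
        q = recent[key]
        q.append((ts, phone))
        while ts - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        # Count distinct numbers, so retries of one number are not flagged.
        if len({p for _, p in q}) > max_distinct:
            flagged.add(key)
    return sorted(flagged)

def sample_log():
    """Constructed log lines: one bulk client, one retrying, one slow."""
    base = datetime(2014, 1, 1)
    rows = []
    for i in range(8):
        rows.append((base + timedelta(seconds=i), "bulk-client", f"555000{i:04d}"))
        rows.append((base + timedelta(seconds=i), "retrying-client", "5551230000"))
        rows.append((base + timedelta(hours=i), "slow-client", f"555111{i:04d}"))
    rows.sort()
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} key={k} phone={p}" for ts, k, p in rows]

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Widening `window` catches slower lookups at the cost of more false positives from legitimate address-book syncs, so the threshold has to be tuned against normal client behaviour.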
The Cloud Security Alliance (CSA) recommends analyzing the
security model of cloud provider interfaces; implementing strong
authentication, access control and encryption; understanding API dependencies;
and penetration testing.
Organizations often put speed of development first,
neglecting attention to detail. Developers should take the time to fully
understand the security implications associated with using, managing and
monitoring APIs and the potential risks of sharing user data.
Resources:
Top Threats to Cloud Computing V1.0 (March 2010), prepared by the Cloud Security Alliance, retrieved from https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
Fahmida Y. Rashid (2016, March 11) The dirty dozen: 12 cloud security threats, retrieved from http://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html
Michael Cobb (n.d.) API security: How to ensure secure API use in the enterprise, retrieved from http://searchsecurity.techtarget.com/tip/API-security-How-to-ensure-secure-API-use-in-the-enterprise