API security best practices
APIs have become a strategic necessity for businesses. They facilitate agility and innovation. However, the financial incentive associated with this agility is often tempered by the fear of undue exposure of the valuable information that these APIs expose. According to Gartner, by 2022, API abuses will be the most frequent attack vector for enterprise web application data breaches. It is no wonder that many IT decision makers today are concerned about API security.
In this paper, we will discuss APIs and security within Anypoint Platform in two parts. In part one, we will cover the general concerns that senior IT decision makers have with respect to their digital assets. We will also cover the topics of authentication and authorization, and discuss why it is important to maintain confidentiality, integrity, and availability of your data. In part two, we will show how Anypoint Platform addresses the above requirements. We will cover the core security capabilities of Anypoint Platform. We will also look at how Anypoint Platform can help you manage your APIs and address your security concerns through policies. In this part, we will also cover how APIs deployed to MuleSoft’s Anypoint Platform can securely integrate with servers in your data center. We will conclude with a fictitious scenario that shows how Anypoint Platform can form part of the fabric of a secure API-led architecture.
A secure API is one that can guarantee the confidentiality of the information it processes by making it visible only to the Users, Apps, and Servers that are authorized to consume it. Likewise, it must be able to guarantee the integrity of the information it receives from the Clients and Servers that it collaborates with, so that it only processes information it knows has not been modified by a third party. The ability to identify the calling systems and their end-users is therefore a prerequisite for guaranteeing these two security qualities. The same applies to the calls that the API makes to third-party Servers. An API must never lose information, so it must be available to handle requests and process them in a reliable fashion.
In this paper, we use the term API in a broad sense to include both the interface definition and the service or microservice which implements it. We recognize that many of the standards and examples we present are oriented towards HTTP. However, with our broad definition of the term API, we also envision the use of event-driven approaches with message brokers. We also use the terms Users, Apps, Clients, and Servers. Users interact with Apps (application software), which are Clients to your API. In contrast, your API acts as a Server to the App. APIs can also act as Clients to other APIs, web services, databases, etc.—all of which we refer to as Servers. It is common practice to use the term messaging to describe API calls; we use both expressions interchangeably for the purposes of this paper.
User and app authentication
When you are presented with an App ID or a User’s username (a claim) in a call to your API, you must be able to verify the authenticity of that claim. This is done with some form of shared secret. When your API acts as an Identity Provider, it typically authenticates the claim by passing the same credentials to the LDAP server.
Multi-factor authentication (MFA)
Recognizing the weakness of username and password credentials, an App using multi-factor authentication (MFA) requires the User to present a one-time token, which they receive after authenticating with their credentials. This token may be delivered through SMS when the App requests an MFA Provider to do so. The User may also hold a digital key that generates a token the App can validate; an RSA SecurID token is an example of this. Once the App has received the token and validated it with the MFA Provider, it proceeds to consume your API.
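The paper does not name a specific token scheme; as an added illustration that is not part of the paper or of Anypoint Platform, the block below validates a time-based one-time token (TOTP per RFC 6238, built on HOTP per RFC 4226) the way an MFA provider would, and enforces the "one-time" property by refusing a token whose time step has already been consumed. The secret and timestamps are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed example secret for a single User's enrolled token device.
# In practice the App or MFA Provider obtains this at enrolment and stores it
# protected at rest; it is never sent with the token itself.
EXAMPLE_SECRET = b"constructed-demo-secret-0123"
STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # token length shown to the User


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step)


class OtpVerifier:
    """Validates a User's submitted token and enforces one-time use per time step."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # accepted clock skew, in time steps, either side
        self.last_counter = -1    # highest time step already consumed by a login

    def verify(self, submitted: str, at: int) -> bool:
        current = at // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue   # this step was already used: the one-time token is spent
            # constant-time comparison so timing does not leak how many digits match
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False
```

A replayed token is rejected even though it is still inside the clock-skew window, which is the property that distinguishes a one-time token from a reusable password.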
APIs are a strategic necessity to give your business the agility and speed needed to succeed in today’s business environment. But with the increasing cost of security breaches, senior IT decision makers quite rightly want assurances that exposing their data via APIs will not create undue risk. Anypoint Platform can automate the security and governance of your API, ensure that your API is highly available to respond to clients, and can guarantee the integrity and confidentiality of the information it processes.