“Most cloud services use multi-tenant API gateways to identify and verify users. There’s an obvious problem here…”
The growth in the public cloud worldwide shows no sign of slowing down, with the market predicted to be worth around 160 billion U.S. dollars by 2020. And this trend has become even more widespread in the UK since the introduction of the Government’s Cloud First policy in 2013, which aims to make the cloud the default choice for a variety of computing services. While the UK Government’s Austerity Programme has had some effect on take up, the overall trend is still consistent. Many UK departments have already made this decision based on risk management assessments.
Migration to the cloud essentially means moving sensitive government data to a third-party infrastructure and often relying on that third party for security.
Government guidelines say that with cloud services, users need to take ‘a shared approach to responsibility … [and] Where appropriate you should layer security controls on top of those built into the cloud services you are using.’
Ideally the government should itself own the cloud where the data is stored, but the cost and effort required for this may often be prohibitive and of course no system used on the internet is guaranteed to be 100% secure.
This means that highly personal information, including names, addresses, National Insurance numbers, tax submissions, property registration, defence capabilities, passports, medical records and driving licences, may be stored in data centres operated by the major public cloud providers such as Amazon Web Services or Microsoft Azure.
Both of these providers are highly favoured by the UK Government, but both have experienced security breaches in recent times and there are also some legal requirements that need to be considered such as the Data Protection Act and the EU’s GDPR Directive.
APIs: Enabling the World
All of this stored data is accessed remotely via APIs (Application Programming Interfaces), which control how different pieces of software communicate and interact with each other. APIs are the communication synapses amongst cloud applications and allow applications to talk to and share data with each other over the internet.
APIs underpin almost everything we do every day, from banking to shopping to controlling our heating. They have enabled the growth of most of the major computing trends of the last few decades, including cloud computing, and have also played a role in the widespread adoption of smartphones and tablets (and other smart, connected devices such as fitness trackers and smartwatches), the Internet of Things, and even social media.
It doesn’t matter how secure the cloud service provider is, the APIs by which data is accessed will always remain a weak link in the chain, and therefore a major target for hackers. This is very alarming because functionality, not security, tends to be the primary concern when building an API.
Securing APIs is often an afterthought, and the result is frequently a false sense of security. Choosing API products that are based on toolkits or lightweight API gateways provides only a small portion of the security capabilities an API needs. In fact, most API products simply provide access control and tout it as API security. However, API security is much more than access control. APIs are the conduit for inbound and outbound data in your applications, and so data security, intrusion detection, data leakage, data privacy and data integrity are all essential aspects of API security that are missing from the capabilities of the cloud provider and the API toolkit.
API vulnerabilities are not always easy to spot and require specialised technology for detection and prevention. In fact, if you look at the latest version of the OWASP Top 10 (the highly respected, peer-reviewed list of the top vulnerabilities facing organisations today), 9 of the top 10 vulnerabilities now note APIs.
This top 10 listing is derived from actual deployments and reported threats, and thus clearly demonstrates the growing API risks and the need to treat API security as a critical aspect of your cybersecurity strategy.
Cloud API Security Gateway
Most cloud services use multi-tenant API gateways (meaning shared across different customers and applications) to identify and verify users, as well as to act as the single point of entry across many disparate APIs.
There is an obvious problem here in that the very location that is designed to share information is also the place that needs to be most highly protected and secured. The API gateway, acting as the single point of entry, also becomes the target of compromise. Because it is the gatekeeper into the service, it is by definition the main focus of a hacker’s attack. If a hacker can compromise the API gateway, they will have direct access to the applications and systems behind it.
The only way to truly protect the data held in a public cloud is to embed secure API gateways within the cloud itself. Secure API Gateway technologies are “API Security Gateways”. The key difference is that these products are cybersecurity products first and foremost, not just integration products.
API Security Gateways adhere to fundamental secure product architecture principles such as a locked down and secure operating system, self-integrity health checks to detect compromise, integrated PKI engine, and independent security certifications which validate the security and integrity of the product itself.
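The self-integrity health check mentioned above, as an added illustration that is not code from the original article or from any product it describes: the gateway records a SHA-256 digest of each policy and configuration artefact in a manifest, seals the manifest with an HMAC, and on every health check re-verifies both the seal and the files. The file contents, paths and sealing key are constructed for the example; in a real product the key would be held by the gateway's PKI engine or an HSM.

```python
import hashlib
import hmac
import json

# Constructed sample of a gateway's policy and config artefacts (path -> bytes).
# A real gateway would read these from its locked-down filesystem.
BASELINE_FILES = {
    "etc/gateway/policy.json": b'{"allow": ["/v1/records"], "deny": ["/v1/admin"]}',
    "etc/gateway/tls.conf": b"min_version = TLS1.2\n",
}
# Hypothetical sealing key: in a real product this comes from the gateway's
# PKI engine or an HSM, never from a file the attacker could read or rewrite.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict, key: bytes) -> dict:
    """Record a digest per file and seal the digest list with an HMAC, so an
    attacker who edits a file cannot also rewrite its expected digest."""
    digests = {p: sha256_hex(c) for p, c in sorted(files.items())}
    payload = json.dumps(digests, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}

def verify_integrity(files: dict, manifest: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the gateway is intact."""
    payload = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Check the seal first: a forged manifest would otherwise "approve" tampered files.
    if not hmac.compare_digest(expected, manifest["mac"]):
        return ["manifest MAC mismatch: manifest itself has been altered"]
    findings = []
    for path, digest in manifest["digests"].items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest["digests"]:
            findings.append(f"unexpected: {path}")
    return findings

if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES, MANIFEST_KEY)
    tampered = dict(BASELINE_FILES)
    tampered["etc/gateway/policy.json"] = b'{"allow": ["/v1/records", "/v1/admin"]}'
    print("baseline:", verify_integrity(BASELINE_FILES, manifest, MANIFEST_KEY))
    print("tampered:", verify_integrity(tampered, manifest, MANIFEST_KEY))
```

A gateway would refuse to serve traffic, or at least raise an alert, whenever the findings list is non-empty.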
Take Control: Don’t Leave API Security to the Cloud Providers
Trusting the cloud vendor’s gateway alone for security will leave your cloud application blind to attack. Corporate security is one important aspect that should not be entirely outsourced. Realising the benefits of the cloud does not have to mean relying on someone else to protect your company and its reputation. Deploying API Security Gateway technology in the cloud allows your company to control its own governance and security policies and ensures that a compromise of the provider will not impact your deployment.
By deploying its own API Security Gateways directly in the public cloud, the public sector can yield the benefits of the cloud while still retaining ultimate control and security over its data.