Cloud Services and Security – Considerations for better API Security
APIs are the vulnerable underbelly of modern hybrid cloud services. Organisations are moving to cloud services to save money, streamline IT provision and make the management of the infrastructure someone else’s problem. Yet moving to the cloud poses its own set of unique security threats, with new risks needing to be properly managed. Without a cogent and well thought through strategy, your shiny new IT solution could well be your company’s downfall. API Security must be a priority.
Why Are Cloud Systems So Risky?
Cloud solutions run on someone else’s hardware, datacentre infrastructure and networking. The cybersecurity risks posed by multitenant virtual machines, using shared hardware resources and storage, with shared databases and shared cryptographic systems, serve to extend the attack surface businesses face today.
Given the lack of control consumers have over the underlying cloud technologies and the software they run on, the threats organisations need to focus on are those directly under their control. Loss of sensitive or personally identifiable information (PII) presents the biggest threat.
Key considerations when adopting a cloud service
A variety of considerations need to be reflected upon prior to adopting a cloud service, such as:
- Access control needs to be integrated and managed, aligning it with corporate policies;
- Sensitive customer information (PII) stored in the cloud should be encrypted, since the threat posed by malicious insiders in the workforce of the cloud service provider is real;
- Interfaces between your organisation and the cloud service provider need to be secured from API hijacking, impersonation and session hijacking;
- Code reviews, penetration tests and vulnerability assessments should be used to de-risk service onboarding.
API Security
Cloud services are accessed through application programming interfaces (APIs) or directly through browsers. APIs are used for provisioning users and services, as well as management and service monitoring. These activities all need to be secure.
APIs should prevent remote threat actors from gaining access to cloud instances and data, and they should protect consumers from accidental misconfigurations that might expose them to attack. One issue is that APIs are not the only component in the attack surface: you also need to consider third-party add-ons, as you do with browser technologies.
Furthermore, you need to control access, as you do with internal on-premises applications, since individual teams might misconfigure something that allows users to bypass your access control policy. Even mobile applications pose a threat, since they can expose data to attack from malicious applications also installed on users’ phones.
Some threats also pass credentials to external sites, where criminals harvest them, launch further attacks against the users, and masquerade as those users to extract data from the cloud-based service.
Most cloud service providers are concerned about security and build controls into their APIs. By way of example, Amazon’s API Gateway provides several mechanisms to control access, including metering and tracking of API usage via specially provisioned private API keys. Amazon’s identity and access management system allows organisations to define role-based access policies so that your stringent access control rules for separation of duties and privilege management translate directly into the cloud service.
Most APIs provide a variety of communication protocols and include encryption. You need to understand how APIs work and what their options are, and you need to know whether it’s important to protect that communication channel. Any channels to APIs that carry PII should be encrypted, with appropriate authentication. All insecure protocols should also be deprecated and only fully authenticated users should be able to gain access.
Considerations for Better API Security
If the API you need to interface with doesn’t provide inherent security, you should really consider whether you want to take that risk. Providers like Amazon and Microsoft have IPsec capabilities built into their systems, so tunnels between the cloud and the customer can be established to protect all data in transit. Even if the API cannot use IPsec, you can fall back to SSL/TLS, which provides adequate transit security.
Note: Encryption brings a plethora of problems, including management of digital certificates and the potential for misconfigurations and inherent vulnerabilities in the cryptographic protocols. However, encryption will protect your data in transit and at rest, so you need to understand how it helps you secure your data. These potential technical issues are not good reasons to ignore the protection of your PII.
The next thing to consider, especially when you have little control over what goes on behind the scenes, is protective monitoring of API usage. If you use a technology gateway, such as a Cloud Access Security Broker (CASB), to broker and manage access to the cloud service provider’s gateway, you can ingest the logs created from access requests, communication channels and data transfers and profile them using data mining tools. Your security operations centre is well versed in data mining, using Security Information and Event Management (SIEM) technology to look for behavioural anomalies, indicators of attack and compromises, so hooking the cloud-based service logs into your SOC makes a lot of sense.
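The following is an added example, not code from the original article or from any CASB or SIEM vendor, showing the kind of profiling described above: it reads API access records and flags bursts of authentication failures, a valid API key used from an unfamiliar source, unusually large responses and unparseable records. The JSON-lines record format, field names, key names, baseline and thresholds are all assumptions made for illustration, and records are assumed to arrive in time order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical CASB/API-gateway JSON-lines format.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00","key":"svc-billing","ip":"10.1.1.5","path":"/v1/invoices","status":200,"bytes":4200}
{"ts":"2024-05-01T09:01:00","key":"unknown","ip":"203.0.113.7","path":"/v1/users","status":401,"bytes":0}
{"ts":"2024-05-01T09:01:05","key":"unknown","ip":"203.0.113.7","path":"/v1/users","status":401,"bytes":0}
{"ts":"2024-05-01T09:01:10","key":"unknown","ip":"203.0.113.7","path":"/v1/users","status":403,"bytes":0}
{"ts":"2024-05-01T09:02:00","key":"svc-report","ip":"198.51.100.23","path":"/v1/export","status":200,"bytes":52000000}
{"ts":"2024-05-01T09:03:00","key":"svc-billing","ip":
"""

# Assumed policy values: known-good source IPs per API key, failure threshold, egress ceiling.
BASELINE_IPS = {"svc-billing": {"10.1.1.5"}, "svc-report": {"10.1.2.9"}}
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(seconds=60)
BYTES_LIMIT = 1_000_000

def detect(log_text):
    """Return distinct findings, in first-seen order, from time-ordered log records."""
    alerts = {}                      # dict used as an ordered set of (rule, detail)
    failures = defaultdict(deque)    # source IP -> timestamps of recent 401/403 responses
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            e = json.loads(line)
            ts = datetime.fromisoformat(e["ts"])
            key, ip, path = (str(e[k]) for k in ("key", "ip", "path"))
            status, size = int(e["status"]), int(e["bytes"])
        except (ValueError, KeyError, TypeError):
            alerts[("malformed_record", f"line {n}")] = None   # gaps in telemetry are findings too
            continue
        if status in (401, 403):
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_LIMIT:         # candidate for throttling at the gateway
                alerts[("auth_failure_burst", ip)] = None
        elif 200 <= status < 300:
            if ip not in BASELINE_IPS.get(key, set()):   # valid key, unfamiliar source
                alerts[("key_from_new_source", f"{key}@{ip}")] = None
            if size > BYTES_LIMIT:                       # unusually large response body
                alerts[("large_egress", f"{key}:{path}:{size}")] = None
    return list(alerts)
```

In practice the per-key baseline would be learned from historical logs in the SIEM rather than hard-coded as it is here.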
Cloud Services are here to stay – get ready
Cloud services are here to stay and investments from Amazon and Microsoft, as well as Google and other smaller providers, mean any business can realise value from moving to the cloud. APIs provide access to cloud resources, but misconfigurations and vulnerabilities expose data to attack, so it is vital that organisations take time to understand what can be done with API Security.
Compose a threat model for the cloud, and consider putting architecture in place that manages access to the services from your business, such as a CASB configured to log access requests and throttle connection attempts that look like attacks. Ingest logs into your SIEM tool and have your incident response processes updated to provide appropriate steps to investigate and eradicate threats. To better secure your cloud service, make API Security a priority.