Cover Your SaaS: Ungoverned APIs
Ungoverned application programming interfaces (APIs) are among the most common cloud security mistakes I see. While APIs are generally a good thing (they enable automation such as cloud-to-cloud data synchronization and cross-application orchestration), they also provide wholesale access to corporate data.
Perhaps because we are human ourselves, we tend to focus on what the humans are doing within a given system. Unfortunately, human activity is only half of the equation. APIs are designed to provide broad access to data and business functions within a cloud solution, sometimes without an associated user account. So while end users enter the system through one door (a web or mobile UI) with a specific authentication scheme (standalone passwords or SAML), the APIs typically have a different entry point (REST, SOAP) and different authentication methods (HTTP Basic, OAuth). Strong controls on the first door, such as SSO or MFA, do not carry over to the second unless the API credentials themselves are governed.
Open / ungoverned APIs can lead to:
- A bad actor slurping your entire Box.net or Google Apps document repository through the API, despite your having strong user-level authentication on the UI.
- HR solutions such as Workday or Netsuite being exposed to former developers who still possess legacy credentials and can thus grab every ounce of employee PII you own.
- The enterprise's email solution, such as Gmail or Office365, providing full, privileged access to every email, attachment, and address book entry.
- Video conferencing compromises, whereby APIs are used to record sensitive business meetings.
- The list goes on and on…
Regularly review your API configurations and pay special attention to enterprise-scoped API keys and tokens. It is imperative to have accounting for which endpoints are being accessed, by whom, and with which credential.
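The review above, and the "former developer with legacy credentials" case from the list, can be reduced to a small audit: join the service's token inventory against its API access log and a list of current staff, then flag enterprise-scoped tokens, tokens whose owner has left, HTTP Basic credentials, and tokens nobody has used in 90 days. The script below is an added example, not code from the original post or from any of the products named in it. The JSON inventory, the JSON-lines access log, the staff directory and the field names (`scope`, `kind`, `token`, `endpoint`) are all constructed here; a real export from a Box, Google or Workday admin console will use its own format and needs a matching parser.

```python
"""Audit API tokens against an access log (added example; formats are assumed)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed token inventory (hypothetical export from a SaaS admin console).
TOKENS_JSON = """[
 {"id": "tok_01", "owner": "alice@example.com",    "scope": "user",       "kind": "oauth", "created": "2024-03-01T00:00:00Z"},
 {"id": "tok_02", "owner": "svc-sync@example.com", "scope": "enterprise", "kind": "oauth", "created": "2023-01-10T00:00:00Z"},
 {"id": "tok_03", "owner": "bob@example.com",      "scope": "enterprise", "kind": "basic", "created": "2022-11-05T00:00:00Z"},
 {"id": "tok_04", "owner": "carol@example.com",    "scope": "user",       "kind": "oauth", "created": "2023-09-20T00:00:00Z"}
]"""

# Constructed access log from the same service, one JSON object per line.
ACCESS_LOG = """\
{"ts": "2024-05-30T10:00:00Z", "token": "tok_01", "endpoint": "/v2/files/123",        "method": "GET"}
{"ts": "2024-05-31T02:00:00Z", "token": "tok_02", "endpoint": "/v2/files",            "method": "GET"}
{"ts": "2024-05-31T02:05:00Z", "token": "tok_02", "endpoint": "/v2/users",            "method": "GET"}
{"ts": "2024-05-29T23:10:00Z", "token": "tok_03", "endpoint": "/v2/employees",        "method": "GET"}
{"ts": "2024-05-29T23:11:00Z", "token": "tok_03", "endpoint": "/v2/employees/export", "method": "POST"}
{"ts": "2024-01-15T08:00:00Z", "token": "tok_04", "endpoint": "/v2/files/9",          "method": "GET"}
"""

# Constructed directory of current staff; bob has left the company but tok_03 still exists.
ACTIVE_USERS = {"alice@example.com", "svc-sync@example.com", "carol@example.com"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def usage_by_token(log_text):
    """Accounting: for each token, which endpoints it hit (with counts) and when it was last used."""
    usage = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        u = usage.setdefault(ev["token"], {"endpoints": defaultdict(int), "last_used": None})
        u["endpoints"][f'{ev["method"]} {ev["endpoint"]}'] += 1
        ts = parse_ts(ev["ts"])
        if u["last_used"] is None or ts > u["last_used"]:
            u["last_used"] = ts
    return usage


def audit_tokens(tokens_json, log_text, active_users, now=NOW):
    """Return one finding per token that needs a human look, with the reasons and its endpoint usage."""
    usage = usage_by_token(log_text)
    findings = []
    for tok in json.loads(tokens_json):
        u = usage.get(tok["id"], {"endpoints": {}, "last_used": None})
        reasons = []
        if tok["owner"] not in active_users:
            reasons.append("owner-not-active")   # former staff still holding a live credential
        if tok["scope"] == "enterprise":
            reasons.append("enterprise-scope")   # reads the whole tenant, not one user's data
        if tok["kind"] == "basic":
            reasons.append("basic-auth")         # long-lived password-style credential, no consent scope
        last = u["last_used"]
        if last is None or now - last > STALE_AFTER:
            reasons.append("stale")              # unused for 90+ days: revoke, nobody will notice
        if reasons:
            findings.append({"token": tok["id"], "owner": tok["owner"],
                             "reasons": reasons, "endpoints": dict(u["endpoints"])})
    return findings


if __name__ == "__main__":
    for f in audit_tokens(TOKENS_JSON, ACCESS_LOG, ACTIVE_USERS):
        print(f["token"], f["owner"], ",".join(f["reasons"]), f["endpoints"])
```

Run against the constructed data it reports three tokens: the enterprise-scoped sync token (fine, but it should be on a review list), the departed developer's Basic credential that is still pulling `/v2/employees/export`, and an unused personal token that can simply be revoked. The endpoint counts per token are the "which endpoints, by whom" accounting the paragraph asks for; the same join works for any service that can export both its credential list and its API audit log.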
Securing your APIs requires different skills from those of "traditional" network security teams: knowledge of programming as well as of modern web and mobile authentication methodologies.
There are more and more solutions that can help security teams review API posture. Sadly, every cloud solution is just a tad different, so special tooling is often required to automate the monitoring of API security across the enterprise.