Exposed APIs Are A Threat To Cloud Computing

Media Division | March 7, 2014

The cloud computing API market has undergone unprecedented growth in recent years, yet providers continue to face major challenges, including hardening and patching exposed APIs.

Exposed APIs in cloud computing carry risks to accountability, integrity, confidentiality and availability. Each individual risk might seem small, but the consequences that follow from it can be destructive.

Snapchat, which runs on Google's cloud platform, saw its API details leak to a hacking group. Though Snapchat doesn't publicly expose its API, the interface can still be documented and exploited. The root cause is how APIs are written and protected in the first place.

Researchers at Stanford University and the University of Texas at Austin, in a study of well-known web services, found that the interfaces used by third-party developers have significant flaws. Cloud infrastructure at payment giants PayPal and Amazon, Chase mobile banking and other web-based apps contained vulnerabilities in their SSL (Secure Sockets Layer) implementations. The paper concluded that such apps can be used to gain access to sensitive data through the APIs.

API authentication and token access

Authentication on the web typically involves a dialog that prompts the user for credentials. APIs instead use an access token for authentication; the token is obtained through an external mechanism such as OAuth or during sign-up. It is sent with each request to the API and validated before the request is processed.

Stored tokens are vulnerable to hijacking by a third party when the database holding them is breached. Buffer suffered this fate when Facebook and Twitter API tokens were stolen from its database and used to post on behalf of its clients.

The OAuth protocol also has weaknesses of its own that attackers can use in such breaches to collect and post sensitive information.

Network and component vulnerabilities

API networks can be susceptible to socket flooding, DoS and DDoS attacks and buffer overflows. DoS and DDoS attacks in particular can cause severe access problems for users and slow down service pages.

Apigee reports on its blog that DoS attacks against APIs are a growing threat. It cites the June 2012 AWS (Amazon Web Services) power outage, in which recovery was delayed by API errors. Though it wasn't clear whether this was a deliberate API DoS attack, it had a significant impact on AWS operations.

Though organizations can disable an access token used for application access and authentication as a remedial measure, a standard browser request can be used to reacquire the key.

Best practices for hardening API security

To counter exposed API threats and newer kinds of vulnerabilities, organizations need a solid security strategy. The following measures define the way forward:

1. Robust authentication

Robust authentication mechanisms and layered access controls help prevent breaches such as DoS attacks. These can include mutual Transport Layer Security (two-way TLS authentication), Security Assertion Markup Language (SAML) authentication and OAuth.

Though robust authentication can shield against deliberate DoS attempts, it won't help organizations whose APIs are simply overused. That case requires keeping the user base within the throttling and quota capabilities of the API platform.

2. Frequent monitoring

Monitoring helps identify API usage patterns and access locations over time. A sudden surge in aggregate API traffic could signal a DoS attack, while peak usage of an API plan's allocation may come from an anonymous login.

Tools and services are making it easy for organizations to keep tabs on API status. Zapier launched a monitoring tool last year that shows the uptime and downtime of every hosted API. Such offerings give companies a convenient view of how their APIs behave, along with flexible alerting through email, SMS and other notifications.

3. IP address restrictions

A company-wide IP address restriction policy can go a long way toward protecting APIs. It is particularly useful to organizations that want to deny requests coming from a particular IP address range; the API user profile then automatically reflects the IP restrictions.

For further protection, a rate limit can be set on permitted IP addresses, alongside extensive caching.
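As an added illustration of measures 2 and 3 (example code, not from the article or from any product it names), the following Python sketch applies an IP allow-list and a per-token rate limit to each request and flags a sudden surge in aggregate traffic; the networks, quotas and the request log are constructed values.

```python
# Added example, not from the article: a gateway policy layer combining an IP
# allow-list and per-token rate limit (section 3) with an aggregate traffic
# spike check (section 2). Networks, limits and the log are constructed values.
import ipaddress
from collections import defaultdict, deque

ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),   # assumed policy
                ipaddress.ip_network("10.0.0.0/8")]
RATE_LIMIT = 3         # requests per access token per window (assumed quota)
WINDOW_SEC = 60.0
SPIKE_FACTOR = 3.0     # alert when one second's traffic exceeds 3x baseline

class GatewayPolicy:
    def __init__(self, baseline_rps):
        self.baseline_rps = baseline_rps
        self.per_token = defaultdict(deque)  # token -> recent request times
        self.all_hits = deque()              # every request, allowed or not

    def ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in ALLOWED_NETS)

    def check(self, token, ip, ts):
        """Decide one request: 'allow', 'ip_denied' or 'rate_limited'."""
        self.all_hits.append(ts)             # the monitor counts denied traffic too
        if not self.ip_allowed(ip):
            return "ip_denied"
        q = self.per_token[token]
        while q and ts - q[0] >= WINDOW_SEC:  # expire requests outside the window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return "rate_limited"
        q.append(ts)
        return "allow"

    def spike(self, ts):
        # True when the last second's aggregate traffic exceeds the baseline by SPIKE_FACTOR
        while self.all_hits and ts - self.all_hits[0] >= 1.0:
            self.all_hits.popleft()
        return len(self.all_hits) > SPIKE_FACTOR * self.baseline_rps

# Constructed request log: (access token, source IP, timestamp in seconds).
SAMPLE_LOG = [("tok-A", "203.0.113.10", t) for t in (0.0, 1.0, 2.0, 3.0)] + [
    ("tok-B", "198.51.100.7", 4.0),     # source outside the allow-list
    ("tok-A", "203.0.113.10", 61.0),    # first requests have left the window
]
def run_sample():
    gw = GatewayPolicy(baseline_rps=1.0)
    decisions = [gw.check(t, ip, ts) for t, ip, ts in SAMPLE_LOG]
    for i in range(5):                  # constructed burst from one client
        gw.check("tok-C", "10.1.2.3", 100.0 + i * 0.1)
    return decisions, gw.spike(100.4)
```

In production these checks belong in the API gateway or the platform's quota layer, with the spike signal feeding the alerting channels described under measure 2.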

How do you protect client-facing and publicly exposed APIs? Feel free to leave comments.

MEDIA DIVISION
Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.