Insecure API Cloud Computing: The Causes and Solutions

November 16, 2020

In an ideal world APIs streamline cloud computing processes. But it's not always that black and white. There's a gray area where APIs, when left unsecured, can open lines of communication that allow individuals to exploit private data. And there are numbers to back up the reality of this threat.

 

In 2018 alone, insufficient API security was the cause of at least half a dozen high-profile data breaches. By 2022, Gartner estimates that APIs will be the vector used most frequently in attacks involving enterprise application data.

 

 

What Makes Insecure APIs Such a Looming Threat?

One reason cyber criminals are drawn to cloud APIs is that they have become the norm in IT infrastructures. According to a recent study from Imperva, over two-thirds of organizations expose APIs to the public so business partners and external developers can access software platforms. The study results also indicated that the typical organization manages an average of 363 APIs, and 61% of organizations reported that their business strategy relies on API integration.

 

As dependency on APIs increases, cybercriminals have found two common ways to leverage them for malicious purposes.

 

The Exploitation of Inadequate Authentication -
In some cases, developers create APIs without authentication. As a result, these interfaces are completely open to the internet and anyone can use them to access enterprise systems and data. Think of it as walking around a neighborhood trying doors until you find one left unlocked.

 

Profiting from Increased Use of Open-Source Software -
A component-based approach to software development has become commonplace in the IT world. To save time, many developers incorporate open-source software into their code. This can leave many applications open to supply chain attacks. For instance, a developer could download components from public online Docker hubs that are unknowingly tainted with cryptocurrency mining code.

 

Leaking Information to the Web -
Modern development processes emphasize efficiency and velocity. As a result, many configuration objects find their way onto the internet, with potentially catastrophic results. A simple Google or GitHub search can turn up this information in a matter of seconds. This information can be AWS or other Cloud Service Provider API keys, root passwords configured in Dockerfiles or much more. It’s crucially important to keep tabs on credential information that can potentially be exposed.

 

 

The Best Defense Against Insecure Cloud APIs

To avoid accidental or malicious data exposure via APIs, businesses should consider adopting the following best practices:

 

  1. Encourage developers to practice good "API hygiene." APIs should be designed with authentication, access control, encryption and activity monitoring in mind. API keys must be protected and not reused.
  2. Rely on standard API frameworks designed with security in mind. Examples of this include the Open Cloud Computing Interface (OCCI) and the Cloud Infrastructure Management Interface (CIMI).
  3. Ensure complete visibility into the enterprise security environment. Even with comprehensive policies for cloud API design, security issues are never off the table. Businesses must invest in solutions that provide complete visibility - like network detection and response - so security teams can quickly identify and address API security risks.
Matt Cauthorn
VP Security | ExtraHop
Matt Cauthorn oversees the ExtraHop Networks Security Sales Engineering and enjoys studying the intersection of business and technology. Prior to joining ExtraHop, Matt was a sales engineering leader at F5. He’s a passionate technologist and evangelist. He holds an MBA from Georgia State University and a Bachelor of Science degree from the University of Florida. Matt speaks at industry events, has been featured on podcasts and is quoted in industry coverage.
Would you like to speak to an advisor?

How can we help you today?

Image
field-guide-cloud-list-image@2x.jpg
Cybersecurity Field Guide #13: A Practical Approach to Securing Your Cloud Transformation
Image
OptivCon
Register for an Upcoming OptivCon

Ready to speak to an Optiv expert to discuss your security needs?