API security starts with authentication and authorization, then data security and availability. In this post, I will review security considerations for an API gateway and how the capabilities of the Kong Gateway address them.

First, let's review different aspects of API security in detail.

API Security

A well-designed API should support the following security characteristics or pillars:

Authentication: An API should guarantee the confidentiality of the information it processes by making it visible only to the users, applications and servers that are authorized to consume it. Let's collectively call the users, applications and servers the "consumers" of the API. In order to guarantee this security quality, APIs should have the ability to identify these consumers. This is achieved through various forms of authentication.

Authorization: An API should support role-based access to data and provide the data only if consumers are authorized to consume it. This is achieved through retrieving scopes, roles, groups and other attributes associated with these consumers based on the identity.

Integrity: It must be able to guarantee the integrity of the information it receives from the consumers and servers that it collaborates with. It will only process a message if it knows that it has not been modified or tampered with by a third party in transit. This is achieved through verification that the message was not modified, using digital signatures.

Confidentiality: It must be able to guarantee information confidentiality. The integrity of a message sent by a known consumer is assured, but in transit it may have been spied on or sniffed by a third party. The message/data may have private details like personally identifiable information (PII), personal health information (PHI) or financial information that should be kept confidential. It is necessary to hide those details from the point of delivery by the consumers to the reception by the API and server. This is achieved through message encryption and transport layer security (TLS).

Safety: It must provide interface documentation that details request, response and authentication/security schemes. Interface/API documentation provides security benefits like message validation that prevents harmful data attacks, SQL injection, sending oversized messages (by validating the size of the message), etc.

Availability: It must always be available and respond to requests. This includes the ability to scale the API based on load, prevent overloading of upstream services and protect against denial of service attacks.

Let's review each of these characteristics or pillars in detail.

Authentication and Authorization

Authentication involves identifying the requester of information or a resource and challenging that entity for authentication material or credentials. Authorization involves verifying whether that authenticated entity actually has permissions to execute a function or CRUD (create, read, update and delete) operations on data.

As organizations have shifted towards heavily distributed architectures and the use of cloud services, the traditional security best practice of locking down a perimeter has become less useful. Authentication and authorization are foundational to all security domains, including API security. The identity of the consumers is stored in Identity and Access Management (IAM) and is now used heavily to control access to functionality and data, and is also an enabler of zero-trust architectures.

When considering security best practices for authentication and authorization, the API and the IAM should be able to differentiate between user identities and machine identities. While it is possible to challenge a user for additional authentication material in a session, this option is not available for machine communication. The API also should support federated identity providers, as most organizations have multiple security contexts and identity stores/providers.

There are several methods that support authentication:

Basic Authentication: This is where consumers pass username/password in headers. It is an older authentication method and is not recommended.

API Keys: This is a static key or id identifying the consumer. API keys alone are not a sufficient form of authentication and should be used primarily as one form of identification. If API keys are used, ensure that consumption is monitored and rotate API keys often. Realistically, API keys should be paired with additional authentication factors such as certificates (option d).
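As an added illustration (not code from this post, nor from Kong Gateway), the following Python sketch shows the pillars and the API key guidance above as gateway-side checks: the key only identifies the consumer, a keyed-hash (HMAC) signature stands in for the digital signature the post mentions as the integrity check, the key carries an expiry so rotation is enforced, every identified call is counted for monitoring and a per-consumer quota, and the body size is validated before anything else. Consumer names, secrets, header names and limits are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed consumer registry (demo values, not real credentials). The API key
# only identifies the consumer; the secret, the expiry and the scopes are what let
# the gateway authenticate the call, force rotation and authorize access.
CONSUMERS = {
    "key_billing_01": {"consumer": "billing-app", "secret": b"demo-secret-billing",
                       "expires": 1_700_000_000, "scopes": {"orders:read"}},
}
MAX_BODY_BYTES = 1024    # Safety pillar: reject oversized messages up front
RATE_LIMIT_PER_MIN = 3   # Availability pillar: per-consumer quota (tiny for the demo)
USAGE = {}               # Consumption monitoring: consumer -> request timestamps

def sign(secret, method, path, body):
    """HMAC-SHA256 over method, path and body, computed by the consumer and the gateway."""
    msg = b"\n".join([method.encode(), path.encode(), body])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_request(key, secret, method, path, body):
    """Client side: attach the identifying key plus the integrity signature."""
    return {"X-Api-Key": key, "X-Signature": sign(secret, method, path, body)}

def authorize(headers, method, path, body, required_scope, now=None):
    """Gateway side, cheapest checks first. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if len(body) > MAX_BODY_BYTES:
        return False, "payload too large"
    rec = CONSUMERS.get(headers.get("X-Api-Key", ""))
    if rec is None:
        return False, "unknown api key"              # key identifies nobody
    if now > rec["expires"]:
        return False, "api key expired, rotate it"   # rotation enforced by expiry
    window = [t for t in USAGE.get(rec["consumer"], []) if now - t < 60]
    window.append(now)
    USAGE[rec["consumer"]] = window                   # every identified call is counted
    if len(window) > RATE_LIMIT_PER_MIN:
        return False, "rate limited"
    expected = sign(rec["secret"], method, path, body).encode()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "").encode()):
        return False, "bad signature"                # key alone does not authenticate
    if required_scope not in rec["scopes"]:
        return False, "insufficient scope"
    return True, rec["consumer"]
```

A request carrying only the key reaches the registry lookup but is rejected at the signature check, which is the practical meaning of "identification, not authentication".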