It’s neither a secret nor a surprise that security is a growing problem in the world of information technology. Cyberattacks are expanding in frequency and scope on a near-daily basis. Every day, new vulnerabilities are uncovered and malicious attacks are launched at a rate that is difficult to keep up with.
Cybersecurity is, as a result, a pressing priority for most organizations. As information systems evolve, the need to increase security only grows. This is where API security comes into play.
What are APIs?
But first, let’s discuss what APIs are. API is an abbreviation of Application Programming Interface, which is essentially a set of definitions for building and integrating application software. APIs allow your applications to communicate with other applications (both private and public) without having to know how they’re implemented. APIs work by enforcing shared standards and protocols that applications use to communicate with one another. REST is the most prevalent protocol, but there are others too such as GraphQL, gRPC, and SOAP.
You can create APIs from existing microservices by defining the API endpoint (i.e.its URL), the exposed resources, the HTTP methods that will be used to access those resources, the format of the request, and response data (including the data types, data structures, and validation rules).
APIs simplify app development, reduce costs, and promote flexibility and collaboration. APIs can sometimes be thought of as contracts. They are essentially documentation that represents how Application 1 can communicate with Application 2. APIs are, in many ways, the glue that keeps microservices architecture together. They create a network that enables and optimizes microservice architectures.
What is API security and how does it differ from general application security?
Some consider API security to be an extension of general application security (AppSec), however, this is not quite true. While AppSec provides the process and frameworks for finding and fixing vulnerabilities, as well as improving the overall security posture of a system, API security deals with attacks that specifically target APIs.
API security is really about making sure communication between endpoints is safeguarded. API security may not be a simple extension of AppSec, but it is an integral part of all modern application security best practices.
Networking plays a more central role in microservice architectures — compared to monoliths — making security far more difficult as the attack surface is broader and more varied with a larger number of endpoints to attack. In monolithic architectures, calls move between different parts of the same system. The system itself must be protected, but each part is safe as it is contained within a (hopefully) secure system. In microservice architectures, calls move across different pieces of code through APIs. Each call must be protected as the system itself is distributed. Security is far more complex.
Why is API security important?
As API adoption continues to grow, so does the importance of proper API security. The Open Web Application Security Project (OWASP) Top 10 most common API security threats highlight how APIs are vulnerable to a number of attacks that can lead to data breaches. Those data leaks can have detrimental consequences for businesses as they can lead to company and customer data being publicly exposed.
What are the top methods of API security?
There are several types of methods that DevOps teams can use to secure APIs, each of which addresses a different type of security breach.
Rate Limiting
Rate limiting is a method DevOps teams can use to control the traffic flow within a distributed system. It ensures hackers cannot exhaust your infrastructure’s resources. It minimizes the danger of Denial of Service (DoS) attacks, where hackers flood your network with requests to shut down an application or prevent your users from accessing the application. It can also prevent malicious parties from exhausting your infrastructure’s resources by flooding your system with more requests than your system can handle. For example, a hacker might send 100 requests per second to a particular endpoint in order to overwhelm the back-end services handling those requests. These attacks can cause your system to become unresponsive or crash. Distributed rate limiting is a potent medicine against both.
Authentication and Authorization
In API security, there is also the need to make sure that only those clients that should have access have access. This is done by enforcing access control through authentication and authorization. By authentication, you’re essentially comparing attempts to access an application to a list of users that should have access. Your list of users might be stored in an internal database or an external identity provider.
By authorization, you’re authorizing users to access the information you want them to. This could be reading, editing, or transmitting data on a certain endpoint. The mechanics of how this works depends on the protocol being used for authentication and authorization. OIDC and SAML are both identification protocols. JWT and LDAP are also used for authentication and authorization. Different API gateways will support different protocols.
Encryption
Encryption is absolutely necessary to promote API security. It is about ensuring calls between services are not read or extracted while they are in transit by anyone listening on your network. Encryption sees to it that messages sent between APIs can only be read and deciphered by the intended audience. In the past, most teams would only encrypt certain messages. In particular, external APIs that would be consumed from outside your network would be encrypted. Today, a zero-trust mindset is becoming increasingly popular.
In zero-trust architectures, all calls sent between endpoints are encrypted, whether public or private. You assume that any message might be intercepted and encrypt its communication to ensure the system remains secure. You never know whether there’s a rogue user or client inside your network. Encryption does come with a certain trade-off in performance. A plain HTTP request will be more lightweight than an encrypted request. However, since cybersecurity is only becoming more and more important, it is ideal to maintain only encrypted API calls within your network.
Observability
Observability is a related but tangential topic when it comes to API security. Insufficient logging and monitoring are also part of the OWASP Top 10 API security threats. Without strong observability methods, you cannot identify and troubleshoot breaches or incidents as they occur. Observability is key in post-mortems too. It’s critical when securing your APIs to have access to logs so you can track who is accessing which application and when they are doing so. It’s key to integrate your API gateway with high-quality solutions for observability.
Prometheus and Grafana are two tools that pair well together to create a single solution that has become an open source standard for monitoring and observability. Instana can expand upon the capabilities already found in Prometheus and Grafana to, with Traefik Enterprise, give developers in-depth visibility into an application and its security.
Enhancing API security with Traefik Enterprise
API security may be intimidating from the get-go, but its importance cannot be overestimated. To get started implementing or enhancing API security in your architecture, perform an assessment of the current state of your architecture. From there, you can gain an in-depth understanding of your APIs and their endpoints, in order to know where you need to add encryption, access control for authentication and authorization, and rate limiting middleware. Choose an API gateway that fulfills your needs.
Traefik Enterprise is an all-in-one ingress controller, API gateway, and service mesh that helps you enhance your APIs across your architecture. It facilitates high-quality rate limiting, authentication and authorization, encryption, and observability. It balances functionality and security with an easy-to-use, developer-friendly approach.
Interested in giving Traefik Enterprise a try? Sign up for a free, 30-day trial, or request a demo today.
References and further reading
- OWASP API Security Project
- The History and Evolution of APIs
- API Gateway: What Is It And Why Is It Essential in Microservices Architecture?
- Rate limiting on Kubernetes applications with Traefik Proxy and Codefresh
- Top 5 API Security Best Practices for Protection, Resilience, Reliability and Scalability
- Capture Traefik Metrics for Apps on Kubernetes with Prometheus
- Eating the Kubernetes Observability Elephant with Instana and Traefik