Image credit: © 2000 Warner Bros. Entertainment, Inc.
Thirty-foot waves crashing all around. Constant rain. Cold. Hope is lost. This is the scene in George Clooney's tragic film, The Perfect Storm, which climaxes in the vain efforts of a group of sailors trying to push through a raging hurricane to get a boatful of fish to port. As I watched a rerun of this film the other week, I asked myself why these characters risked their lives to get through the epic storm. Desperation was my answer. They had tens of thousands of dollars' worth of product on board, and each fisherman desperately needed that cash. Desperation always leads to bad decisions, not just in fishing, but in all forms of business (and life in general).
This is important to be mindful of because a perfect storm is on IT’s horizon. From your vantage point, you may not recognize the severity of the peril that lies ahead or, worse still, you see it but are not taking appropriate precautions. Like Clooney and his comrades, you may be underestimating the danger because you desperately need to launch your product, raise more cash, pay back debts, satisfy investors, or meet other near-term goals that could lead to your demise. I really hope you don’t share the sailors’ fate. To help ensure that you don’t, in this article I will point out where this perfect security storm is brewing and how you can safely sail around it.
IT’s Perfect Security Storm is Brewing
Like the collision of hot air, thermal drafts, and the jet stream that led to the 1991 Perfect Storm depicted in the Clooney movie, three factors are colliding to bring about a very dangerous situation for IT organizations:
- The massive uptick in portable devices, cloud computing, big data, and social networking, which are mobilizing and connecting society
- The movement of enterprises into the API space (either voluntarily or as demanded by customers and partners)
- The growth of API providers into large-scale ecosystem players
The combination of these three phenomena is leading to the perfect security storm. Let me elaborate a little on what I mean by each of them, and then give you a map, so to speak, that will help you avoid the dangers they’re creating.
Nexus of Forces: The Eye of the Storm
The center of this storm is what Gartner calls the Nexus of Forces. What they mean to describe with this term is “the convergence and mutual reinforcement of four interdependent trends: social interaction, mobility, cloud, and information. The forces combine to empower individuals as they interact with each other and their information through well-designed ubiquitous technology.” These powerful trends have been reshaping our societies for nearly a decade and will, without a doubt, continue to do so for another decade. The increased mobility and always-on connectivity that these technologies enable are forcing families, schools, social groups, and governments to reorient themselves. They are causing a paradigm shift that rivals the one introduced by the Internet on which they are delivered.
Enterprises Enter the API Scene
These social shifts are also impacting businesses in all industries. Social, mobile, and cloud are allowing enterprises to reach customers more easily and with a more personal touch. They are forcing organizations to change their tactics and deliver value in new ways. They must reach customers where they are, and out-compete others for those precious few seconds when customers are listening. More and more often, this coveted interaction is taking place on mobile devices. A responsive website is a must these days, but a flexible website isn’t enough; for many companies, a mobile app is needed. This applies not only to for-profit companies but also to non-profits. Doctors, nurses, and other clinicians, for example, need access to very sensitive healthcare data wherever they’re working. Retailers, transportation providers, charities – all are using mobile channels more and more. Whether you’re providing healthcare data, manufacturing information, product specs, or other data, consuming these resources from a mobile app requires an Application Programming Interface (API). This contract forms the bridge between the mobile users consuming your apps and the data those apps need to perform their function. Because mobile is here forever, APIs are as well!
API Providers are Growing in Size
This underlying requirement that mobile apps have for APIs, together with the increasing adoption of the mobile channel by businesses and consumers, is causing API providers to grow to new heights. As more and more organizations enter the market, the need for specialized capabilities is accelerating the growth of API companies into massive platforms. On the basis of these providers, entire markets are being served and smaller suppliers are adding value on top of them. This growth from API provider to ecosystem can clearly be seen by observing Salesforce and Amazon. When you look at Google and Facebook (who each provide dozens of APIs), you have to wonder if these platforms are too big to fail! Growing beyond API provider to large-scale platform is not limited to these clichéd examples either; other lesser-cited cases include Twilio, Podio, Pearson, Elance-oDesk, Fyndiq, and more.
Culminating into a Raging Tempest
The collision of the Nexus of Forces, increased enterprise adoption of APIs, and the growth of Web service providers into bona fide API platforms is bringing about the perfect security storm. The combination of these things is resulting in more high-value data being accessible over the Internet. Social has made people more open to sharing online; organizations have emptied server rooms of the data they once contained, moving it to the sky; with mobiles, we can get to this data from anywhere at any time. It’s not just us though. Hackers can too!
The mass availability of data is what has led to so many record-breaking breaches of late. Surely, you’ve read about some of them: Heartbleed, Shellshock (the Bash bug), POODLE. These are far-reaching security vulnerabilities that strike at the heart of the Internet. These types of security issues are what have led to breaches like those affecting Kmart, the Home Depot, Target, and so many others.
Increased Frequency of Attacks
There is no sign of the storm abating, unfortunately. In fact, it will increase in the near term, and we will see more and more of these large-scale breaches. Attackers will concentrate on valuable targets like:
- High-worth individuals (CxO, sexy film stars, etc.)
- Enterprises (e.g., Sony Pictures Entertainment)
- API platform providers
Recent examples of this are the targeted attacks on Sony and the #Fappening. About the former, US Secretary of State John Kerry said that the “unprecedented attack [on Sony will] only strengthen our resolve to continue to work [to] ensure that the Internet remains open, interoperable, secure and reliable.” This type of resolve and dedication to preparedness is exactly what’s needed. How can you prepare yourself and your company? How can you secure your API and prepare for the ensuing storm? You must protect yourself, your employees, and your IT systems.
Protecting your People and Platform
API platforms are being – and will increasingly be – targeted by attackers. Hackers recognize that API providers are exposing their core business value through Web-based endpoints. By focusing on API providers who have achieved critical mass, the attackers are more likely to find data and information that will give them a large return on their efforts. Due to their large-scale deployments, API platforms expose many potential points of vulnerability. Taken together, this makes API platforms lucrative and sensitive targets.
Start by Protecting Yourself & Your Staff
Avoiding such attacks starts with you. You need to take certain countermeasures and see to it that your staff does the same. Work within your organization to enact policies that will require all employees to use effective security practices. As you define these, take into consideration the following protections:
- Reduce the number of passwords that people need to use by implementing Web Single Sign-on (SSO)
- Demand 2-Factor Authentication (2FA)
- Don’t reuse passwords across sites
- Use a password manager to store passwords
- Make sure developers aren’t storing passwords in code
In general, your goal should be to reduce the number of passwords you and your staff are using. Combine a password with a second “factor” or proof of one’s identity (e.g., a mobile phone or hardware key fob). Multi-factor authentication and SSO will increase your security and User Experience (UX) at the same time.
Don’t wait to do these things until you have a corporate policy requiring them! Get a password manager right now, and protect it with some form of 2FA (e.g., a grid key or hardware token). Don’t stop there though.
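One item on the checklist above, keeping passwords out of code, can be enforced rather than merely requested. The following is an added example, not code from the original post: a small Python scan over constructed source lines that flags quoted credential literals assigned to password-, secret-, key- or token-like names, while ignoring environment lookups, templated values and obvious placeholders. The file names, line contents and placeholder list are all constructed for the demo; a real deployment would run something like this as a pre-commit hook or CI step over the repository.

```python
import re
from typing import List, Tuple

# A credential-like name followed by an assignment and a quoted literal of 8+ characters.
# Environment lookups (os.environ[...], process.env.X) and templated values (${X})
# never match because the right-hand side does not start with a quote.
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)([a-z0-9_.-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[a-z0-9_]*)"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)

# Obvious dummy values that would otherwise generate noise (constructed list).
PLACEHOLDER_VALUES = {"changeme", "password", "example", "placeholder", "xxxxxxxx"}

# Constructed sample source lines, not taken from any real project: (file, line number, text).
SAMPLE_SOURCE: List[Tuple[str, int, str]] = [
    ("settings.py", 12, 'DB_PASSWORD = "hunter2-prod-2014"'),            # hardcoded: flag
    ("settings.py", 13, 'DB_PASSWORD = os.environ["DB_PASSWORD"]'),      # env lookup: fine
    ("client.js", 40, 'const apiKey = "sk_live_0123456789abcdefXYZ";'),  # hardcoded: flag
    ("client.js", 41, "const apiKey = process.env.API_KEY;"),            # env lookup: fine
    ("config.yml", 3, "secret: ${VAULT_SECRET}"),                        # templated: fine
    ("readme.md", 8, "Set PASSWORD in your environment before running."),  # prose: fine
    ("test_auth.py", 5, 'password = "changeme"  # placeholder'),          # placeholder: skip
]


def scan_source(lines: List[Tuple[str, int, str]]) -> List[Tuple[str, int, str]]:
    """Return (file, line number, variable name) for each hardcoded credential literal."""
    findings = []
    for filename, lineno, text in lines:
        match = CREDENTIAL_ASSIGNMENT.search(text)
        if match is None:
            continue
        name, value = match.group(1), match.group(2)
        if value.lower() in PLACEHOLDER_VALUES:
            continue
        # Report the name, never the value, so the finding itself does not leak the secret.
        findings.append((filename, lineno, name))
    return findings


if __name__ == "__main__":
    for filename, lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"{filename}:{lineno}: credential literal assigned to {name}")
```

The scan reports the variable name but not the value, so the finding can be logged or posted to a build without copying the secret into yet another place.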
Protect your Platform
API platform security must be architected into the system; you cannot bolt it on afterwards. No matter what anyone tells you, throwing an API proxy server in front of your actual API won’t make your platform secure. You will likely need one, but it isn’t a cure-all. What you need to do is sit down, think deeply, and come up with an architecture that is secure by design. Only after starting with a secure base can you implement safely.
To start, you should consider building with the Neo-security Stack. This is a suite of protocols and standards that address the security concerns that any API platform will have. Specifically, this stack includes the following:
- OAuth 2 for delegated access
- OpenID Connect for federation
- JSON Identity Suite for encoding digital identities
- SCIM for user and group provisioning
- U2F from the FIDO Alliance for authentication
- ALFA for authorization
To assemble these specifications into a security system that can protect your API, you will need to dive deep into these API security standards. Don’t shortcut this upfront work any more than you would the boarding up of your windows before a hurricane. After you’ve studied up on these, learn more about API platform security architecture, OAuth as it relates to microservices, and the need for identity management in API security. Also, check out this YouTube video (skip to 20:05) to learn about the security subsystems that you should include in your API platform:
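Where the stack above meets your API is the moment a request arrives carrying an OAuth 2 bearer token; the resource server has to validate it fully before any data is touched. The following is an added example, not code from the original post or from any of the standards bodies named: a Python resource-server check for a JWT-formatted access token. It uses HS256 with a shared key so it runs offline (production deployments normally verify the authorization server's RS256/ES256 signatures against its published keys). The issuer, audience, shared key and claims are constructed for the demo, and `mint_demo_token` stands in for the authorization server only so the example is self-contained.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo settings; a real resource server takes these from its configuration.
ISSUER = "https://as.example.test"      # hypothetical authorization server
AUDIENCE = "https://api.example.test"   # this API, as named in the token's aud claim
SHARED_KEY = b"demo-shared-secret-not-for-production"


class TokenError(Exception):
    """Raised when a token must be rejected; the message is for server logs, not clients."""


def _b64url_decode(segment: str) -> bytes:
    # JWS uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_access_token(token: str, key: bytes, issuer: str, audience: str,
                          required_scope: str, now: Optional[float] = None,
                          leeway: int = 30) -> dict:
    """Verify signature and registered claims of a compact JWS; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding failures
        raise TokenError(f"undecodable token: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise TokenError("header and payload must be JSON objects")
    # Pin the algorithm: the header never gets to choose, which rejects alg=none outright.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise TokenError("bad signature")
    # Registered claims (RFC 7519): iss, aud, exp, nbf. aud may be a string or a list.
    if payload.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this API")
    if "exp" not in payload or now > payload["exp"] + leeway:
        raise TokenError("token expired or missing exp")
    if now + leeway < payload.get("nbf", 0):
        raise TokenError("token not yet valid")
    # OAuth 2 scope is a space-separated list (RFC 6749 section 3.3).
    if required_scope not in payload.get("scope", "").split():
        raise TokenError("insufficient scope")
    return payload


def authorize_request(headers: dict, required_scope: str, now: Optional[float] = None) -> dict:
    """Pull the Bearer credential out of the Authorization header and validate it."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credential:
        raise TokenError("missing Bearer credential")
    return validate_access_token(credential, SHARED_KEY, ISSUER, AUDIENCE, required_scope, now)


def decision(headers: dict, required_scope: str, now: Optional[float] = None) -> str:
    """Log-friendly outcome: 'allow' or 'deny (<reason>)'; the client only sees 401/403."""
    try:
        authorize_request(headers, required_scope, now)
        return "allow"
    except TokenError as exc:
        return f"deny ({exc})"


def mint_demo_token(claims: dict, key: bytes = SHARED_KEY, alg: str = "HS256") -> str:
    """Stand-in for the authorization server, present only so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    now = time.time()
    good = mint_demo_token({"iss": ISSUER, "aud": AUDIENCE, "exp": now + 600,
                            "sub": "user-42", "scope": "orders:read profile"})
    print(decision({"Authorization": "Bearer " + good}, "orders:read"))   # allow
    print(decision({"Authorization": "Bearer " + good}, "orders:write"))  # deny (insufficient scope)
```

The order of checks matters: the signature is verified before any claim is trusted, the algorithm is fixed by the server rather than read from the token, and every rejection reason stays in the server log while the client receives only a generic 401 or 403.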
Conclusion and Recommendations
In today’s hostile Internet environment, API security is very serious. There are organized criminals that are making good money in cybercrime, and you don’t want to fall victim to their attacks. To avoid it, you need to prepare yourself. Do this by:
- Securing yourself and your personnel
- Protecting your infrastructure and systems
- Building on modern, open standards
- Using purpose-built security products
- Architecting your API to be secure by design
- Continually testing your API for security vulnerabilities
As you scale up to be a platform, API security becomes vital. I hope that you have found this information helpful. If you have questions or thoughts about any part of this post, I invite you to comment here or on Twitter. I also hope that the perfect security storm that’s brewing on the horizon will blow over you without any harm.