Cloud Application Programming Interface (Cloud API): The Cloud Security Alliance (CSA) report “Major Threats Facing Cloud Computing” proposed some emerging risks, and revised and reordered existing risks. The report is titled “Nine Sins: Major Threats to Cloud Computing.” This report is based on feedback from cloud computing and the security community. Many individuals and organizations weigh and compare the risks they face, which risks they should pay attention to. These are the areas that report deserves more attention. Let’s go in details on the Security of Cloud API and the problems to be solved.
As one of the three co-chairs of the working group responsible for the report, I asked many questions about the fourth threat on the list, such as what does “insecure interface and API” mean? What are the risks involved? And how does the organization evaluate and ensure these cloud APIs?
In this article, we will discuss the security of cloud APIs and answer these urgent questions.
Define the Risks of Insecure APIs
First of all, for those who are unfamiliar with what cloud APIs are and how to use cloud APIs, cloud APIs are essentially software interfaces. Cloud providers use cloud APIs to allow users to manage cloud services, typically standards-based cloud APIs. . APIs can make many common cloud computing processes easier and automate more complex business requirements, such as configuring various clouds among multiple vendors, and applying third-party management platforms for cloud and on-premise systems.
However, Cloud API pays special attention to cloud providers and cloud customers. As stated in the “Nine Deadly Sins” report, insecure cloud APIs can bring multiple risks in terms of confidentiality, integrity, availability, and accountability. Although all cloud service providers should pay close attention to the security of their APIs, it varies from person to person. Therefore, it is important to understand how to analyze the security of cloud APIs.
A good starting point for analyzing cloud provider APIs is Gunnar Peterson’s Web Services Security Checklist (PDF), which raises many questions similar to the CSA report. The following includes some of the main areas that customers should focus on:
1. Transmission security.
Most APIs are provided through many different channels, but APIs that need to interact or carry sensitive data should be protected through secure channels, such as SSL/TLS or IPSec. It may be difficult or impossible to establish an IPSec channel between a cloud service provider (CSP) and a customer. Therefore, it is easier to establish an SSL/TLS channel. However, this brings a lot of potential problems. For example, when the agent platform must be used as an intermediate medium, there will be problems in the generation and management of valid certificates authorized by internal or (more common) external certificates, configuration problems of platform services, software integration and terminal End-to-end protection issues.
2. Identity verification and authorization.
Many cloud APIs focus mainly on authentication and authorization, so for many customers, this is also a key area of ​​focus.
Questions for consulting CSP include:
- Can API manage user name and password encryption?
- Secondly, Can two-factor authentication attributes be managed?
- Can fine-grained authorization policies be created and maintained?
- Is there continuity between internal identity management systems and attributes? and
- Is there continuity between the internal identity management system and the API extension attributes provided by the cloud provider?
3. Code and development practices.
Any API that is sent through JSON and XML messages, or accepts user and application input, must undergo rigorous testing of standard injection attacks and cross-site request forgery (CSRF) attacks, pattern verification, and input and output encoding.
4. Message protection.
In addition to ensuring that the code generation follows * practices, other factors that the API mainly considers include message structure, integrity verification, encryption or encoding.
5. How to ensure the security of cloud API
Once the organization has a good grasp of the problems caused by insecure APIs, it can take measures to ensure cloud APIs. First, determine the API security of the cloud provider through the API documentation, including the existing application assessment results and reports. These are presented in the form of the Attestation Business Standards 6 Report (StatementonStandardsforAttestationEngagements*6) or other reports. Practice and audit results. Dasein Cloud API is a good example of open source and extensible cloud API documentation.
In addition to the documentation, the customer should ask the cloud provider to be able to perform penetration testing and vulnerability assessment on the API, or the cloud provider can complete these tests by themselves, or through a third-party supplier to complete these tests, and the customer and potential customers can reach confidentiality Agreement, so customers can evaluate security practices. Use the combination of network and application control, as well as good development practices and QA testing, to protect the API of Web services and prevent the top 10 vulnerabilities in the list of common application security vulnerabilities in open web application security projects.
Cloud Service Providers
In addition, many cloud service providers provide customers with encryption keys that utilize API access and authentication mechanisms. It is vital for customers and cloud service providers to protect these keys.
The security policy can ensure the rationalization of the generation, transmission, storage, and processing of the key, and the key should be safely stored in the hardware security module or other encrypted file storage. It should be avoided that the key is embedded in configuration files or other scripts, or directly embedded in the code, because these situations will update the key and make the key a nightmare for and others.
Cloud service providers, such as Amazon and Microsoft’s Azure, include hash-based message authentication codes with symmetric keys, which have integrity and avoid the transmission of shared secrets through untrusted networks. Any third party that builds a CSP-based API should follow this recommendation, focusing on keys (and general API security) like CSP.
Topics related to The Security of Cloud API and the problems to be solved
- how to overcome security issues in cloud computing
- List of cloud security issues and solutions
- 2021 cloud computing problems and solutions
- cloud computing security issues and solutions pdf
- cloud computing security issues and challenges
- how to improve security in cloud computing
- what are the security challenges if any with cloud computing
- cloud application security issues
Conclusion
With the development of cloud application development and integration, there is no doubt that cloud users are facing serious threats brought by insecure APIs. Fortunately, suppliers also face the same problem, which will not appear in the next-generation CSA hot threat list.
