Click here to close now.




















Welcome!

@CloudExpo Authors: Liz McMillan, Srinivasan Sundara Rajan, Dan Koloski, Pat Romanski, Elizabeth White

Related Topics: Microservices Expo, Java IoT, Linux Containers, @CloudExpo

Microservices Expo: Article

One Simple Step Can Make Your APIs More Secure

APIs have unique risk profile that must be managed

APIs - application programming interfaces -- are an old technology that has become today's hottest method for getting critical data to mobile apps. APIs are good for business. APIs drove $2 billion in business for Expedia by securely exposing valuable content to its affiliate network.

But there are hidden dangers to using APIs. APIs share many of the same threats that plague the web, but APIs have unique risk profile that must be managed. It is a mistake to think we can secure APIs the same way we secure the web.

But there are some really simple things that anyone implementing an API can do, right now, that will minimize the risk of APIs. Here's one I've pulled from a new eBooklet by Scott Morrison of CA Technologies called Five Simple Strategies for Securing Your APIs. The tip? Turn on SSL for your API and keep it on.

Most of us surf the web every day with no SSL (Secure Sockets Layer), and the only time we use it is when we're on Amazon.com and we're buying a book and need to put in our credit card number. We turn it on to buy the book, and then we turn it off because, in the early days of the web and even up until five years ago, SSL was very costly to run. Web sites were getting hammered by traffic, and using SSL slowed things down even more. There was a whole industry that sold SSL accelerator boards for web servers.

This created a culture of only turning SSL on when we really need it. Even though SSL provides strong security if it's applied correctly, we've gotten used to leaving ourselves open and vulnerable because it once hurt our performance to use it all the time.

People are now bringing that same mentality from the web over to APIs. They might have two APIs, one for buying books and the other for looking up shipping costs. Because the buy book API deals with important information, like credit cards, it gets wrapped in SSL. But the other API gets left in the clear. According to Morrison, this is a bad idea, and he thinks everyone should be using SSL all the time for all APIs, full stop.

Google, for example, has shown us that you can connect to their servers with or without SSL with no penalty in performance. The modern CPU is pretty good at doing the kind of floating point math required to do SSL efficiently. And, perhaps more importantly, the cloud has made CPU resources really cheap. It takes next to nothing to provision a few extra servers to handle any extra workload caused by SSL.

The security gains of turning SSL on for all transactions happening on your API far outweigh the minor performance loss. Not using SSL is an example, says Morrison, of the web mentality coming into the API world and being misapplied. APIs are much more vulnerable to attack than web sites. Not using SSL might once have made sense in the web world, but it certainly doesn't make sense in the API world in 2014. Morrison says we should be applying SSL to every API transaction, full stop.

This covers only one of the five simple tips Morrison shares in his eBooklet, Five Simple Strategies for Securing Your APIs. I think you might find the rest of his suggestions equally insightful and actionable.

More Stories By Jackie Kahle

Jackie is a 30-year veteran of the IT industry and has held senior management positions in marketing, business development, and strategic planning for major systems, software, and services companies including Hewlett-Packard, Compaq, and Gartner. She currently manages the strategy and execution of CA Technologies thought leadership programs. Jackie has an MBA from the Whittemore School, University of New Hampshire, a BA in Mathematics from New York University and is the Vice-Chair of the N.H. State Council on the Arts.

@CloudExpo Stories
"We've just seen a huge influx of new partners coming into our ecosystem, and partners building unique offerings on top of our API set," explained Seth Bostock, Chief Executive Officer at IndependenceIT, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
Chuck Piluso presented a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. Prior to Secure Infrastructure and Services, Mr. Piluso founded North American Telecommunication Corporation, a facilities-based Competitive Local Exchange Carrier licensed by the Public Service Commission in 10 states, serving as the company's chairman and president from 1997 to 2000. Between 1990 and 1997, Mr. Piluso served as chairman & founder of International Te...
It is one thing to build single industrial IoT applications, but what will it take to build the Smart Cities and truly society-changing applications of the future? The technology won’t be the problem, it will be the number of parties that need to work together and be aligned in their motivation to succeed. In his session at @ThingsExpo, Jason Mondanaro, Director, Product Management at Metanga, discussed how you can plan to cooperate, partner, and form lasting all-star teams to change the world...
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
SYS-CON Events announced today that MobiDev, a software development company, will exhibit at the 17th International Cloud Expo®, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software development company with representative offices in Atlanta (US), Sheffield (UK) and Würzburg (Germany); and development centers in Ukraine. Since 2009 it has grown from a small group of passionate engineers and business managers to a full-scale mobi...
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of pro...
Discussions about cloud computing are evolving into discussions about enterprise IT in general. As enterprises increasingly migrate toward their own unique clouds, new issues such as the use of containers and microservices emerge to keep things interesting. In this Power Panel at 16th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the state of cloud computing today, and what enterprise IT professionals need to know about how the latest topics and trends affect t...
The essence of cloud computing is that all consumable IT resources are delivered as services. In his session at 15th Cloud Expo, Yung Chou, Technology Evangelist at Microsoft, demonstrated the concepts and implementations of two important cloud computing deliveries: Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). He discussed from business and technical viewpoints what exactly they are, why we care, how they are different and in what ways, and the strategies for IT to tran...
Containers are changing the security landscape for software development and deployment. As with any security solutions, security approaches that work for developers, operations personnel and security professionals is a requirement. In his session at DevOps Summit, Kevin Gilpin, CTO and Co-Founder of Conjur, will discuss various security considerations for container-based infrastructure and related DevOps workflows.
Countless business models have spawned from the IaaS industry. Resell Web hosting, blogs, public cloud, and on and on. With the overwhelming amount of tools available to us, it's sometimes easy to overlook that many of them are just new skins of resources we've had for a long time. In his General Session at 16th Cloud Expo, Phil Jackson, Lead Technology Evangelist at SoftLayer, broke down what we've got to work with and discuss the benefits and pitfalls to discover how we can best use them to d...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
SYS-CON Events announced today that Agema Systems will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Agema Systems is the leading provider of critical white-box rack solutions to data centers through the major integrators and value added distribution channels.
"Our biggest growth area has been the security services, the managed services - the things that differentiate us in the market that there is no client that's too small and there's no client that's too big," explained Paul Mazzucco, Chief Security Officer at TierPoint, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
Converging digital disruptions is creating a major sea change - Cisco calls this the Internet of Everything (IoE). IoE is the network connection of People, Process, Data and Things, fueled by Cloud, Mobile, Social, Analytics and Security, and it represents a $19Trillion value-at-stake over the next 10 years. In her keynote at @ThingsExpo, Manjula Talreja, VP of Cisco Consulting Services, discussed IoE and the enormous opportunities it provides to public and private firms alike. She will share w...
"Alert Logic is a managed security service provider that basically deploys technologies, but we support those technologies with the people and process behind it," stated Stephen Coty, Chief Security Evangelist at Alert Logic, in this SYS-CON.tv interview at 16th Cloud Expo, held June 9-11, 2015, at the Javits Center in New York City.
"We specialize in testing. DevOps is all about continuous delivery and accelerating the delivery pipeline and there is no continuous delivery without testing," noted Marc Hornbeek, Sr. Solutions Architect at Spirent Communications, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.