Welcome!

@CloudExpo Authors: Elizabeth White, Liz McMillan, Pat Romanski, Yeshim Deniz, William Schmarzo

Related Topics: @CloudExpo, Industrial IoT, Microservices Expo

@CloudExpo: Blog Feed Post

Protecting API Keys By @Axway | @CloudExpo [#API]

What can be done to help the API Key security situation?

Back in 2011, while CTO at Vordel (API security/management vendor which was acquired by Axway in 2012), I wrote a piece for the Cloud Security Alliance blog entitled "Protect the API Keys to your Cloud Kingdom". In it, I talked about the importance of protecting API Keys. I wrote that:

API Keys must be protected just like passwords and private keys are protected. This means that they should not be stored as files on the file system, or baked into non-obfuscated applications that can be analyzed relatively easily.
https://blog.cloudsecurityalliance.org/2011/04/18/protect-the-api-keys-to-your-cloud-kingdom/

Fast forward to 2015, and API Key security is more important than ever. This week, Janet Wagner wrote in ProgrammableWeb about how API Keys can leak from sources such as insecure build pipelines. API Keys are now starting to be recognized as just as important as passwords or private keys. However, much of the damage has been done, due to the proliferation of apps which make insecure usage of API Keys, and the insecure storage of API Keys on the server side.

What can be done to help the API Key security situation? Here are some remedies:

Put an API Management strategy in place
Of course, I work for an API security/management vendor (Axway), so you might think "he would say that". But, having an API Management strategy in place means that API Keys are protected at Runtime by an API Gateway, and issued at Design Time by an API Portal. What all of the recent API Key vulnerability victims have in common is a lack of an API Gateway in place, or an API Management strategy. An API Management strategy allows administrators to manage how API Keys are issued, typing them to the lifecycle of the API. In the screenshot below, we can see how an API Key can be issued for an app (in this case, the sample API Days voting app used at our API Security workshops at the API Days conference):

Remember to secure outbound API Keys

In her ProgrammableWeb piece, Janet Wagner makes the great point that "Amazon Web Services is a Primary Target for Hackers", and therefore "Secure your AWS Credentials". Losing track of API Keys for services such as Amazon can be costly, since attackers can use them to run up a huge bill for services. It's often not realized that an API Gateway can be used in an outbound direction to manage client credentials for services such as Amazon. In the screenshot below, we see Amazon AWS credentials being managed at the Axway API Gateway. This means that the API Keys are not sitting on a hard drive, or baked into an application, but instead are managed under the umbrella of an API security gateway:



Don't simply send an API Key in the querystring

It is amazing how many APIs are designed such that the API Key is sent in the querystring, effectively being a "username without a password". If an attacker gets a hold of a valid request, it is trivial to replay the request. This is why API providers such as Amazon provide two keys. One is used for identification, and the other is used for signing. Here at Axway, we provide API providers with an array of API Security options, as shown below:


Manage API Key security across multiple developers and APIs

It should not be a case of "One API, one API Key". A sophisticated API Key strategy involves much more than this, and is tied in with the usage of an API Catalog (the modern-day version of the SOA registry/repository) and the API lifecycle. Consider the list of API management capabilities provided by Axway, and how API Keys and OAuth are central:

    • Centralized API publication with an API Catalog
      • Attract and encourage developers to subscribe to APIs
      • Present API samples, parameter information and automated documentation
    • Secure, self-service functions for API developers, so they can:
      • View details of APIs they’re entitled to
      • Test an API directly from the Portal
      • Browse the API Catalog
      • Learn API usage through interactive Swagger documentation
      • Review API security policies and generate API access keys (e.g. OAuth)
      • View API quota details
    • Management of multiple developer communities, enabling an organization to:
      • Define varied developer groups and grant different levels of API access to each community
      • On-board large groups of developers easily and quickly
      • Manage API clients by defining who, what and how much developers may consume
      • Set security profiles for APIs (OAuth, API key, and more)
    • Visibility, measurement, audit control, and analytics
      • Track how data flows and review each step in real-time
      • Audit and debug API traffic as needed

(source: http://www.axway.com/products-solutions/api-management/api-portal)


Keep track of how your APIs are used

I've written before about the value of API Monitoring and Analytics. This is vitally important when you need to drill into API requests and see API key usage. Without an API Gateway in place as part of an API Management strategy, this is very difficult indeed. An API Gateway gathers the information, and then the rest of the API Management platform allows administrators to query API usage based on API Keys. In some recent cases of API Key vulnerabilities, the flaw went undiscovered for months. With API monitoring and analytics in place, that is not possible.

I'm sure this is not the last we will hear of API Key vulnerabilities in 2015. For more information on solutions, including the use of API Gateways for security, see Axway API Management.

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

@CloudExpo Stories
Interested in leveling up on your Cloud Foundry skills? Join IBM for Cloud Foundry Days on June 7 at Cloud Expo New York at the Javits Center in New York City. Cloud Foundry Days is a free half day educational conference and networking event. Come find out why Cloud Foundry is the industry's fastest-growing and most adopted cloud application platform.
For financial firms, the cloud is going to increasingly become a crucial part of dealing with customers over the next five years and beyond, particularly with the growing use and acceptance of virtual currencies. There are new data storage paradigms on the horizon that will deliver secure solutions for storing and moving sensitive financial data around the world without touching terrestrial networks. In his session at 20th Cloud Expo, Cliff Beek, President of Cloud Constellation Corporation, w...
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single threaded, you can effectively identify hot spots in your serverless code. In his session at 20th Cloud Expo, David Martin, Principal Product Owner at CA Technologies, will give a live demonstration and code walkthrough, showing how to ov...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
SYS-CON Events announced today that Outscale, a global pure play Infrastructure as a Service provider and strategic partner of Dassault Systèmes, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2010, Outscale simplifies infrastructure complexities and boosts the business agility of its customers. Outscale delivers a secure, reliable and industrial strength solution for its customers, which in...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that EARP will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "We are a software house, so we perfectly understand challenges that other software houses face in their projects. We can augment a team, that will work with the same standards and processes as our partners' internal teams. Our teams will deliver the same quality within the required time and budget just as our partn...
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
SYS-CON Events announced today that Tappest will exhibit MooseFS at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. MooseFS is a breakthrough concept in the storage industry. It allows you to secure stored data with either duplication or erasure coding using any server. The newest – 4.0 version of the software enables users to maintain the redundancy level with even 50% less hard drive space required. The software func...
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
SYS-CON Events announced today that Outscale will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outscale's technology makes an automated and adaptable Cloud available to businesses, supporting them in the most complex IT projects while controlling their operational aspects. You boost your IT infrastructure's reactivity, with request responses that only take a few seconds.
Regardless of what business you’re in, it’s increasingly a software-driven business. Consumers’ rising expectations for connected digital and physical experiences are driving what some are calling the "Customer Experience Challenge.” In his session at @DevOpsSummit at 20th Cloud Expo, Marco Morales, Director of Global Solutions at CollabNet, will discuss how organizations are increasingly adopting a discipline of Value Stream Mapping to ensure that the software they are producing is poised to o...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...