Cloud application programming interfaces allow software developers to create code that interfaces with a cloud provider's services. But while critical to cloud applications, APIs also have an attack surface that can potentially compromise sensitive business data. This means providers and software developers need to prioritize cloud API security.
Sessionless security practices enable better scalability in the cloud
First, tactics like including a username and password in the body of data or in Simple Object Access Protocol (SOAP) headers are not secure. Instead, developers should use sessionless security practices such as HTTP authentication, token-based authentication or Web Services Security. Sessionless security also enables better scalability for the cloud service because any server can handle a user's request without session state being shared between servers.
Developers should determine whether an API performs secondary security checks, such as verifying that the user has the appropriate permission to view, edit or delete services and data. Once initial authentication is cleared, developers often overlook these secondary checks.
Cloud providers and developers should test cloud API security against common threats, such as injection attacks and cross-site request forgery. For the cloud service providers creating the APIs, testing is especially critical. However, users should also independently verify cloud API security, as it's critical for auditing and compliance.
If encryption keys are part of the access and authentication methodology for API calls, store the keys securely and never code them into a file or script.
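The three points above, sessionless tokens, a per-request permission check, and keys kept out of the source file, as an added example in Python that is not the article's own code. The environment variable name API_TOKEN_KEY, the role-to-action table and the fallback demo key are assumptions.

```python
import base64, hashlib, hmac, json, os, time

# The signing key is read from the environment, never written into the script.
# The fallback is a constructed demo value so the example runs offline.
SIGNING_KEY = os.environ.get("API_TOKEN_KEY", "constructed-demo-key").encode()

def issue_token(user, roles, ttl=300, now=None):
    """Mint a stateless HMAC-signed token; any server holding the key can verify it."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": user, "roles": roles, "exp": now + ttl},
                        separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, claims, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(claims).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None. No session store needed."""
    now = time.time() if now is None else now
    try:
        claims_b64, sig_b64 = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    parsed = json.loads(claims)
    return None if parsed["exp"] < now else parsed

# Secondary check (assumed policy): which roles may perform which action.
PERMISSIONS = {"view": {"viewer", "editor", "admin"},
               "edit": {"editor", "admin"},
               "delete": {"admin"}}

def handle_request(token, action, resource):
    """Authenticate (signature, expiry) and then authorize (role vs action) on every call."""
    claims = verify_token(token)
    if claims is None:
        return 401, "unauthenticated"
    if not PERMISSIONS.get(action, set()) & set(claims["roles"]):
        return 403, f"{claims['sub']} may not {action} {resource}"
    return 200, f"{action} {resource} as {claims['sub']}"
```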
Perform API change reporting
While security is a key part of cloud API construction and use, it's also important to consider change logging and reporting features. These features help track user access to cloud resources, as well as data and configuration changes.
A software developer invokes one or more cloud API calls to change cloud-hosted data, launch new compute instances and alter the resources provisioned to a cloud instance. Each of these activities should produce a log trail that developers can conveniently access. Comprehensive logging can be critical for auditing, legal discovery and other compliance issues.
About the author:
Stephen J. Bigelow is the senior technology editor of the Data Center and Virtualization Media Group. He can be reached at email@example.com.