Cloud application programming interfaces (APIs) let software developers write code that interacts with a cloud provider's services. But while they are critical to cloud applications, APIs are also an attack surface: a flaw in how an API authenticates, authorizes or validates requests can expose sensitive business data. Providers and software developers therefore need to prioritize cloud API security.
Sessionless security practices enable better scalability in the cloud
Passing a username and password in the request body or in Simple Object Access Protocol (SOAP) headers is not secure. Instead, developers should use sessionless (stateless) security practices such as HTTP authentication, token-based authentication or Web Services Security (WS-Security), and carry credentials or tokens only over TLS. Stateless security also scales better in the cloud because any server can validate a request on its own, without the servers sharing session state.
Developers should also determine whether an API performs secondary security checks (authorization), such as verifying that the authenticated user actually has permission to view, edit or delete the specific service or data the request names. Authorization is often overlooked once initial authentication succeeds: a valid token proves who the caller is, not what the caller may do.
Cloud providers and developers should test cloud API security against common threats, such as injection attacks and cross-site request forgery (CSRF). For the cloud service providers creating the APIs, testing is especially critical. Users should not rely on the provider's testing alone, however; they should independently verify cloud API security, because that verification is what auditing and compliance reviews will ask for.
If keys (encryption keys or API signing keys) are part of the access and authentication method for API calls, store them in a secrets manager or similar protected store and never hardcode them in source files, scripts or configuration that is checked into version control.
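The three points above (stateless token authentication, a separate authorization check per resource, and a signing key that is loaded rather than hardcoded) fit together in one small request handler. The following is an added example, not code from the original article: the HMAC-signed token format, the `RESOURCES` ownership table, the role names and the `API_SIGNING_KEY` environment variable are all assumptions made for illustration. Any server holding the key can verify a token without consulting a shared session store, and a valid token still has to pass the per-resource `authorize` check before anything is returned.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def load_signing_key(env_var="API_SIGNING_KEY"):
    """Read the HMAC key from the environment, which deployment tooling or a
    secrets manager populates (assumed variable name). Refuse to start without
    it rather than fall back to a key baked into the source tree."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a signing key")
    return key.encode()


def ephemeral_key():
    """Random key for local runs and tests only; it is never written anywhere."""
    return os.urandom(32)


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, subject, roles, ttl=300, now=None):
    """Mint a self-contained token: JSON claims plus an HMAC-SHA256 tag over
    them. Nothing is stored server side, so any node holding the key can
    verify it without a shared session store."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "exp": now + ttl}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(tag)


def verify_token(key, token, now=None):
    """Return the claims if the tag matches and the token is unexpired; return
    None for anything malformed, forged or stale. The tag is checked with a
    constant-time compare before the claims are parsed."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        claims = json.loads(_b64d(body))
        if not isinstance(claims, dict) or int(claims["exp"]) <= now:
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims


# Constructed inventory standing in for a real resource-ownership store.
RESOURCES = {
    "vm-1001": {"owner": "alice"},
    "vm-1002": {"owner": "bob"},
}


def authorize(claims, action, resource_id):
    """Secondary check: the token says who the caller is; this decides whether
    that caller may perform `action` on this particular resource. An unknown
    resource is denied rather than treated as free for the taking."""
    resource = RESOURCES.get(resource_id)
    if resource is None:
        return False
    if "admin" in claims.get("roles", []):
        return True
    return action in ("view", "edit", "delete") and resource["owner"] == claims.get("sub")


def handle_request(key, token, action, resource_id, now=None):
    """Entry point for an API call: 401 when authentication fails, 403 when the
    caller is authenticated but not permitted, 200 when both checks pass."""
    claims = verify_token(key, token, now=now)
    if claims is None:
        return 401, "unauthenticated"
    if not authorize(claims, action, resource_id):
        return 403, "forbidden"
    return 200, f"{claims.get('sub')} may {action} {resource_id}"


if __name__ == "__main__":
    k = ephemeral_key()  # production code would call load_signing_key()
    alice = issue_token(k, "alice", ["user"])
    print(handle_request(k, alice, "delete", "vm-1001"))  # alice owns it
    print(handle_request(k, alice, "delete", "vm-1002"))  # bob's instance
```

Note that the 403 path is reached only after the token has verified: a caller with a perfectly valid token for their own account is still refused on someone else's instance, which is exactly the check that is skipped when only authentication is implemented.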
Perform API change reporting
While security is a key part of cloud API construction and use, it's also important to consider change logging and reporting features. These features help track user access to cloud resources, as well as data and configuration changes.
A software developer invokes one or more cloud API calls to change cloud-hosted data, launch new compute instances or alter the resources provisioned to a cloud instance. Each of these activities should produce a log entry recording who made the call, when, and what changed, in a trail that developers can conveniently access. Comprehensive logging can be critical for auditing, legal discovery and other compliance issues.
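One way to produce that trail, as an added example rather than code from the article or any provider's API: every mutating call on a toy compute service writes an entry naming the principal, the action, the resource and the before/after configuration. The example goes a step beyond the text by chaining each entry's hash to the previous one, so that an entry edited or deleted after the fact is detectable when the log is pulled for an audit. The `InstanceService` class, its inventory dict and the entry field names are assumptions made for illustration.

```python
import copy
import hashlib
import json
import time


def _digest(entry):
    """Hash of an entry's content (everything except its own hash field)."""
    material = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only record of API-level changes. Each entry says who did what
    to which resource and what the resource looked like before and after, and
    its hash covers the previous entry's hash, so a later edit or deletion
    anywhere in the trail shows up when the chain is verified."""

    def __init__(self):
        self.entries = []

    def record(self, principal, action, resource, before=None, after=None, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {
            "ts": time.time() if ts is None else ts,
            "principal": principal,
            "action": action,
            "resource": resource,
            "before": copy.deepcopy(before),  # snapshots, not live references
            "after": copy.deepcopy(after),
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def by_principal(self, principal):
        return [e for e in self.entries if e["principal"] == principal]

    def by_resource(self, resource):
        return [e for e in self.entries if e["resource"] == resource]

    def verify_chain(self):
        """Return (True, None) if every entry hashes correctly and links to its
        predecessor, else (False, index) for the first entry that does not."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _digest(e):
                return False, i
            prev = e["hash"]
        return True, None


class InstanceService:
    """Toy compute API (constructed for this example) whose every mutating
    call writes an audit entry before returning. The inventory dict stands in
    for the provider's real state."""

    def __init__(self, log):
        self.log = log
        self.instances = {}

    def launch(self, principal, instance_id, size, ts=None):
        self.instances[instance_id] = {"size": size, "state": "running"}
        self.log.record(principal, "launch", instance_id, None, self.instances[instance_id], ts)
        return self.instances[instance_id]

    def resize(self, principal, instance_id, size, ts=None):
        before = copy.deepcopy(self.instances[instance_id])
        self.instances[instance_id]["size"] = size
        self.log.record(principal, "resize", instance_id, before, self.instances[instance_id], ts)
        return self.instances[instance_id]

    def terminate(self, principal, instance_id, ts=None):
        before = self.instances.pop(instance_id)
        self.log.record(principal, "terminate", instance_id, before, None, ts)
        return before


if __name__ == "__main__":
    log = AuditLog()
    svc = InstanceService(log)
    svc.launch("alice", "vm-1", "small")
    svc.resize("alice", "vm-1", "large")
    svc.terminate("bob", "vm-1")
    for e in log.by_resource("vm-1"):
        print(e["principal"], e["action"], e["before"], "->", e["after"])
    print("chain intact:", log.verify_chain())
```

In a real deployment the entries would be shipped to append-only storage outside the service's own account so that the operator being audited cannot rewrite them; the hash chain is what lets the auditor confirm that whatever was shipped is what is being read back.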
About the author:
Stephen J. Bigelow is the senior technology editor of the Data Center and Virtualization Media Group. He can be reached at [email protected].