5 Approaches to API Security
The goal when implementing API security is to safely ensure the right people and systems have access to the right things to accomplish their task in the shortest time necessary. In this blog we’ll take a quick look at the pros and cons of the 5 approaches to API security described in greater detail within our white paper, API Security from Concepts to Components.
No security — While this isn’t a serious approach to security, it is common. A common misconception is that APIs hidden within an application (in particular in mobile apps) are safe because no one knows about them. When in reality, it takes a developer minutes to discover the API and the data it uses. Any API that is online is at risk.
API keys — Most API access starts with API keys because the required logic is implemented by most frameworks out of the box making them easy and fast to set up. However, API keys are generally used for authentication and offer little to no options for varying permissions according to use case. Further, APIs using API keys rarely have the concept of “rotation” built in so a key issued today is often valid for months or years. There isn’t a simple way to update applications if a key is compromised.
OAuth 2.0 — As opposed to an API key, an OAuth 2.0 token inherently includes ‘scoping’ to enable API designers to create and grant fine grained permissions. An OAuth token is also designed to expire and therefore comes with a refresh process built into the specification. These two aspects alone create a powerful combination where if a key is compromised, it can be revoked and replaced but it may not have dangerous permissions anyway.
API Gateways — API gateways serve as an API ‘firewall’ to protect APIs from malicious data, improper requests, and denial of service attacks. In general, API gateways include simple API key creation and management. A select few go further and offer embedded OAuth servers using simple user profiles. While API gateways are a valuable tool to secure and protect your API’s infrastructure, by using the built-in user management, you get yet another place to store, maintain, and authenticate users with its own set of authorization policies disconnected from your other management systems.
API Gateways + API Access Management — API Access Management allows sign on and authorization policies that limit particular OAuth scopes to specific devices, a specific network, and even group membership. Further, specific scopes can require user consent to ensure the user explicitly authorized access for the application. Most importantly, a security team can manage those policies outside the API gateway while centrally logging access requests, grants, and policy changes.
No API security isn’t a viable option. API keys are a starting point but not enough. An API Gateway and OAuth 2.0 are key ingredients but solve different parts of the problem. By combining these ingredients, we get the benefits of both while gaining a centralized point of control, management, auditing, and monitoring while leveraging existing standards and common tools.
Download the full white paper, API Security from Concepts to Components, to get a more comprehensive overview of the API security landscape from Okta expert Keith Casey.