What’s the best way to secure traffic to the cloud? It’s a question I get asked regularly by CEOs and technical founders of cloud startups. A typical observation: "First it was TCP. Then HTTP became the new TCP. Now APIs are the new HTTP."
To be sure, today’s choices are confusing when it comes to security, cloud, and application programming interfaces (APIs). But, at the risk of making cloud security even more complicated, I’d argue that the most secure way to manage traffic to the cloud is to take an "API-first" approach when building a new app.
If you think about it, this is a pretty straightforward concept. Any interaction between a datacenter component (or any component for that matter) can be thought of as an API -- a web server talking to a database server, a web server's REST APIs talking to an API a client is using, or even a DNS protocol talking to the authoritative DNS server you’re hosting.
From a security angle, pretty much any attack must happen over APIs, whether you’re talking about a database server compromised by a SQL injection attack, or a web server breached through a crafted REST request, or a DNS server DDoS'd by a concerted attack using the DNS protocol. If you don't know what those paths to interaction are, you will either underestimate or overestimate the threat. If you underestimate, you are wide open for an attack, and if you overestimate, you will just add more complexity to your security infrastructure, which can be both risky and costly.
To address this dilemma, I suggest three steps:
Step No. 1: Minimize the number of API end-points. This step will make securing end-points tractable in the long run. You will first need to identify and tabulate each API. Sometimes you can "normalize" end-points, which achieves the same goal of reducing them. For example, if a farm of web servers exposes the same REST API, you know they can all be secured the same way. Or, if a web server is exposed in REST API end-points that support the GET method, it’s easy to use a custom web application firewall to make sure that a POST call never gets through. In fact, whenever I hear a developer say, "That’s easy. We’ll just expose another API," the hair on the back of my neck starts to stand up!
It’s also important to keep in mind the security consequences of the end-points you’re exposing. Work closely with your network architect to make sure they’re indeed protectable. For example, using a syslog port to get data from a customer is a big no-no because, practically speaking, if you expose port 53 to the Internet, it is (practically) impossible to authenticate a sender.
Step No. 2: Isolate components with clearly defined APIs between them. Why is this important? Once APIs are defined, the threat surface is easier to define and protect. You could even go so far as to isolate at the network or OS level. This means separating VMs or containers to make sure all resources are isolated, VLANs to make sure other hosts are not discoverable, and firewall filters to make sure only expected traffic flows between hosts. And now for your "do not try this at home disclaimer:" Attempt the latter two only if you really know what you’re doing, as they can quickly become an operational nightmare.
Step No. 3: Come up with a security strategy at the application level first. Then, for each exposed API end-point, add network security infrastructure as needed. At one extreme, you can choose just to protect the Internet-facing APIs, which allows ease of ongoing operations. At the other, choose to isolate all components and protect all APIs. This allows resiliency of the security infrastructure; if one server is compromised, the attacker cannot immediately get access to all of the other hosts. S/he has to find another vulnerability in one of the exposed APIs before taking over another connected server.
I’m not saying this approach is foolproof, but it certainly would require more than a credit card and Internet connection to get the number of zero-day vulnerabilities needed to break in and carry out the attack unnoticed. While the latter (protecting all APIs) is preferred, it's not very practical in many scenarios as it can create operational headaches as well as impact the scalability of the security infrastructure itself.
The hardest part of all of this will be to come up with scaling strategies for the protection mechanisms themselves. But it’s the lesser of two evils and a much more manageable problem than having to repurpose existing infrastructure.
Now it’s your turn. What would you add to this list for protecting APIs? And what are your favorite strategies for scaling security?