Remember when you didn't need to know code to be a security expert? As Bob Dylan's anthem of change proclaims, "Then you better start swimmin' or you'll sink like a stone/for the times they are a-changin'."
The types of controls security managers used to have, like network security appliances and heavy-handed agents running on endpoints and servers, are dying out as enterprises move workloads into highly virtualized multi-tenant environments. To make things even more complex, IT departments are moving data into software as a service (SaaS) and platform as a service (PaaS) environments as fast as they can and finding that these types of providers may not offer many (if any) native security controls.
A new model for implementing controls is starting to emerge, one that is entirely driven by application programming interfaces that support some form of cloud API security.
Large cloud providers offer native APIs to development and operations teams alike; many of these APIs can record data and provide greater security functionality. Amazon Web Services has published a detailed set of APIs for CloudTrail that enables security and DevOps teams to query events, list users associated with events, start and stop logging and perform additional functions. For security teams looking to build a SecDevOps workflow, integrating these controls into existing orchestration and automation design will require understanding the APIs and how they're being used.
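The following added example, which is not from the article or from AWS, applies the CloudTrail functions named above to constructed event records: it lists the principals associated with each event and flags StopLogging, DeleteTrail or UpdateTrail calls made outside an approved set, along with trails left stopped. The account ID, user names, trail names and the approved-admin set are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample records in CloudTrail's event-record layout (not real data).
SAMPLE = json.loads("""[
 {"eventTime":"2016-05-01T09:40:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "requestParameters":{"name":"dev-trail"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/secops-admin"}},
 {"eventTime":"2016-05-01T09:00:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"LookupEvents",
  "requestParameters":null,"userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"}},
 {"eventTime":"2016-05-01T09:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "requestParameters":{"name":"org-trail"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}},
 {"eventTime":"2016-05-01T09:20:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StartLogging",
  "requestParameters":{"name":"org-trail"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/secops-admin"}},
 {"eventTime":"2016-05-01T09:45:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "requestParameters":{"bucketName":"example-bucket"},"userIdentity":{"arn":"arn:aws:iam::111122223333:user/bob"}}
]""")

# Assumption: the only principal allowed to change trail logging.
APPROVED = {"arn:aws:iam::111122223333:user/secops-admin"}
# CloudTrail API calls that stop or alter audit logging.
LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def principal(event):
    """Caller ARN, falling back to the identity type (e.g. Root, AWSService)."""
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")

def users_by_event(events):
    """Map each eventName to the sorted principals that called it."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.get("eventName", "unknown")].add(principal(ev))
    return {name: sorted(who) for name, who in seen.items()}

def audit_logging_changes(events, approved):
    """Return (alerts for unapproved logging changes, trails still stopped)."""
    alerts, stopped = [], {}
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        name, who = ev.get("eventName"), principal(ev)
        trail = (ev.get("requestParameters") or {}).get("name", "unknown")
        if name in LOGGING_CHANGES and who not in approved:
            alerts.append((ev["eventTime"], name, trail, who))
        if name == "StopLogging":
            stopped[trail] = ev["eventTime"]
        elif name == "StartLogging":
            stopped.pop(trail, None)  # logging resumed for this trail
    return alerts, stopped
```

An approved StopLogging still appears in the second result until a matching StartLogging is seen, so a trail that was paused for maintenance and never resumed is not missed.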
Protection across multiple clouds
System administrators can take advantage of platform-specific cloud APIs and reusable code with help from tools such as Chef and Puppet. These cloud infrastructure automation tools support configuration management and provisioning across dynamic environments. They also enable development and code promotion into platforms like AWS CodeCommit. Security-oriented APIs are available to DevOps teams for security monitoring and management of identity data (via identity as a service), data loss protection (DLP) and encryption, and network monitoring and traffic control.
The use of cloud API security to govern and control functionality has led the Cloud Security Alliance (CSA) to start up a Cloud Security Open API Working Group in an attempt to universalize cloud use and define "protocols and best practices for implementing cloud data security" as a part of a framework for cloud access security brokers (CASBs). The Open API Working Group, which has backing and involvement from organizations like CipherCloud, Deloitte, Infosys, Intel Security and SAP, is focused on developing vendor-neutral guidelines to facilitate the growth of CASBs. The working group's charter is to help enterprises evaluate and integrate with cloud API security via CASBs and other cloud security services, using open standards and definitions that everyone can assess and understand.
Security-as-a-service offerings also make heavy use of APIs. In some cases, this is the only way to integrate with SaaS providers, like Salesforce and Microsoft Office 365, to perform functions related to data protection. Netskope, Skyhigh Networks, Elastica, and other CASBs can monitor data that's sent to cloud provider environments and also provide DLP and policy enforcement actions for usage of cloud services. Without deep API integration, none of this could occur.
Of course, there are also cloud API security risks associated with these environments. In the CSA's Top Threats to Cloud Computing report -- the latest iteration is "The 'Treacherous Twelve' Cloud Computing Threats in 2016" -- one of the biggest risks cited is insecure APIs. Given that APIs are proliferating for provisioning, automation and orchestration, monitoring, and security functions, there is a need to thoroughly assess these interfaces to ensure data and systems are not exposed or put at risk of compromise. Security professionals should scrutinize APIs for cloud providers as part of the procurement risk assessment process and push for contract language allowing penetration tests and vulnerability assessments. Emphasis should be placed on any API that handles sensitive data, and security teams should develop controls to ensure transport security, strong role-based access and authentication, message integrity and validation, and secure development practices whenever possible.
As DevOps tasks become more automated and integrated within cloud environments, teams need to understand that cloud API security will grow too, and leverage it.
Many security professionals don't have development backgrounds. If you fall into this group, you may not be wholly comfortable with API analysis and security assessment. In order to help secure current and future cloud deployments, you'll need to get up to speed fast by engaging with DevOps teams, and also by learning more about how APIs will be used in both cloud provider and brokering services. With traditional security controls changing or disappearing, there's no better time than now to get a handle on APIs and their role in tomorrow's cloud security architecture.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC, lead faculty at IANS, and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft, as CTO at the Center for Internet Security, and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.