In an enterprise you will typically find many front-end applications interacting with many back-end applications to expose a business service to the end user. Middleware components such as IBM DataPower, a message broker and an Enterprise Service Bus (ESB) are a must for implementing a robust Service Oriented Architecture, as they support protocol transformation, security mediation, orchestration and much more.
The number of Application Programming Interfaces (APIs) can easily exceed 1000, and the data flowing through these interfaces can be a mix of the classifications below:
- Highly Confidential
Note: The data classification ratings of an organization may differ based on its internal policies.
Internal users of the enterprise, especially the technically skilled ones, are certainly among the entities that could pose a serious threat through unauthorized access to data via these APIs. For example, a user could download a tool such as SoapUI and try to gain unauthorised access to the data by probing the API for vulnerabilities. This is a well-known risk, but its impact varies with the data the user is able to reach and the Confidentiality, Integrity and Availability (CIA) ratings of that data.
Below are the security controls that should be part of the solution, depending on the CIA ratings of an application's data.
Let us pick a very common solution that addresses this risk and also supports the security controls above, which are very much required.
An X.509 certificate based solution supports the controls below, though some configuration changes are needed on components such as the application server, web server, DataPower and so on:
- Authentication: certificate-based mutual authentication is readily achievable. Both the consumer and the provider need a certificate to participate in the mutual authentication process.
- Authorization: this is the key element; the consumer's request for an API operation (create/update/read/delete) should be checked against coarse-grained authorization policies.
- Encryption: confidentiality of the data can be addressed using a suitable cipher (cryptographic algorithm).
- Integrity: hashing can be used to address integrity.
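The authentication and authorization controls above, as a runnable Go example added to this article (it is not code from the original article or from any of the products it names). The program builds an in-memory demo PKI, stands up an API provider that requires and verifies a client certificate issued by that CA (mutual authentication), and then applies a coarse-grained policy that maps the consumer named in the certificate's CN to the HTTP methods it may call. The consumer names, the internal CA, the `/orders` path and the policy table are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Coarse-grained policy: the HTTP methods each consumer (CN of its client certificate; names constructed here) may call.
var policy = map[string]map[string]bool{
	"billing-ui": {"GET": true},
	"crm-batch":  {"GET": true, "POST": true},
}

// must unwraps a (value, error) pair and panics on error: fine for a demo, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert generates a key and certificate for cn: a self-signed CA when parent is nil, otherwise
// a leaf signed by parent. Everything is generated in memory; an enterprise would use its internal PKI.
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // the demo server listens on loopback
	}
	if parent == nil { // self-signed root of the demo PKI
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	} else { // a multi-purpose leaf, usable on either side of the mutual TLS handshake
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// apiHandler is the provider: TLS has already verified the client chain against the internal CA, so it only applies the policy.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	consumer := r.TLS.PeerCertificates[0].Subject.CommonName // always present under RequireAndVerifyClientCert
	if !policy[consumer][r.Method] { // an unknown consumer or method both read as false
		http.Error(w, consumer+" is not authorized for "+r.Method, http.StatusForbidden)
		return
	}
	w.Write([]byte("ok: " + consumer + " may " + r.Method))
}

// runScenarios stands up a mutual-TLS API and returns the HTTP status each consumer receives;
// -1 means the provider rejected the TLS handshake itself.
func runScenarios() map[string]int {
	caCert, caKey := issueCert("example-internal-ca", nil, nil)
	srvCert, srvKey := issueCert("api-provider", caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(apiHandler))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication
		ClientCAs:    pool,                           // trust only certificates issued by the internal CA
	}
	srv.StartTLS()
	defer srv.Close()
	call := func(consumer, method string) int { // consumer == "" presents no client certificate at all
		cfg := &tls.Config{RootCAs: pool}
		if consumer != "" {
			c, k := issueCert(consumer, caCert, caKey)
			cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{c.Raw}, PrivateKey: k}}
		}
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
		resp, err := client.Do(must(http.NewRequest(method, srv.URL+"/orders", nil)))
		if err != nil {
			return -1
		}
		resp.Body.Close()
		return resp.StatusCode
	}
	return map[string]int{
		"billing-ui POST": call("billing-ui", "POST"), // authenticated, but not authorized for POST
		"crm-batch POST":  call("crm-batch", "POST"),  // authenticated and authorized
		"unknown-app GET": call("unknown-app", "GET"), // valid certificate, no policy entry
		"no-cert GET":     call("", "GET"),            // handshake rejected by the provider
	}
}
```

Calling `runScenarios` shows the two checks working independently: a consumer with a valid certificate but no policy entry is authenticated yet still refused (403), while a consumer with no certificate never reaches the handler because the TLS handshake itself is rejected. On this channel the encryption and integrity controls listed above come from the negotiated TLS cipher suite; a plain hash over a payload detects accidental corruption but not deliberate modification unless it is keyed (an HMAC) or signed.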
The key element in implementing an effective solution is applying the required controls based on a thorough API risk assessment.
Below are a few important considerations that play a role in the implementation:
- Do you require application-specific or system-specific certificates?
- Do you require a single-purpose or a multi-purpose certificate?
- Do you want to perform a CRL check on the certificates? Does the enterprise have the infrastructure required to support it?
- Does the enterprise have a resilient internal PKI infrastructure?
- Does the enterprise have a robust certificate life cycle management process?
- What level of authorization is required?
- What cryptographic algorithms must be used for encryption and hashing?
- What should the key length be? How should the keys be stored securely?