Moving to the Cloud? How to Secure APIs on AWS, Azure, and GCP

Posted in Security by Ilai Bavati, May 28, 2020

Cloud migration enables organizations to move their workloads and network components to private or public cloud infrastructure. The connection between on-premises workloads and cloud infrastructure is usually established through APIs, and while the migration is under way the data is in transit and highly vulnerable to attacks. In this article, you will learn what cloud migration is, the top threats affecting data during the migration process, and the critical best practices for securing AWS, Azure, and GCP APIs.

What Is Cloud Migration?

Cloud migration is the process of moving applications, data, and workloads to the cloud. It lets you outsource the maintenance and management of your infrastructure and can save costs while expanding your resources. When migrating, you can move resources to a public cloud, a private cloud, or a hybrid of cloud resources and your on-premises resources.

Depending on the infrastructure you choose, there are a variety of strategies and tools you can use to complete your cloud migration. The strategies and tools you use can have a significant impact on your risks and on the success of the migration.

Top Threats Affecting Cloud Migration Projects

When migrating your applications to the cloud, you face several threats in addition to standard issues such as downtime. These threats typically arise when you misconfigure cloud resources or fail to apply appropriate security measures.

Insufficient Data Security

There are many data security issues you can face in the cloud, including corruption of data during transfer, misconfigured access controls, theft following an attack, and even a lack of proper deletion. As data moves to the cloud, and once it is there, you typically have less control over it than you would if it stayed on-premises.
If you do not implement proper access restrictions, encrypt your data at rest and in transit, and monitor data access, you are going to run into problems.

Compromised Credentials

Compromised credentials are a significant threat to any system but may occur more frequently with cloud deployments. When you use cloud resources, users must log in through web portals. If users aren't careful, attackers can misdirect them to fake portals that capture their credentials. Once an attacker has credentials, they can access any data or applications the original user can. And because they appear to be a "legitimate" user, this activity can be hard for security teams to detect, effectively granting the attacker open access.

Exploitation of APIs

Application programming interfaces (APIs) are sets of definitions and protocols used to communicate between services and resources. When you set up a cloud environment, you use APIs to request and transfer data and commands. If your APIs are not properly secured, attackers can use these same interfaces to interact with your data and resources. Exploiting API vulnerabilities can let attackers take control of resources, modify or steal data, or eavesdrop on communications. Essentially, an attacker who exploits your APIs effectively can also realize the other two top threats described above. This is why it's essential to put a particular focus on API security. Below, you can learn about some of the tools from the top three cloud providers that can help with this task.

AWS API Security

In AWS, there are two main ways to control and secure APIs: API Gateway and Identity and Access Management (IAM).

AWS API Gateway

AWS API Gateway is a service that enables you to create, maintain, monitor, secure, and publish APIs for your services and applications.
In combination with AWS Lambda, it enables you to create and manage a serverless infrastructure that is secured through several mechanisms.

API keys: Token strings that you can provide to allow users or developers to connect to your API. These keys identify callers and are used to prevent abuse of access. API Gateway can generate keys for you, or you can import your own. To manage these keys, you can use Lambda authorizers or tie keys to usage plans.

Lambda custom authorizers: Functions that you create to authorize keys and the access those keys grant to your APIs. These functions use a form of bearer token authentication, such as OAuth or Security Assertion Markup Language (SAML). Alternatively, you can use methods that take their input from HTTP headers, query string parameters, or URL paths.

AWS IAM

An alternative to API keys is to allow access to APIs through IAM permissions. This method is useful when you want to allow internal access for employees and contractors. To set it up, create an IAM policy that permits API callers to use the method you want to allow, and configure the method in your API to accept an authorizationType of AWS_IAM. Then assign the policy to the appropriate user or user group as needed.

Azure API Security

When creating APIs in Azure, you are likely to use the Azure API Management (APIM) service. With this service, there are a few different methods you can use to secure your API.

Authorization keys: When creating services, you can configure each service to be protected and to require a subscription. This ensures that an authorization key must be received and validated with every incoming request. These keys can then be distributed to developers who wish to work with your API and managed through the Developer Portal, where you can also regenerate keys periodically.
OAuth and JSON Web Tokens (JWTs): For backend APIs, you can increase security through an Authorization Server (AS). An AS requires that request headers contain a valid JWT or OAuth token. These tokens are issued to web clients by the AS after a client ID and secret are passed in a token request over HTTPS.

Client certificate authentication: If you are using Azure-based Web Apps or API Apps, you have the option of client certificate authentication. This method uses TLS and a certificate that must be installed on both your app and the APIM service. To authenticate requests, a TLS handshake takes place in which both certificates are verified.

Google Cloud API Security

In Google Cloud, you can develop and manage APIs using Apigee Edge. This service lets you abstract your backend APIs behind a proxy layer for better security, control, and analytics. Within it, you can use the following methods to increase API security.

OAuth 2.0: Apigee Edge comes integrated with OAuth 2.0, which you can use both to generate and to validate authentication tokens. The benefit of OAuth is that it lets you authenticate users without handing their login credentials to external services, so third-party services can connect to your API without exposing user credentials to outsiders.

SAML policies: Apigee Edge can authorize and authenticate applications via SAML tokens. These tokens are digitally signed, XML-formatted assertions that you can use to verify users.

API keys: In Apigee Edge, API keys are known as consumer keys. They work like any other API key and enable you to authenticate and authorize users accordingly. When using consumer keys, you need to define policies that determine which keys are granted access and to which methods.

Conclusion

When migrating to the cloud, data becomes vulnerable to attacks.
The most common threats affecting this process are insufficient data security, compromised credentials, and API exploits. To prevent these threats from turning into breaches, you need to secure cloud APIs properly.

Each cloud vendor offers different API security controls. AWS provides two services, API Gateway and AWS IAM, which you can use to establish safe API connections and manage access to data and systems. Azure offers authorization keys, OAuth and JWTs, and client certificate authentication. GCP provides OAuth 2.0, SAML policies, and API keys. Each of these capabilities requires configuration, so be sure to check the official documentation. Remember that many vulnerabilities are a direct result of misconfiguration, which can quickly escalate into a breach. If you are new to this process or need to brush up on some skills, consult with experts and leverage managed services.
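A worked example, added here and not code from the article, AWS or Azure, of the bearer-token check that both the AWS Lambda authorizer and the Azure Authorization Server sections rely on: a Lambda REQUEST authorizer that validates an HS256 JWT and returns the execute-api:Invoke policy document API Gateway expects. The secret, issuer, claims and event are constructed for illustration, and make_jwt stands in for the authorization server.

```python
# Added example (not the article's, AWS's or Azure's code): a Lambda REQUEST
# authorizer that verifies an HS256 bearer JWT and returns the IAM policy API Gateway expects.
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"        # assumption: key shared with the token issuer
ISSUER = "https://auth.example.test"  # assumption: expected "iss" claim

def _b64url(data):                    # base64url without padding, as JWTs use
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims):
    """What the authorization server does: sign header.payload with HS256."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token, now=None):
    """Return the claims only if alg, signature, issuer and expiry all check out."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":  # refuse "none" etc.
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64url(body))
        if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
            return None
    except (ValueError, AttributeError, TypeError):
        return None                                            # malformed token
    return claims

def policy(principal, effect, method_arn):
    """Authorizer response: an IAM policy on execute-api:Invoke for this method."""
    return {"principalId": principal,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]}}

def lambda_handler(event, context=None):
    """REQUEST authorizer: the bearer token arrives in the Authorization header."""
    scheme, _, token = event.get("headers", {}).get("Authorization", "").partition(" ")
    claims = verify_jwt(token) if scheme.lower() == "bearer" else None
    if claims is None:
        return policy("anonymous", "Deny", event["methodArn"])
    return policy(claims.get("sub", "unknown"), "Allow", event["methodArn"])
```

A Deny policy makes API Gateway answer the caller with 403; the explicit alg check and the constant-time signature comparison are the two steps most often missing from hand-rolled token validators.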