Hello.
Welcome back to Movie Line Monday.
This is Krishna.
And the movie line today is from The Italian Job.
"I trust everyone.
It's the devil inside them I don't trust."
The topic I'm going to talk about today is APIs,
and the importance of APIs and the security aspects of APIs.
So what is an API?
If you look up the acronym there are many different ways
in which APIs are defined.
It could be advanced performance index.
It could be advanced passenger information.
But the one we are going to talk about today
is application programming interface
which is what the APIs we are going to talk about today
are all about.
The history of APIs goes back to when
computing languages were developed.
APIs are pretty much a way in which
large teams work together.
One team provided an API that another team consumed.
And they go off and work separately.
And when they integrate, as long as the APIs were defined
correctly and the consumers used them correctly,
everything worked fine.
Now APIs have evolved over time.
With the advent of the ecommerce and the web technologies,
APIs started gaining prominence and became even more prominent
with social and mobile technologies.
With a lot of mobile devices and social networking applications
available, APIs have become an integral part
of all applications today.
Any application, be it consumer applications or even enterprise
applications, depend on APIs.
So there's a whole track of businesses
that cater to developers by providing APIs
to various types of services.
Now while that is good and provides a rich user
experience, because you have all types of data
that are integrated into applications,
it has a lot of security risks associated with it.
And what I'm going to talk about today is some of those risks.
But before we get to the security aspects,
let's do an anatomy of how an API works.
When I talk about APIs there are different types of APIs.
So you might have heard of things
like SOAP APIs, REST APIs, or RESTFUL APIs.
They're a very rudimentary form of APIs
that are encoded in forms.
Pretty much all traffic today that
is relevant in the internet is all going over HTTP
and most often encrypted over SSL.
Now these are typically the types of APIs
that you would see.
Now when you look at APIs there are
two actors to this phenomenon.
One is what I call the API consumers.
And these are when applications are running.
So you have things like laptops, tablets, and mobile phones,
right.
And they could be anywhere.
The laptops or the mobile phones,
they could be in campuses where people
are doing their day to day work.
They could be at home and people are working remotely.
Or even in a coffee shop where people are checking on things
while they're sipping their favorite coffee.
So they are the consumers.
Now consumers are then trying to get data
from service providers.
So service providers are the ones
that are providing the data to the consumers.
So there are two types of data movement.
Before we get there, the types of service providers,
I've just given some examples here.
You have examples like maps.
If you want to embellish an application by providing
a map of where a user is or where some data is,
you can go to a maps service provider using an API
and get data and map it on the end device.
Similarly a lot of applications use analytics.
They want to keep track of who is using the application.
So that's another example of an API.
Then there are places where you may want to store things.
Like you write a note and you want to store it.
There are storage service providers
where you can go and store data, right.
Now the service providers are not standing by themselves.
Many service providers in turn have a partner ecosystem
where they get more data to provide to the end user.
The end user is not aware of the partner ecosystem.
But indirectly the data that is provided to the consumer
comes from other partners that are associated with the service
providers.
OK.
Now those are the actors in this API play.
Now where does the data actually move?
So you have cases where, let's say
an application is requesting data from a maps application,
right.
And here the data is actually flowing
in the user's direction.
So this is where the data is coming.
The information that was requested by the application
is provided back from the service provider.
But there are other applications,
like the storage case, where data
is flowing to the service provider.
So you're moving, let's say, a file.
This is now moving in this direction
from the application towards the service provider, which
may later on at some other point in time
be accessed in the other direction.
So the importance here is APIs are not one way.
It's a two way street.
You could have service providers that consume data
and you can have service providers
that provide data, right.
So what are the security implications of this situation?
So let's take each one separately.
Let's take the case where the service
provider is providing data.
Now when data comes to the end device
you want to make sure that data is the intended data
that you're looking for.
If for some reason this data has been infiltrated
and you have things like malware embedded,
then they can take over the laptop.
And you may be going to a reputable service provider.
But because of the fact that the service provider in turn
depends on a partner ecosystem, there
are ways in which this partner could
get infected with some kind of a virus.
And that could then infiltrate back to the end device, right.
So that's one way in which, even though you're
going to a reputable system, bad data
can come to the end system.
Now let's take the other case where you're pushing data
to a storage service provider.
In this case this data-- it's important as
to what is in that file or what is the data itself.
It could be sensitive data that is
very important to your business.
It could be intellectual property.
It could be PII or PCI type of information
that puts your compliance at risk.
So again, what data is going to the storage
is something that is of importance
and should be inspected.
So if you look at enterprises and the way in which they're
adopting applications that are in turn depending on APIs,
it becomes very clear that you need some form of entity that
is doing an API level inspection to determine
that these devices are not being compromised.
Important enterprise data is not being sent over to the service
provider where it could be compromised, right.
So it's very important that you have some form of inspection
that does this at the API level.
And once you do the API level inspection
you can identify the flow of data.
Is the data flowing from the service provider
to the client, in which case you want
to have a bunch of security services
that are able to inspect the data for malware, for viruses,
and any other type of infection that
could infect the end system.
Because once an end system can get infected,
depending on the type of infection,
it could then lead to some form of APT
type of attacks that affect other systems that
come on to the same network.
So it's very important that some form of security protection
is provided for the data that flows here.
Similarly for data that flows from the endpoints
to the service provider, you want
to be able to do inspections as to what the data file contains.
Does this contain PII data, for example?
Run it through some form of DLP in this inspection security
system.
And if so have the capability to block that file from going.
Because as I said, if you do not know what is in this data
and if it indeed contains sensitive data like PII data,
it puts your compliance at risk.
So it's very important that some form of API inspection
and policy enforcement and security services
be performed on applications that use APIs.
And as I said at the beginning of my talk,
APIs are everywhere.
They're becoming ubiquitous.
Every application in the enterprise
is going to depend on APIs more and more.
There's a whole economy depending on them.
That's all for today's Movie Line.
Until next time.
Thank you.
Bye bye.
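The talk describes an inspection point between API consumers and service providers that treats the two data directions differently: data flowing in from a provider is checked for malware, and data flowing out to a provider (the storage case) is run through DLP and blocked if it carries PII or card data. The following is an added example, not code from the talk or from any product it alludes to, of what such a policy looks like in code. The provider names, the hash blocklist, the PII patterns and all sample traffic are constructed for illustration; a real deployment would source the blocklist and the DLP rules from its own security services.

```python
"""Direction-aware API inspection point (added example, not from the talk).

Outbound request bodies (consumer -> provider) go through a DLP check for
PII/PCI-style data. Inbound response bodies (provider -> consumer) are
matched against a blocklist of known-bad content hashes. Everything below
that looks like data is constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed blocklist: SHA-256 digests of payloads treated as malicious.
# A real system would feed this from an AV or threat-intel service.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"EICAR-LIKE-TEST-PAYLOAD").hexdigest(),
}

# Constructed DLP patterns: US-style SSN and a 13-19 digit card-like run.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[str]:
    """Return the kinds of sensitive data found in an outbound payload."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append("card")
            break
    return findings


@dataclass
class ApiExchange:
    direction: str   # "outbound" (consumer -> provider) or "inbound" (provider -> consumer)
    provider: str    # hypothetical provider name, e.g. "storage", "maps"
    body: bytes


@dataclass
class Decision:
    allow: bool
    reason: str


def inspect(exchange: ApiExchange) -> Decision:
    """Apply the direction-specific check and return an allow/block decision."""
    if exchange.direction == "outbound":
        findings = find_pii(exchange.body.decode("utf-8", errors="replace"))
        if findings:
            return Decision(False, f"dlp: {','.join(findings)} to {exchange.provider}")
        return Decision(True, "dlp: clean")
    if exchange.direction == "inbound":
        digest = hashlib.sha256(exchange.body).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            return Decision(False, f"malware: known-bad hash from {exchange.provider}")
        return Decision(True, "malware: no match")
    return Decision(False, f"unknown direction {exchange.direction!r}")


# Constructed sample traffic covering both directions.
SAMPLE = [
    ApiExchange("outbound", "storage", b"meeting notes: ship v2 next week"),
    ApiExchange("outbound", "storage", b"customer 4111 1111 1111 1111 exp 12/29"),
    ApiExchange("outbound", "analytics", b"user ssn 123-45-6789 opted in"),
    ApiExchange("inbound", "maps", b'{"lat": 37.42, "lng": -122.08}'),
    ApiExchange("inbound", "maps", b"EICAR-LIKE-TEST-PAYLOAD"),
]


def run_policy(exchanges=SAMPLE) -> list[Decision]:
    """Run every exchange through the inspection point."""
    return [inspect(x) for x in exchanges]


if __name__ == "__main__":
    for x, d in zip(SAMPLE, run_policy()):
        verdict = "ALLOW" if d.allow else "BLOCK"
        print(f"{x.direction:8} {x.provider:10} {verdict:5} {d.reason}")
```

The Luhn check is what keeps the card rule from firing on every long digit string (order numbers, timestamps), which is the usual source of DLP false positives; the hash blocklist stands in for whatever malware scanning the inbound side actually uses.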