Minimizing attack surface in an API-enabled, multi-cloud world

The global digital economy is growing ever more competitive and it requires mission-critical applications – a source of differentiation – to be delivered with unprecedented speed, scale, and agility. This has galvanized many IT organizations to not only move applications off-premises to a cloud but also adopt a multi-cloud or “best cloud for the app” strategy. 

However, deploying and managing a vast portfolio of applications across multiple clouds, while ensuring security and performance wherever each app resides, requires optimized IT infrastructure and processes. IT optimization in turn drives the use of automation and orchestration systems to help streamline and standardize IT processes across hybrid and multi-cloud environments.

This is achieved through a widening array of application services. F5’s annual State of Application Delivery (SOAD) studies have been tracking some 30 distinct application services across five categories: availability, identity and access, performance, security, and mobility. This year, gateway services for IoT, APIs, HTTP/2 and botnet protection were added.

Organizations are increasingly relying on application programming interfaces (APIs) to facilitate the integration, management and optimization of services, simplifying infrastructure expansion across compute, network and storage domains. API-enabled infrastructure makes automation and orchestration possible, scaling IT operations to support cloud-ready applications. In the SOAD 2018 survey, 74% of respondents consider API-enabled infrastructure somewhat or very important.

More ways in

The bad news is that cloud connectors and APIs add even more entry points for attackers to an already expanded attack surface. Exposed APIs, or poorly managed API networks spanning multiple clouds, can leave enterprises vulnerable to breaches and open the floodgates to DoS/DDoS attacks.

APIs are also forcing security and network professionals up the network stack to the application layer, where organizations often lack expertise. Furthermore, it is not uncommon for web applications today to use one or more web server add-ons – such as modules, plugins, libraries, frameworks, and extensions – for added functionality. This, too, increases complexity and broadens the attack surface of an application.

The F5 Labs 2018 Application Protection Report, based on a Ponemon security survey of IT professionals, highlighted APIs as enticing targets since they often have administrative capability within the application as well as direct access to valuable data stores.

“Wherever an application accepts data, often by way of an API, it is a potential target for attack,” explained Ray Pompon, principal threat research evangelist with F5 Labs. “Some application owners think that APIs are invisible to attackers since no human is supposed to interact with them directly. However, APIs are easily found by attacker reconnaissance scans and can be attacked by most of the traditional web application attack methods.”

Although APIs serving machine-to-machine interactions are typically guarded by their own authentication scheme, many application programmers have unwisely relied on a single password or cryptographic key that is never changed or adequately tracked. In other cases, a single shared secret is used for an entire organization’s API access to the app, or the API key is accidentally included in the source code.
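The three weaknesses above (one secret for everyone, a key that is never changed, a key living in source) are addressed by the same small piece of design: issue one key per client, store only a hash of it, give every key an expiry, and rotate with a short grace window so deployments can cut over. The following is an added illustration written for this post, not code from F5 or from any product it mentions; the client ids, the 90-day lifetime and the `key_from_env` variable name are constructed for the example.

```python
"""Per-client API key store: keys are hashed at rest, expire, rotate with a
grace window, and can be revoked. Client ids and lifetimes below are
constructed for this example."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyRecord:
    client_id: str
    key_hash: str        # SHA-256 of the key; the plaintext is never stored
    issued_at: float
    expires_at: float
    revoked: bool = False


class ApiKeyStore:
    """One key per client, never one shared secret for the whole organization."""

    def __init__(self, max_age_seconds: float = 90 * 86400):
        self.max_age = max_age_seconds
        self._records: dict[str, list[KeyRecord]] = {}

    @staticmethod
    def _hash(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def issue(self, client_id: str, now: float | None = None) -> str:
        """Mint a fresh key; the plaintext is handed to the caller exactly once."""
        now = time.time() if now is None else now
        # The client-id prefix lets verify() find the right records without
        # comparing the presented key against every client's hashes.
        key = f"{client_id}.{secrets.token_urlsafe(32)}"
        rec = KeyRecord(client_id, self._hash(key), now, now + self.max_age)
        self._records.setdefault(client_id, []).append(rec)
        return key

    def rotate(self, client_id: str, now: float | None = None,
               grace_seconds: float = 3600) -> str:
        """Issue a replacement; older keys keep working only for a short grace window."""
        now = time.time() if now is None else now
        for rec in self._records.get(client_id, []):
            if not rec.revoked:
                rec.expires_at = min(rec.expires_at, now + grace_seconds)
        return self.issue(client_id, now)

    def revoke_all(self, client_id: str) -> int:
        """Kill every key of a client, e.g. after one was committed to a repository."""
        live = [r for r in self._records.get(client_id, []) if not r.revoked]
        for r in live:
            r.revoked = True
        return len(live)

    def verify(self, presented: str, now: float | None = None) -> str | None:
        """Return the client id if the presented key is live, otherwise None."""
        now = time.time() if now is None else now
        client_id, sep, _ = presented.partition(".")
        if not sep:
            return None
        digest = self._hash(presented)
        for rec in self._records.get(client_id, []):
            # constant-time comparison of the hashes, not of the raw keys
            if (hmac.compare_digest(rec.key_hash, digest)
                    and not rec.revoked and now < rec.expires_at):
                return client_id
        return None


def key_from_env(var_name: str) -> str:
    """Clients read their key from the environment (or a secrets manager),
    never from a literal in source control. The variable name is hypothetical."""
    value = os.environ.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to start without a credential")
    return value


if __name__ == "__main__":
    store = ApiKeyStore()
    first = store.issue("partner-a")
    print("verify:", store.verify(first))           # partner-a
    second = store.rotate("partner-a")
    print("old key still in grace:", store.verify(first) is not None)
    print("revoked:", store.revoke_all("partner-a"))  # 2
    print("after revoke:", store.verify(second))     # None
```

Because only hashes are stored, a dump of the key table does not yield usable credentials, and because every key carries a client id and an expiry, a leaked key can be tied to one integration and cut off without disturbing the others.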

Batten down the hatches

“Because of the unfettered access APIs have to an application and its data, there should be stronger access control in place for APIs than for users,” Pompon urged.

Hence, all exposed pieces – including APIs used to share data with third parties – should be access-controlled, patched and hardened against attack. “Some web application firewalls (WAFs) can perform ‘virtual patching’ by scanning application traffic and blocking known exploit attacks,” suggested Pompon. “They know what to block from automatic signature updates from threat intelligence feeds and vulnerability scans of your environment. This alleviates the time pressure to patch immediately when a new exploit is released, and it gives the operations team time to properly test and roll out fixes.”

To further reduce the attack surface, you should also segregate and partition your applications so that higher priority systems are shielded from any breach of a low-priority application. This can be done in code, with server isolation, sandboxes, lower privileged users, and with the Advanced WAF capabilities in the F5 BIG-IP Cloud Edition.

The F5 Advanced WAF’s automated security policy capabilities and cloud templates enable NetOps, SecOps and DevOps teams to collaborate in support of business priorities. On this front, the WAF’s API protocol security provides tools that secure REST/JSON, XML and GWT APIs supporting programmability and automation.

The aim is to make it less onerous for IT organizations to secure the growing attack surfaces created by rapid adoption of APIs. You need robust solutions that protect all cloud networks and manage potential risk factors. Vital components of this security approach include vulnerability testing, API asset consolidation and rigorous authentication mechanisms. The F5 Advanced WAF also encrypts data at the app layer to combat data-extracting malware and keyloggers.

To protect API access, you can use the BIG-IP Access Policy Manager as an OAuth Client, OAuth Resource Server and OAuth Authorization Server. This paves the way for app development teams to securely deploy services in the data center and multiple cloud environments while having per-app visibility, analytics and controls for management and orchestration. The aim is to better position NetOps to support business priorities in concert with SecOps and DevOps.

Reiterating the need to minimize application functions exposed to untrusted systems and partitioning those functions from the rest of the systems, Pompon said, “Powerful interfaces like APIs and databases often provide full pathways into applications and data. These functions should be access controlled with the least-privilege principle applied.” 
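The OAuth roles named above (authorization server, resource server, client) and the least-privilege rule in this last quote fit together as follows: the authorization server issues a short-lived, signed token carrying only the scopes a client is entitled to, and the resource server rejects any call whose token does not carry the scope its endpoint requires. The exchange below is an added, stdlib-only illustration of that division of responsibility, not code from F5 or from the BIG-IP Access Policy Manager, and not a full OAuth 2.0 implementation; the signing key, client ids, endpoints and scope names are constructed for the example.

```python
"""Minimal OAuth-style bearer-token exchange: an authorization server mints a
signed, scoped, short-lived token; a resource server validates it and enforces
one required scope per endpoint. Keys, clients, endpoints and scopes are
constructed for this example."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Knows which client may hold which scopes and mints tokens accordingly."""

    def __init__(self, signing_key: bytes, audience: str, ttl_seconds: int = 300):
        self.key = signing_key
        self.audience = audience          # which resource server the token is for
        self.ttl = ttl_seconds            # short lifetime: no never-expiring credential
        self.client_scopes: dict[str, set[str]] = {}

    def register_client(self, client_id: str, allowed_scopes: set[str]) -> None:
        self.client_scopes[client_id] = set(allowed_scopes)

    def issue_token(self, client_id: str, requested: set[str],
                    now: float | None = None) -> str | None:
        allowed = self.client_scopes.get(client_id)
        if allowed is None or not requested <= allowed:
            return None   # unknown client, or asking for more than it is entitled to
        now = time.time() if now is None else now
        claims = {"sub": client_id, "aud": self.audience, "scope": sorted(requested),
                  "iat": int(now), "exp": int(now) + self.ttl,
                  "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"


class ResourceServer:
    """Validates the token, then checks the scope the called endpoint requires."""

    def __init__(self, signing_key: bytes, audience: str, endpoint_scopes: dict[str, str]):
        self.key = signing_key
        self.audience = audience
        self.endpoint_scopes = endpoint_scopes   # endpoint -> required scope

    def _verify(self, token: str, now: float) -> dict | None:
        body, sep, sig = token.partition(".")
        if not sep:
            return None
        try:
            presented_sig = _unb64(sig)
            expected_sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected_sig, presented_sig):
                return None                      # forged or tampered token
            claims = json.loads(_unb64(body))
        except ValueError:                       # covers binascii.Error and bad JSON
            return None
        if claims.get("aud") != self.audience or claims.get("exp", 0) <= now:
            return None                          # wrong audience or expired
        return claims

    def authorize(self, endpoint: str, token: str,
                  now: float | None = None) -> tuple[int, str]:
        """Return an HTTP-style (status, reason) for a call to endpoint with token."""
        now = time.time() if now is None else now
        required = self.endpoint_scopes.get(endpoint)
        if required is None:
            return 404, "unknown endpoint"
        claims = self._verify(token, now)
        if claims is None:
            return 401, "invalid or expired token"
        if required not in claims.get("scope", []):
            return 403, f"scope '{required}' required"   # least privilege enforced here
        return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    key = b"constructed-signing-key"
    auth = AuthorizationServer(key, audience="orders-api")
    auth.register_client("reporting-job", {"orders:read"})
    rs = ResourceServer(key, "orders-api",
                        {"/orders": "orders:read", "/orders/ship": "orders:write"})
    token = auth.issue_token("reporting-job", {"orders:read"})
    print(rs.authorize("/orders", token))         # (200, 'ok for reporting-job')
    print(rs.authorize("/orders/ship", token))    # (403, "scope 'orders:write' required")
```

Two points are worth noticing. The resource server never consults the client table; everything it needs is inside the signed token, so it can sit in any cloud as long as it shares the verification key with the authorization server. And a read-only job cannot reach the write endpoint even with a perfectly valid token, which is the partitioning of powerful interfaces the quote asks for.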

This is a QuestexAsia blog post commissioned by F5 Networks Asia Pacific.