Warakorn - Fotolia

How do APIs work, and how can you ensure they are secure?

Understanding how APIs work and how they are used is essential when formulating security policies. Our expert outlines four steps to set up a first line of defense.

Companies looking to access information through APIs need a game plan for how they intend to protect that information. Understanding how APIs work and having a set of security policies around them is integral to internal security and stability.

APIs are likely to be used to perform several actions that fall under the categories of retrieving data; modifying, updating, deleting and adding data; and invoking an action to take place. Understanding how APIs work and how they are used helps to create strong security policies. Here are four ways APIs are used and how to ensure security.

1. Authorization

Access to information through an API needs to be granted and authorized. Users and applications that need access to data should be able to do so by first authenticating themselves with the service in question. Different users and applications should be identified and authorized separately, allowing for granular access to the data.

For example, while some users may have access to all actions in the system, such as adding, deleting and updating, other users may only have access to retrieve or add new records. The level of access each user or application has to various object classes of information needs to be managed and maintained, so users can't access more information than they need.

This type of varied authorization is usually achieved by defining different roles and assigning them to users. Each role provides different access rights to its user.

2. Audit trail

Another important element in securing how APIs work is an audit trail, which is a way to track who accessed information and when it was accessed. Because users are separately and uniquely identified when accessing APIs, these calls, as well as their return status, need to be logged as an audit trail.

Audit trails can be used to understand how the data is accessed and if any nefarious activity has taken place. The trail will also lead back to the user who initiated the access.

Three basic types of APIs chart

3. Data at rest and data in motion

The data accessed through the API is best stored in an encrypted format. Encryption is especially important if that data includes personally identifiable information or any other sensitive data. All passwords should be salted and hashed and never stored in the clear.

Calling, or executing, the APIs means that data is in motion and information is obtained through the APIs. While all APIs in this day and age should be called via encrypted HTTPS or secure web sockets, this is doubly true for information retrieval via APIs. It is necessary in order to thwart any unauthorized users sniffing on the traffic from the API to its intended consumer.

4. Rate limiting

A user should be allowed to access information through the API up to a given rate. This reduces the risk of a user abusing their access or having their identity hijacked and abused, which could create a larger data breach.

For example, a user may connect to an API to validate new users. But if the user is executing your API at a rate of 1,000 calls per second, it could mean the API is being abused to harvest data. In this case, it would make sense to limit the user's API access to one call per second.

As with other security measures, rate limiting can be granular and cover different users and roles. Different rate limits can be set for different API calls.

Other authorization policies can limit access by geography, a user's exact location or specific security certifications. It's prudent to monitor the access of information. Suspicious behavior can indicate potential abuse or data breaches.

Next Steps

Amid explosive growth, API security a growing concern

A quick breakdown of Postman vs. Insomnia

Dig Deeper on Collaboration and communication security