In January 2017, the UK Government’s Cabinet Office issued guidelines outlining what department heads needed to consider when putting services or data into the public cloud.
Along with its 14 Security Cloud Principles, the guidance confirmed that “it’s possible for public sector organisations to safely put highly personal and sensitive data into the public cloud. Many UK departments have made this decision based on risk management assessments once they have put appropriate safeguards in place”.
Following on from the introduction of the Government’s 2013 Cloud First policy, the issue of these guidelines showed that the movement of UK public data to the cloud is now ‘the new norm’. Although Departments remain free to choose an alternative to the cloud if they wish, they now need to demonstrate that it offers better value for money before they do so.
The end result is that highly sensitive information about all of us (including names, addresses, National Insurance numbers, tax and revenue details, passports, driving licences etc.), is now being stored in data centres operated by major public cloud providers such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform.
The UK Government has spent £19 million with AWS over the past five years alone, the vast majority of which occurred in 2017, with the Home Office leading the way, followed by the Ministry of Justice, HM Revenue and Customs and the Cabinet Office (according to figures compiled by expert data cruncher Dan Harrison).
Ideally the Government would own and manage its own private cloud and associated security, dedicated entirely to its own use, but costs usually make this prohibitive. A public cloud is a way for enterprises to scale their IT resources on demand, without having to maintain as many infrastructure components, applications or development resources in house.
This transfer of so much sensitive data has, though, led to questions being asked about the security of the public cloud and, in particular, APIs (Application Programming Interfaces). APIs are everywhere on the internet and act as connectors allowing companies to share selected information with each other.
An API is essentially a software intermediary that allows two applications to talk to each other and make things happen. APIs let applications (and devices) seamlessly connect and communicate. An API can create a seamless flow of data between apps and devices in real time.
ProgrammableWeb, a site that tracks more than 15,500 APIs, lists Google Maps, Twitter, YouTube, Flickr and Amazon Product Advertising as some of the most popular ones. APIs allow you to order pizza, book a hotel room, check the weather forecast, rate a book, or download a song. APIs make the interactivity that we expect on the internet happen – and at a lightning quick speed.
The reason APIs have become the centre point of innovation for the cloud is that they represent a consistent, standards-based means of communicating, and thus allow companies to more easily adopt APIs regardless of the disparate technologies in their architecture.
Since APIs allow simplified connection to applications and services, essentially acting as a door that anyone with the right key can enter, they also present a heightened cybersecurity risk. Most cloud services use API gateways to identify and verify users, and to act as the single entry point into the service so, of course, this is the main focus of attack for most hackers. As APIs are connectors to the cloud, they are a veritable ‘all-you-can-eat buffet’ for hackers who seek to compromise APIs to gain access to sensitive data for fraud, theft or even blackmail.
API security by design
If the API gateway is not secure by design, then the overall API architecture will always be one step behind, trying to discover and patch the weaknesses before the hacker can find and exploit them. The only way to truly protect the data held in a public cloud is to embed secure API gateways within the cloud itself, technology specifically known as an “API Security Gateway”. While API developers have an ethical, and sometimes legal, responsibility to prevent the misuse and abuse of their APIs, it is impossible to rely entirely on developers to stay ahead of the hacking curve, and thus security technology is essential to achieving API security.
Building a 100 per cent secure API security gateway requires fundamental product architecture principles such as a locked down and secure operating system, self-integrity health checks to detect compromise, and independent security certifications to ensure that the product architecture is indeed secure.
API security gateways provide three layers of protection:
- Centralised identity management to validate the identity of users interacting with the API. This includes multi-context and multi-factor authentication to ensure that the correct users are accessing the APIs and that their behaviour is correct.
- Real-time monitoring and security enforcement to proactively monitor and protect API traffic. Proactive monitoring and enforcement includes deep-content inspection, bi-directional information assurance, and embedded antivirus and PKI cryptography.
- Seamless cloud integration with legacy and modern architecture. The security gateway is a silent and seamless component, but essential to enabling modernisation of legacy technologies and connecting cloud services securely.
API Security Gateways protect the data, application and user because they protect traffic at the point at which it enters and leaves the organisation's data boundaries (which may be within the cloud itself, or across the cloud boundaries).
API security should never be left entirely to the cloud provider or the API developer, because it is not their area of expertise. Think of cloud services like booking a hotel room. You get the room and all the amenities from the hotel, along with a room key. However, once inside the room, you have your own safe and key to protect your assets. You might even put a rubber wedge under the door to help stop it being opened or fix a portable motion detector alarm for when you’re asleep.
This is akin to API security; you can rely up to a point on the cloud provider, but should never give up the keys to the safe.
Jason Macy, Chief Technical Officer, Forum Systems