API Security Best Practices for Cloud vs. On-Premise Environments

Back in December 2021, Twitter (now X) suffered the biggest data breach in its history. One of its APIs let anyone submit an email address or phone number and get back the Twitter handle associated with it. Using this technique, known as "scraping," attackers collected the details of millions of Twitter users, including people who had chosen to stay anonymous. And all of it stemmed from a flaw introduced by a code change in 2021. Moral of the story: Twitter's breach is a reminder of why API security best practices are critical to keeping a company operating and its users' trust intact.

Still, the 2024 State of API Security report by Salt Security found that an overwhelming 95% of organizations struggle with API security issues. And a leading reason is, you guessed it, that companies don't spend enough time fleshing out security requirements or documenting their APIs.

In this article, you'll learn:
Common API security vulnerabilities and risks
API security best practices (for on-premise and cloud environments)
The impact of emerging technologies on API security
How to secure your API (a checklist)

Instead of wondering "is this another breach?", you'll have a clear plan in place to move forward.

What is API security?

API security is the practice of preventing or mitigating attacks on APIs, such as data breaches and unauthorized access. It overlaps with application security but has its own focus: an API is an interface exposed to other software, so the work centers on who may call each endpoint, which objects they may reach, how input is validated before it is processed, and what each response gives away.

APIs are core components of modern applications. They act as a bridge between different pieces of software, exchanging data or providing new functionality. But it's precisely this exchange of data that makes them vulnerable to the following attacks.
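To make the first two rows of the table that follows concrete, here is an added example that is not part of the original article. It contrasts a profile endpoint that trusts the ID in the URL and serializes the whole record with a hardened version that authorizes against the object and returns only an allow-list of fields. The user records, the numeric IDs, the "support" role and the handler names are all constructed for this example.

```python
"""Added example: Broken Object Level Authorization and excessive data exposure."""

# Constructed sample records for this example; the sensitive values are placeholders.
USERS = {
    "1001": {"id": "1001", "handle": "alice", "email": "alice@example.com",
             "role": "user", "password_hash": "<hash>", "ssn": "<redacted>"},
    "1002": {"id": "1002", "handle": "bob", "email": "bob@example.com",
             "role": "user", "password_hash": "<hash>", "ssn": "<redacted>"},
    "1003": {"id": "1003", "handle": "carol", "email": "carol@example.com",
             "role": "support", "password_hash": "<hash>", "ssn": "<redacted>"},
}

# Response allow-list: only these fields may ever leave the profile handler.
PROFILE_FIELDS = ("id", "handle", "email")


class NotFound(Exception):
    """Maps to HTTP 404. Used for both 'no such record' and 'not yours', so an
    attacker iterating IDs cannot even learn which IDs exist."""


def get_profile_vulnerable(requester: dict, target_id: str) -> dict:
    """GET /users/{target_id} as it is too often written: the requester is ignored
    (BOLA) and the whole database row is serialized (excessive data exposure)."""
    return USERS[target_id]


def get_profile(requester: dict, target_id: str) -> dict:
    """Hardened handler: authorize against the object, then serialize an allow-list."""
    target = USERS.get(target_id)
    owner = requester["id"] == target_id
    privileged = requester["role"] == "support"   # explicit role, not "any logged-in user"
    if target is None or not (owner or privileged):
        raise NotFound(target_id)
    # Secrets such as password_hash and ssn are never copied into the response,
    # regardless of who asks.
    return {field: target[field] for field in PROFILE_FIELDS}


def iterate_ids(handler, requester: dict, id_range) -> list:
    """Simulates the scraping pattern from the Twitter story: walk a range of IDs
    and record which ones returned data."""
    leaked = []
    for number in id_range:
        try:
            handler(requester, str(number))
            leaked.append(str(number))
        except (NotFound, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    alice = USERS["1001"]
    print("vulnerable:", iterate_ids(get_profile_vulnerable, alice, range(1000, 1010)))
    print("hardened:  ", iterate_ids(get_profile, alice, range(1000, 1010)))
```

Run against the constructed data, the vulnerable handler hands Alice every other user's full record, SSN included, while the hardened one returns only her own public fields and answers 404 for everything else. In a real service, pair the object-level check with rate limiting so that even the 404s cannot be harvested at scale.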
API security risks and vulnerabilities

Broken Object Level Authorization (BOLA)
Description: The API doesn't enforce access control on individual objects, such as user profile records or documents.
Example: If an API request carries a user ID (the object) in the URL, an attacker can swap in another ID and read that user's data.

Data exposure
Description: When responding to a request, the API returns more information than the caller needs.
Example: An API designed to return user profiles also includes fields like password hashes or SSNs.

Improper data encryption
Description: Outdated or weak cryptography protecting sensitive data makes it easier for attackers to recover it.
Example: Storing passwords as unsalted MD5 hashes. MD5 is fast to compute, so attackers crack such hashes offline by brute force and precomputed tables (its collision weaknesses are a separate problem). Use a slow, salted password hash such as bcrypt, scrypt or Argon2 instead.

Security misconfigurations
Description: An API running with default settings or without security hardening gives attackers an easy way in.
Example: An endpoint meant to be private is publicly reachable because of a misconfiguration. Our Twitter example from before.

Denial of Service (DoS)
Description: An attacker overwhelms your API with requests, making it slow or unresponsive for legitimate users.
Example: An attacker sends thousands of requests per second to an endpoint to exhaust its bandwidth, connections or compute.

Server-Side Request Forgery (SSRF)
Description: An attacker supplies a crafted URL that the server fetches on their behalf, reaching internal services (databases, cloud metadata endpoints) that are not exposed to the internet.
Example: An endpoint that retrieves a resource from a user-supplied URL is pointed at an internal service, and that service's response, including sensitive information, is returned to the attacker.

Injection attacks
Description: An attacker places code or query syntax in an API input that the server hands to an interpreter, allowing them to read or modify data or take control of the server.
Example: An attacker types a simple SQL fragment into a login field.
If that input is concatenated into the database query, the server executes it without requiring valid credentials, giving the attacker access to sensitive information.

8 API security best practices

The API security controls you apply vary with the environment, on-premise or cloud. The distinction matters because of two factors: control and infrastructure. In on-premise environments, your organization has full control over both the infrastructure and API security. In cloud environments, infrastructure security is shared with the cloud provider, but the security of the API itself and its data is entirely up to you. The following sections cover API protection best practices for both on-premise and cloud environments.

1. Authentication techniques

Cloud: When your API lives on the internet, many different users and services will call it, so your access controls must be scalable and flexible. Common solutions for cloud environments:
OAuth 2.0: Lets your users authorize third-party applications to access their data without handing over their credentials. Ideal for multi-tenant SaaS applications, because users' passwords never reach third parties, which limits the damage a compromised client can do. Strictly speaking, OAuth 2.0 is an authorization framework; for login, use OpenID Connect, which is built on top of it.
JWTs (JSON Web Tokens): When a user logs in, your server issues a JWT that carries claims about them and is signed with a secret (or private) key; the client sends it with every subsequent API request and each service verifies the signature. Ideal for authentication across microservices. Keep tokens short-lived, check the expiry, and pin the accepted signing algorithm on the server rather than trusting the token's alg header.
API keys: When a service wants to access an API, it includes an API key in its request, and the API server checks the key to confirm the request comes from an authorized source. Ideal for machine-to-machine communication (such as a server calling a cloud service). A key identifies the caller but is a bearer secret, so scope it narrowly, send it only over TLS, and rotate it.
On-premise: On the intranet, your authentication should plug into the identity management systems you already run. To ensure secure access within this controlled environment you can use:
Kerberos: Provides your organization with secure single sign-on (SSO), using secret-key cryptography and tickets issued by a key distribution center to authenticate users and services to each other.
Ideal for multiple services and applications that share one authentication domain.
LDAP (Lightweight Directory Access Protocol): Your users' accounts are stored in a directory service; when someone tries to log in, the application checks the credentials against the directory. Ideal for general on-premise systems. Use LDAPS (LDAP over TLS), otherwise credentials cross the network in clear text.
NTLM (Windows NT LAN Manager): On Windows, when a computer tries to open a file on the network, NTLM verifies the user's identity with a challenge-response exchange. Treat it as a legacy fallback rather than a first choice: NTLM is exposed to relay and pass-the-hash attacks, so prefer Kerberos and restrict NTLM wherever you can.

💡 Authorization vs. authentication. These terms are often used interchangeably. Authentication verifies the identity of a user, while authorization determines what a user may do (generally after authentication). For example, when a user signs in to an app with their Google account, OAuth 2.0 handles the app's authorization to access their Google data; the sign-in itself is provided by OpenID Connect, which is built on OAuth 2.0. To the user it simply feels like authentication.

2. Data encryption strategies

Cloud: In cloud environments, your data crosses public networks, and malicious actors may try to steal sensitive data in transit. That is why proper encryption matters:
TLS (the successor to SSL): Encrypts the communication channel between clients and servers, protecting your data against eavesdropping and man-in-the-middle attacks. Use TLS 1.2 or 1.3; SSL and TLS 1.0/1.1 are deprecated.
End-to-end encryption: Data is encrypted before transmission and can only be decrypted by the intended recipient. Even if the cloud provider is compromised, your data stays protected until it reaches the recipient.
Cloud Key Management Services (KMS): Encryption needs keys, and a KMS lets you generate, rotate, access-control and audit them while the provider keeps the key material in hardware. Ideal for encryption in large-scale databases and storage.
On-premise: In on-premise environments, your data moves over internal networks. You still need to protect it against insider threats and anyone who gains a foothold inside, with:
Encryption at rest: Every disk (hard drive or SSD) is encrypted and can only be read with the right key.
Ideal for protecting physical assets like laptops and flash drives.
Encryption in transit: Encrypts data as it moves over the internal network. Ideal for an environment with multiple departments, and the default in a zero-trust network, where the internal network is not assumed to be safe.
Hardware Security Modules (HSM): HSMs are physical devices that generate and store encryption keys and perform cryptographic operations on the API's behalf. Keys cannot be extracted from the device, which is why banking and payment systems rely on them.

3. Effective monitoring and logging

Cloud: Because cloud environments are distributed and scale dynamically, they need monitoring tools built for distributed systems. Some solutions that support detecting and responding to security incidents:
AWS CloudWatch: For AWS resources and applications. CloudWatch collects metrics and logs, raises alarms on suspicious activity and can trigger automated responses.
Azure Monitor: For Azure services. Azure Monitor helps you mitigate risks by flagging unusual patterns in telemetry.
Google Cloud Operations: For Google Cloud services. It provides monitoring and logging and integrates with incident management tools.
On-premise: Because they run on your own infrastructure, on-premise environments need monitoring and logging solutions tailored to the specific needs of the internal network. Some solutions:
Splunk: Analyzes logs from many sources and provides the real-time visibility and alerting you need, which also supports forensic analysis.
ELK (Elasticsearch, Logstash, Kibana): An open-source toolset for centralized logging and monitoring. Its detailed search and visualization of security events make it a good base for custom security dashboards.
Nagios: Monitors your network, systems and applications. Besides alerting on performance issues, it supports custom plugins.

4. Rate limiting and throttling techniques

Cloud: APIs face unpredictable, high traffic volumes in cloud environments.
That's why you need rate limiting and throttling: to prevent abuse by malicious actors and keep the API available to everyone else. Some solutions:
API gateway settings: With cloud-native API gateways (such as AWS API Gateway), you can set rate limits per client, method or stage. This blunts DoS attacks, though volumetric DDoS still needs protection at the network edge.
Usage plans: You can allocate specific quotas to different user tiers, so free-tier users cannot exhaust resources that paying customers depend on.
On-premise: In on-premise environments, traffic is more predictable. Here the focus is on using rate limiting and throttling to allocate internal resources so your systems deliver consistently. Some solutions:
Server-side throttling: Implement throttling in the server itself to avoid overload by bounding the number of requests processed at any given time.
Network-level controls: Enforce rate limits with firewalls or load balancers to protect your infrastructure from traffic spikes and DoS.

5. Securing API gateways

Cloud: In the cloud, API gateways are critical for API security and management. They are the entry point for external traffic, so you must balance accessibility and security. Some ways to do it:
AWS API Gateway: Ensures that only legitimate traffic reaches your APIs with security features like WAF (Web Application Firewall) integration and DDoS protection.
Azure API Management: Gives you control over who accesses your services through OAuth 2.0 token validation and IP allow lists (whitelisting).
On-premise: In on-premise environments, API gateways manage both internal traffic and external access, so you need security configurations that integrate with your own security policies. Some solutions:
Apigee Edge: Includes authentication, rate limiting and data encryption. Well suited to managing APIs with security policies in on-premise deployments.
Kong: An open-source API gateway (with an enterprise edition) that secures your API communications.
It offers plugins for JWT authentication and mutual TLS.
Tyk: Another open-source API gateway for internal API traffic and external connections. It provides access control, IP allow lists and monitoring.

6. Conducting regular security audits

Cloud: As you scale your cloud environments, you need to keep up with the changes in your infrastructure. New vulnerabilities can emerge at any time, which is why regular security audits matter. What you can do:
Automated vulnerability scans: Tools like Amazon Inspector can automatically scan your cloud resources for known vulnerabilities.
Compliance checks: You can assess your cloud environment's compliance with standards and regulations like GDPR or HIPAA using Microsoft Defender for Cloud (formerly Azure Security Center).
On-premise: On-premise environments, on the other hand, rely more on hands-on audits such as:
Manual penetration testing: Run real-world attack techniques against your APIs to test your defenses and uncover vulnerabilities in your on-premise systems.
Regular software updates: All your software, including security tools, applications and operating systems, should be updated regularly so attackers cannot exploit known vulnerabilities.

💡 How often should I perform security testing on my APIs?
Quarterly, or monthly for APIs that handle sensitive data.
Annually with penetration testing.
After significant changes and during development.

7. Incident response planning

Cloud: In cloud environments, incident response should be automated and scalable to minimize downtime. Some ways to achieve this:
Automated responses: Tools like AWS Lambda or Azure Logic Apps let you run incident response playbooks that automatically isolate affected resources and mitigate attacks.
Disaster recovery: In the event of a breach or outage, services such as AWS Backup support disaster recovery.
On-premise: Incident response planning in on-premise environments is a manual effort that requires coordination across teams.
Here are some solutions:
Backup and restore procedures: Regular backups of sensitive data are critical for your business. After a security incident, your backups are what let you resume operations, so test restores regularly and keep at least one copy that an attacker who compromises production cannot alter.
Forensic analysis: Ensures you understand the root cause of a security incident so you can prevent it from recurring.

8. Training and awareness programs

Cloud: In cloud environments, the security of your API is a shared responsibility between you and the cloud provider. You cannot manage the provider's processes, but you can clearly state who is responsible for each segment, so there is no confusion over what each party should be doing during an attack. Generally, the cloud provider is in charge of infrastructure and platform security (e.g., data centers, physical hardware, network and storage), while your organization is responsible for API, data and application security (e.g., authentication, encryption, access controls, configuration).
On-premise: Here you control every security layer, software and hardware. That gives you more flexibility when implementing solutions and lets you act faster. But it also means that when things go wrong, the responsibility is entirely yours. To reduce that risk, promote role-based security training: IT staff, who are responsible for the hardware, can train in secure server management, while developers focus on secure coding practices (or on any of the other tools and techniques covered so far).

💡 What tips are effective for educating and training teams on API security?
Implement role-based training.
Keep API documentation clear and current.
Simulate attacks with real-world scenarios.
Provide a sandbox in which your team can practice implementing API security best practices.

The impact of emerging technologies on API security

So, what does the future of API security look like with new technologies like AI and IoT?
When someone mentions API security, you instinctively think about applications. But with AI and IoT on the rise, their API security aspects deserve a mention too. Here's a breakdown.

API security and IoT: If there's one thing to know about IoT devices, it's that they carry many vulnerabilities. The convenience of syncing all your devices means you have to secure every entry point, on every device, including the ones with limited computing power. Each device you connect enlarges the attack surface, and a fragmented IoT ecosystem is hard to protect. When the APIs those devices talk to are properly secured, though, your data is at far lower risk.

API security and AI: AI is a double-edged sword in API security. On one hand, AI can analyze API traffic in real time and detect anomalies so that threats are mitigated automatically. This shortens the time it takes to figure out what's wrong and act, and it keeps incidents from escalating. On the other hand, attackers can use AI to build more sophisticated attacks. For example, they can use it to adapt the timing, volume and patterns of requests sent to servers, and if rate limiting kicks in, the attack can rotate through source IP addresses to stay below per-client limits.

How to secure your API with ReadMe

Besides the techniques above, here's an API security best practices checklist you can use with ReadMe's developer portals:
Centralized hub for security information: Use ReadMe's developer portal to centralize your security-related documentation.
Pre-built security templates: Whenever a developer starts a new project, include a template with API security best practices as a foundation.
Centralized incident response planning: Use automated alert features to report security incidents.
This notifies developers (on the API provider side), allowing short response times when incidents occur.
API version control: Use the portal to communicate about API versioning, so developers know which endpoints are deprecated and which security updates are needed.
Authentication and authorization: Offer guides within the portal for setting up authentication and authorization. This reduces the likelihood of misconfigurations.
Role-based access: Use role-based access control within the portal to restrict access to sensitive documentation based on the user's role.
And of course, build a culture of continuous learning. You can include learning modules in your developer portal so developers are better equipped to design a secure API.

Keep your APIs safe

No API is perfectly safe, and there is no "set it and forget it" system you can implement. Securing your APIs is an ongoing process: as attackers come up with new methods to get at your data, you have to keep learning and improving your security measures. By applying these API security requirements, you'll be ahead of the 95% of companies that report struggling with API security. But remember to stay informed about emerging vulnerabilities.
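As a closing worked example that is not part of the original article, the script below ties together two of the practices above: JWT validation (section 1) and rate limiting (section 4). It uses only the Python standard library. The HS256 signing helpers, the signing key, the token-bucket parameters and the handle_request function are all constructed for this example; they are not ReadMe's code or any vendor's API.

```python
"""Added example: pinned-algorithm JWT verification plus a per-subject token bucket."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only; in production load it from a KMS or HSM.
SIGNING_KEY = b"example-hmac-key-replace-me"
ACCEPTED_ALG = "HS256"  # pinned server-side; the token's own header never gets to choose


class TokenError(Exception):
    """Any reason a token is rejected; the caller maps it to HTTP 401."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: float = None) -> str:
    """Issue a short-lived HS256 JWT for `subject` (what a login endpoint would return)."""
    now = time.time() if now is None else now
    header = {"alg": ACCEPTED_ALG, "typ": "JWT"}
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_token(token: str, now: float = None) -> dict:
    """Verify a JWT: three parts, pinned algorithm, valid HMAC, not expired. Returns the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise TokenError("malformed header")
    # The classic JWT bug is letting the header pick the algorithm ("alg": "none", or an
    # RS256 public key reused as an HS256 secret). We require our algorithm, full stop.
    if header.get("alg") != ACCEPTED_ALG:
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(signature_b64)
    except ValueError:
        raise TokenError("malformed signature")
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired or missing exp")
    return claims


class TokenBucket:
    """Per-client token bucket: up to `capacity` requests in a burst, refilled at `rate`/second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity = capacity
        self.rate = rate
        self._buckets = {}  # client id -> (tokens, last_refill_time)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._buckets.get(client, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._buckets[client] = (tokens, now)
            return False
        self._buckets[client] = (tokens - 1.0, now)
        return True


def handle_request(authorization: str, limiter: TokenBucket, now: float) -> tuple:
    """Minimal endpoint: authenticate the bearer token, then rate-limit by verified subject."""
    if not authorization.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(authorization[len("Bearer "):], now=now)
    except TokenError as err:
        return 401, {"error": str(err)}
    if not limiter.allow(claims["sub"], now):
        return 429, {"error": "rate limit exceeded"}
    return 200, {"hello": claims["sub"]}


if __name__ == "__main__":
    limiter = TokenBucket(capacity=2, rate=0.5)
    token = issue_token("alice", ttl_seconds=300, now=500.0)
    for t in (500.0, 500.0, 500.0, 502.0, 900.0):
        print(t, handle_request("Bearer " + token, limiter, now=t))
```

Two design choices are worth noting. verify_token ignores the algorithm named in the token and compares against the one the server expects, which is what defeats "alg": "none" and key-confusion forgeries; and the limiter keys on the verified subject rather than a client-supplied header. In production, also rate-limit unauthenticated traffic by source address at the gateway, since an attacker can burn CPU on signature checks without ever presenting a valid token.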