At Guardtime, we have some of the world’s top PKI vulnerability experts who have repeatedly shown how easy it is to compromise certificate based security solutions. It is almost impossible to address and mitigate fundamental flaws in the trust anchors and distribution mechanisms with PKI-based architectures. Your network will be compromised and you will not know about it until it is too late and the API initiated breach makes the headlines.

There is an answer – real-time integrity instrumentation of your network via attributed networks allows you to assume your network has been compromised and mitigate attacks in real-time. But first more on the problem.

For years, security professionals have focused on security models and reporting systems that rely on log files and audits generated by the myriad of security sensors, appliances, and connectors. These systems largely ignore operational sources of data and their associated dependencies, as well as associated API service layers that enable those sources to interact between mobile, enterprise, web, and cloud applications.

The new security challenges of APIs and operational data stores are being addressed by the industry by using API authentication technologies. According to a recent report, Forrester predicts that in 2014, “mobile and cloud adoption will continue to drive identity and access management (IAM) toward application programming interface (API) management.”

The API industry is moving in the wrong direction to address the (in)security of APIs given the velocity and dynamic nature of their delivery and instantiation from/to API service vendors. IAM solutions (like those from CA, APIGEE, and others) are focusing on extremely complicated (and costly) cryptographic key management and identity management solutions that do not work at scale, and instead rely on traditional PKI trust anchors, which have been proven time and time again to be vulnerable. Consider the consequences of API service layer exposure for transaction-based services:

In 2013 alone, account details, files, credentials, and/or billing information belonging to over 100 million sharing, social networking and online shopping cloud service users were illegally accessed via data breaches and [API] service layer exploitation.

- Report: FCC TAC Communications Infrastructure Working Group.

These are old ideas with the same mantra, ‘trust us with the secrets and distribution of those secrets for API authentication’.

Why is the security industry pushing PKI for APIs? It’s good business for them and those managing the credentials and Certificate Authorities. Their ROI is significant. However, this is in fact a poor practice for those wanting to secure the API service layer. 

Consider the following analysis by the Cloud Security Alliance on the new ‘API economy’.

“However, with the recent shift to an API economy for these platforms, the integrity of the APIs that are produced and consumed is now more important than ever. Security and availability of cloud resources is dependent upon the security of these basic APIs and their related ‘access, authentication, encryption, and activities’. In short, these APIs must be designed to protect against ‘accidental and malicious attempts to circumvent policy’.”

- The Notorious Nine: Cloud Computing Top Threats, Cloud Security Alliance

Back to the solution. Guardtime’s Keyless Signature Infrastructure (KSI) can be used to sign and authenticate API packages with proof of time, authenticity and identity. We consider this part of our overall Attributed Networks Solutions or ANS. 

Our solution doesn’t rely on cryptographic secrets, and API packages can be independently verified in real time without relying on the service provider or using a complicated PKI Certificate Authority and Revocation architecture. KSI proof can be provided back to the hosting service, developer, or subscriber in real time, with continuous monitoring of those APIs and associated dependencies to ensure that the integrity of even outsourced API service layers can be verified independent of the service provider.
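To make the “no secrets, independently verifiable” property concrete, here is an added illustration (not Guardtime’s KSI code, and a deliberate simplification of any hash-tree signature scheme): API package hashes are aggregated into a hash tree, the root is assumed to be published somewhere the verifier already trusts, and each package carries only the hash chain from its leaf to that root. Anyone holding the package, the chain and the published root can check integrity with nothing but a hash function; the package names are constructed sample data.

```python
import hashlib
from typing import List, Tuple

# Leaf and node hashes use distinct domain-separation prefixes so a leaf
# can never be confused with an interior node (second-preimage hardening).
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(artifact: bytes) -> bytes:
    return _h(b"\x00" + artifact)

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all levels of the hash tree, leaves first, root last.
    An odd level is padded by duplicating its last node."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([_h(b"\x01" + cur[i] + cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

def hash_chain(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, bool]]:
    """Hash chain for leaf `index`: (sibling_hash, sibling_is_on_the_right)."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify(artifact: bytes, proof: List[Tuple[bytes, bool]], published_root: bytes) -> bool:
    """Recompute the root from the artifact and its chain; no key material needed."""
    node = leaf_hash(artifact)
    for sibling, sibling_is_right in proof:
        node = _h(b"\x01" + node + sibling) if sibling_is_right else _h(b"\x01" + sibling + node)
    return node == published_root

# Constructed sample: three API package blobs aggregated in one round.
PACKAGES = [b"orders-api-v1.2.0.tgz", b"payments-api-v3.0.1.tgz", b"users-api-v2.4.7.tgz"]
LEVELS = build_tree([leaf_hash(p) for p in PACKAGES])
PUBLISHED_ROOT = LEVELS[-1][0]   # stands in for the publicly published value

def check_package(i: int, artifact: bytes) -> bool:
    return verify(artifact, hash_chain(LEVELS, i), PUBLISHED_ROOT)
```

A modified package fails verification even though the attacker, or an administrator, holds every input the verifier holds, because there is no secret whose theft would let them forge a chain to the published root.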

Why is this important? Administrators and attackers are prevented from covering their tracks if they attempt to modify an API. Shawn Henry, FBI veteran of 24 years and now President of CrowdStrike Services, had this to say about integrity: “These days, you can’t just protect the information from being viewed, you also need to protect it from being changed or modified.” This leads to the question: Would you know if an attacker or your own system administrator got to your data?

Our API integrity and verification solutions offer the following benefits:

  • Portability of evidence. Guardtime signing of APIs and associated dependencies can be validated independent of trusting traditional PKI certificate trust anchors like PKI Certificate and Verification Authorities.
  • Massive scale API and dependency authentication with the benefits of real-time verification to support real-time incident response, sandboxing, and protection of consumer records.
  • Forensic auditability. Complete chain of custody information is available via KSI evidence and our GuardVision API reporting solutions. GuardVision collects API service integrity evidence and associated dependency transformations. Tag, track, and locate who is responsible for what changes in the API service layer: when, where, and by whom.
  • Report generation, security correlation, and visualization. Integrate and transform KSI intelligence into your SIEM/SEM environment, or use our advanced data mining capabilities to report and respond. Inspect, verify, schedule, and respond to API service compromises.

Data is the new perimeter

Many experts have come to the conclusion that all networks will eventually be compromised; indeed at Guardtime we ASSUME a network has been or will be compromised and that there will always be code flaws and implementation specific vulnerabilities. So then, the focus of security should be on the data, not the perimeter. Therefore, what is required is an API data-centric focus on security.

Donald Rumsfeld famously distinguished ‘known unknowns’ from ‘unknown unknowns’. KSI allows you to convert one unknown, ‘Is my security working?’, into a known: ‘I have proof that my applications and data have not been compromised, and that proof is independent from the people operating those systems.’