API Security: CPaaS Data Breaches and Endpoint Security
With the rise of API integration platforms like MuleSoft and communications platform-as-a-service (CPaaS) APIs such as Twilio, API security has become a general concern for cloud startups. In addition, because many traditional enterprises are now migrating from on-premises communications to cloud platforms, API security for them has come into sharp relief due to ransomware, phishing, e-commerce, and other endpoint security bêtes noires.
CPaaS and APIs offer benefits including improved productivity and third-party app integrations, but they also come with endpoint security risks. Before migrating, customers and their MSSP partners need to consider the risks of CPaaS APIs and come up with a plan to protect endpoints from any potential security risks. MSSPs can play a vital role in managing the CPaaS API endpoint security risk for their customers, but first they must answer critical questions about how to:
- Understand how CPaaS APIs work and what API security, internet, and mobile endpoint risks they create
- Protect customer endpoints from API security exploits and CPaaS data breaches
- Implement well-understood endpoint best practices to prevent API security breaches
- Keep voice and video communications safe when API security is a shared responsibility
API Security and Internet and Mobile Endpoints
Developers of wireless internet and mobile apps often want communications capabilities that are native to their applications. Prior to CPaaS, these app developers would either have to build their own communications stack, replicating fairly complex software, or redirect a user to a third-party business phone app such as Skype or WhatsApp, according to security experts. They also state that CPaaS allows native integration of communications capability through simple API interactions, so that developers can deploy capabilities quickly and customize them to their needs without sending customers to other applications.
“But the APIs are only as secure as the CPaaS platform makes them,” said Andrew Howard, CEO of Kudelski Security, a global security firm. “Typically, a developer would write code to interact with the CPaaS API based on specifications written by the CPaaS platform. It is critical that those specifications follow API security best practices, such as requiring authentication, and that the API implementation actually matches the specification. Developers should demand API security best practices in the CPaaS API, carefully inspect API specifications and implementations for flaws and demand regular security audits of the API by reputable third parties.”
Focusing on strong authentication and authorization (Authn/Authz), transport layer security (TLS), and a good content delivery network (CDN) that provides web application firewall (WAF) services are the key best practices for keeping cloud API and CPaaS implementations secure, according to other security experts.
“A strong Authn-Authz authentication model with excellent password strength and multifactor authentication is a must for this environment,” said Phil Richards, CISO, Ivanti, a provider of unified IT solutions. “Additionally, a strong authorization model with multiple roles is critical to granting access based on need and to keep a narrow scope. And using TLS 1.2 with CA-signed certificates is critical for web-facing interfaces, keeping traffic encrypted and guarding against man-in-the-middle attacks. But having an…
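The best practices above (authentication required on every endpoint, a role model that grants only the scope a caller needs, and TLS 1.2 or better with CA-verified certificates) are easier to reason about in code. The following is an added example, not code from the article, Kudelski Security, Ivanti, Twilio, or MuleSoft: a minimal request-authorization check of the kind an API gateway in front of a CPaaS-style API would perform, plus a client TLS context hardened to that baseline. The endpoint paths, roles, scopes, and API keys are constructed for the example.

```python
"""
Added example: authn + narrow-scope authz decision for a CPaaS-style API,
and a client TLS context that refuses anything below TLS 1.2 or an
unverified certificate. All endpoints, roles, scopes and keys are constructed.
"""
import hashlib
import hmac
import ssl

# --- Authentication: API keys stored as salted hashes, compared in constant time ---
# Constructed sample key store: key_id -> (salt, sha256(salt + secret), role)
_KEY_STORE = {}


def register_key(key_id, secret, role):
    # Deterministic per-key salt keeps the example reproducible; a real store
    # would use a random salt and a slow KDF.
    salt = hashlib.sha256(key_id.encode()).digest()[:16]
    digest = hashlib.sha256(salt + secret.encode()).hexdigest()
    _KEY_STORE[key_id] = (salt, digest, role)


def authenticate(key_id, secret):
    """Return the caller's role if the credential is valid, otherwise None."""
    entry = _KEY_STORE.get(key_id)
    if entry is None:
        return None
    salt, stored, role = entry
    presented = hashlib.sha256(salt + secret.encode()).hexdigest()
    # Constant-time compare so a mismatch does not leak how much of the digest matched.
    return role if hmac.compare_digest(presented, stored) else None


# --- Authorization: every endpoint requires exactly one narrow scope; roles map to scopes ---
REQUIRED_SCOPE = {
    ("POST", "/v1/messages"): "messages:send",
    ("GET", "/v1/messages"): "messages:read",
    ("POST", "/v1/calls"): "calls:create",
    ("DELETE", "/v1/numbers"): "numbers:admin",
}
ROLE_SCOPES = {
    "notifier": {"messages:send"},
    "support": {"messages:read", "calls:create"},
    "admin": {"messages:send", "messages:read", "calls:create", "numbers:admin"},
}


def authorize(method, path, key_id, secret):
    """Decide a request the way a gateway would; returns (http_status, reason)."""
    role = authenticate(key_id, secret)
    if role is None:
        return 401, "authentication required"
    scope = REQUIRED_SCOPE.get((method, path))
    if scope is None:
        # Default deny: a route that is not in the specification is not exposed.
        return 404, "unknown endpoint"
    if scope not in ROLE_SCOPES.get(role, set()):
        return 403, f"role {role!r} lacks scope {scope!r}"
    return 200, "ok"


# --- Transport: client context that enforces TLS 1.2+ and CA-signed, hostname-matched certs ---
def hardened_tls_context():
    ctx = ssl.create_default_context()            # loads the system CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 and SSLv3
    ctx.check_hostname = True                     # certificate must match the API host
    ctx.verify_mode = ssl.CERT_REQUIRED           # reject self-signed or unknown-CA certs
    return ctx


# Constructed sample credentials
register_key("ak_notifier", "s3cret-notifier", "notifier")
register_key("ak_admin", "s3cret-admin", "admin")

if __name__ == "__main__":
    for req in [
        ("POST", "/v1/messages", "ak_notifier", "s3cret-notifier"),   # 200
        ("DELETE", "/v1/numbers", "ak_notifier", "s3cret-notifier"),  # 403, scope too narrow
        ("DELETE", "/v1/numbers", "ak_admin", "wrong"),               # 401, bad secret
        ("DELETE", "/v1/numbers", "ak_admin", "s3cret-admin"),        # 200
    ]:
        print(req[:2], authorize(*req))
    ctx = hardened_tls_context()
    print("min TLS:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
```

The ordering of the checks mirrors the quoted advice: the request is rejected before any route logic runs if it is unauthenticated, and a valid key still gets only the scope its role carries, so a compromised notification key cannot reach number-management endpoints. The TLS context would be passed to the HTTP client used to call the CPaaS API so that a downgraded or impersonated endpoint fails the handshake rather than the application.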