API Security: CPaaS Data Breaches and Endpoint Security
…updated WAF is very important for web-facing APIs because your ability to patch the CPaaS may not be under your control, but under the control of the provider. A WAF is great insurance for when you cannot manage the patching.”
API Security and Endpoint Security
When MSSPs protect customer endpoints against API security exploits and possible CPaaS data breaches, each communication scenario carries different risks that need to be addressed, according to Dmitry Sotnikov, vice president of cloud platforms at 42Crunch, an API security platform vendor. These scenarios include:
- CPaaS invoking your endpoint
- Your application invoking the CPaaS API
- Your application using CPaaS code (e.g., SDK, iframe)
CPaaS invoking your endpoint: According to Sotnikov, make sure that only the expected CPaaS servers can invoke your endpoint: allowlist the provider's published source IP ranges, require mutual TLS and authentication, and enforce HTTPS with TLS 1.3. In addition, check the integrity of each call by verifying the provider's signature or JSON Web Token (JWT) and validating the payload and parameter formats. Also set rate limits and use monitoring, log management, and analytics solutions to analyze usage and detect suspicious events.
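The following webhook receiver is an added example, not code from the article or from 42Crunch, that applies the checks listed above in order: source-address allowlist, per-source rate limit, signature verification, then strict schema validation of the payload. The provider egress ranges, the shared secret, the `X-Signature` header name and the HMAC-SHA256-over-body signing scheme are all assumptions constructed for the example; real providers differ in algorithm and in what exactly they sign, so consult the vendor's webhook documentation before adapting it.

```python
import hashlib
import hmac
import ipaddress
import json
import re
import time

# Constructed sample values: the egress ranges a hypothetical CPaaS provider
# publishes for its webhook senders, and the shared secret it issued to us.
PROVIDER_EGRESS = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("2001:db8:1::/48")]
WEBHOOK_SECRET = b"example-shared-secret-replace-me"

# Assumption: the provider signs the raw request body with HMAC-SHA256 and
# sends the hex digest in an "X-Signature" header (hypothetical header name).
SIGNATURE_HEADER = "X-Signature"


def source_allowed(remote_addr: str) -> bool:
    """Allowlist check: only the provider's published ranges may call us."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in PROVIDER_EGRESS)


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """The provider-side computation; used here only to build sample requests."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(body: bytes, header_value: str) -> bool:
    """Recompute the MAC over the exact bytes received; compare in constant time."""
    return hmac.compare_digest(sign(body), header_value or "")


# Expected event shape: field -> validator. Unknown or missing fields are
# rejected, so unexpected parameters never reach business logic.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
SCHEMA = {
    "event": lambda v: isinstance(v, str) and v in {"message.received", "call.completed"},
    "from": lambda v: isinstance(v, str) and E164.match(v) is not None,
    "message_id": lambda v: isinstance(v, str) and 1 <= len(v) <= 64,
}


def payload_valid(body: bytes):
    """Return the parsed event if it matches SCHEMA exactly, else None."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        return None
    if not all(check(data[key]) for key, check in SCHEMA.items()):
        return None
    return data


class RateLimiter:
    """Token bucket per source address: `rate` tokens/second, `burst` capacity."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1, now)
        return True


def handle_webhook(remote_addr, headers, body, limiter, now=None):
    """Run the checks in order; every rejection has a distinct, loggable reason."""
    now = time.time() if now is None else now
    if not source_allowed(remote_addr):
        return 403, "source address not in provider allowlist"
    if not limiter.allow(remote_addr, now):
        return 429, "rate limit exceeded"
    if not signature_valid(body, headers.get(SIGNATURE_HEADER, "")):
        return 401, "bad signature"
    data = payload_valid(body)
    if data is None:
        return 400, "payload failed schema check"
    return 200, f"accepted {data['event']} {data['message_id']}"


# Constructed sample request, as the provider would send it.
SAMPLE_BODY = b'{"event": "message.received", "from": "+15551234567", "message_id": "SM1"}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign(SAMPLE_BODY)}

if __name__ == "__main__":
    limiter = RateLimiter(rate=5, burst=10)
    print(handle_webhook("203.0.113.7", SAMPLE_HEADERS, SAMPLE_BODY, limiter))
    print(handle_webhook("198.51.100.1", SAMPLE_HEADERS, SAMPLE_BODY, limiter))
    print(handle_webhook("203.0.113.7", SAMPLE_HEADERS, SAMPLE_BODY.replace(b"SM1", b"SM2"), limiter))
```

Two points a practitioner should carry over: `remote_addr` must be the real peer address (or the address set by a proxy you control), never a client-supplied `X-Forwarded-For`, or the allowlist is trivially bypassed; and the signature is verified over the raw body bytes before any parsing, because re-serialising JSON changes whitespace and key order and will not match what the provider signed. The distinct reasons returned for each rejection are what the monitoring and analytics tooling mentioned above should be fed.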
Application invoking the CPaaS API: How and where you store the API keys matters a great deal. These keys are effectively your passwords, so you should reduce their exposure as much as you can, in Sotnikov's view.
“Don’t put them in your source code repository or log files, use the protected vaults of the infrastructure that runs your apps, and if the vendor gives you a choice to pick the authentication scheme, go for OAuth/OpenID Connect and user-specific keys,” said Sotnikov.
In addition, he counsels that MSSPs should minimize the amount of sensitive data they hand to CPaaS solutions and assume that it can be breached at some point. Therefore, purge historical data as soon as possible and otherwise store the bare minimum of end-user personal information.
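The snippet below is an added example, not code from the article or from any CPaaS vendor's SDK, showing the two habits Sotnikov describes: the key is read from the process environment (where a platform vault injects it) and the process refuses to start without it, and a logging filter rewrites every record so the key can never land in a log file even when a developer logs a whole request. A small retention helper covers the "purge historical data" point. The environment variable name `CPAAS_API_KEY`, the sample key and the sample records are constructed for the example.

```python
import io
import logging


def load_api_key(env, name="CPAAS_API_KEY"):
    """Read the credential from the process environment, where the platform's
    secret store injects it at run time, never from source or a file in the repo.
    Fail closed on a missing or placeholder value so a misconfigured deployment
    cannot silently run with an empty key."""
    value = (env.get(name) or "").strip()
    if len(value) < 16:
        raise RuntimeError(f"{name} is missing or is not a real credential")
    return value


def mask(secret):
    """Keep the last four characters so a log line is still diagnosable."""
    return "****" + secret[-4:]


def redact(text, secrets):
    """Replace every literal occurrence of each secret in a log message."""
    for secret in sorted(secrets, key=len, reverse=True):
        if secret:
            text = text.replace(secret, mask(secret))
    return text


class SecretRedactingFilter(logging.Filter):
    """Attach to a handler so no record reaches a sink with the key in it."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        # Format first (msg % args), then redact the result, then clear args
        # so the formatter does not re-apply the original arguments.
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = ()
        return True


def logged_line(secrets, message, *args):
    """Log one message through a redacting handler and return what the sink saw."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter(secrets))
    logger = logging.getLogger("cpaas.client.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return sink.getvalue().rstrip("\n")


def purge_expired(records, now, retention_seconds):
    """Data minimisation: drop end-user records older than the retention window."""
    return [r for r in records if now - r["created_at"] <= retention_seconds]


if __name__ == "__main__":
    # Constructed sample environment; in production the platform sets this.
    key = load_api_key({"CPAAS_API_KEY": "sk_live_0123456789abcdef"})
    print(logged_line([key], "POST /messages auth=%s status=%d", key, 201))
    print(purge_expired([{"id": 1, "created_at": 0}, {"id": 2, "created_at": 900}],
                        now=1000, retention_seconds=500))
```

The filter catches the literal key only; a key that has been base64- or URL-encoded into an `Authorization` header value will slip past it, so pass every encoded form you use to the filter as well, and keep redaction as a backstop rather than a reason to log request headers in the first place.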
Application using CPaaS code: In the API security scenario where the application uses CPaaS code, Sotnikov advises analyzing the extra risks that come with running someone else's code as part of your app. For example, make sure that only code from expected sources can get into your application (a pinned SDK version, an iframe served from the provider's own origin), and run it with the minimum account permissions necessary. In addition:
- Always stay fully patched
- Use solutions that notify you of third-party vulnerabilities
- Use monitoring, log management, and analytics solutions to analyze usage and detect suspicious events
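To make "only code from expected sources" concrete for the SDK and iframe cases in the list above, here is an added example, not code from the article or from any provider, that pins a browser-loaded SDK with Subresource Integrity (SRI), verifies a fetched or vendored copy against that pin, and builds a Content-Security-Policy header that limits where scripts, iframes and API calls may come from. The SDK bytes and the `cdn.example.com`, `embed.example.com` and `api.example.com` hosts are constructed placeholders.

```python
import base64
import hashlib
import hmac
import html

# Browsers accept exactly these digest algorithms in an integrity attribute.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script, as the browser computes it."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def matches_pin(content: bytes, pinned: str) -> bool:
    """Verify a downloaded or vendored copy of the SDK against the pinned value."""
    algo, _, _ = pinned.partition("-")
    if algo not in ALLOWED_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), pinned)


def script_tag(src: str, pinned: str) -> str:
    """Emit the tag so the browser refuses the script if the CDN copy changes."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{html.escape(pinned, quote=True)}" '
            f'crossorigin="anonymous"></script>')


def csp_header(script_hosts, frame_hosts, connect_hosts) -> str:
    """Content-Security-Policy limiting where scripts, iframes and API calls may load from.
    SRI does not apply to iframes, so frame-src is the control for an embedded provider UI."""
    directives = [
        "default-src 'self'",
        " ".join(["script-src", "'self'", *script_hosts]),
        " ".join(["connect-src", "'self'", *connect_hosts]),
        "frame-src " + (" ".join(frame_hosts) if frame_hosts else "'none'"),
        "object-src 'none'",
        "base-uri 'self'",
    ]
    return "; ".join(directives)


# Constructed stand-in for the provider's SDK bundle (not a real SDK).
SAMPLE_SDK = b"window.CpaasSdk = { init: function (opts) { /* ... */ } };"
PINNED = sri_hash(SAMPLE_SDK)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/sdk/1.2.3/sdk.js", PINNED))
    print(csp_header(["https://cdn.example.com"],
                     ["https://embed.example.com"],
                     ["https://api.example.com"]))
    print("tampered copy accepted:", matches_pin(SAMPLE_SDK + b"\n", PINNED))
```

A pinned hash only works against a versioned, immutable URL; pointing `integrity` at a "latest" bundle breaks the page the day the provider ships an update. That is the trade-off behind the two list items above: the pin stops a modified bundle from loading, and a third-party vulnerability notifier is what tells you when it is time to bump the version and recompute the pin.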
API Security and Voice and Video Communications
While CPaaS APIs have given developers tools to integrate real-time communications, such as voice and video, into their apps without building the interfaces and backend infrastructure themselves, this comes at the cost of decision-making power over API security, according to voice and video communications experts. In this scenario, businesses do not have full control over the development process or the endpoint security of the CPaaS solution. So they can only hope that there are no CPaaS data breach vulnerabilities in the APIs provided by the CPaaS…