In 2018, there were 6,500 data breaches reported, exposing billions of records for potential misuse. In today’s digitally connected world, security is almost always top-of-mind for businesses to keep their records are safe and secure. It’s critical for organizations to implement API security best practices to keep their integrations and the data that travels between systems under tight lock and key.
Many businesses and technology providers keep their data and APIs secure through identity and access management. This is the process of making sure that only authorized users have access to certain sets of data, systems, APIs, etc.
Message integrity is just as important as access management. Message integrity is when a message is confirmed to have been sent from a “known” app and that it was not breached while in transit to the API. This guarantees that the private details of a message were not seen.
1. Multi-factor authentication.
One type of access management is multi-factor authentication. Multi-factor authentication is when an app requests a single-use token from the user after it’s already authenticated the user’s credentials. This method recognizes the weakness of username and password credentials alone.
Some ways apps can do this by texting users via an SMS message or having users create digital keys that the app can validate. Only once the app validates the user in two or more ways is the user able to access it.
Another method of securing application and data access is via token-based credentials. The first time a user accesses an Identity Provider with their username/password credentials, a token is issued. From there, rather than having users share their credentials over the network — which can present a security risk — the app only needs to send the token.
Most tokens are issued with an expiration period and can be revoked. Because tokens are uniquely issued to each app, all apps can be accessed individually even if a certain app’s token is revoked or expired.
3. Digital signatures.
One way to ensure message integrity is with digital signatures. You put your signature on everything — whether it be civil, legal, or personal — signatures are used to record the authenticity of a transaction. This concept has gone digital as well.
In this case, an app creates a signature using an algorithm and a secret code. The API applies the same algorithm with a new secret code to produce its own signature, and compares it to the incoming signature. Upon receiving a match, the API will authenticate that the message was sent by a known app, and that it’s maintained its integrity while in transit. This is because only a known app would have produced the same signature and maintained that signature — unlike if it had been tampered with by a third-party.
4. Public-key cryptography.
Another age-old method of ensuring message integrity is cryptography. Public-key cryptography is the method of producing an encryption of a message that’s nearly impossible to decode without a corresponding key.
Cryptography comes in two forms: symmetric and asymmetric. Symmetric is when both the client and the server share the same key to encrypt and decrypt the message. Asymmetric is when the server issues a public key to the client, allowing it to encrypt the message, but keeps a private key that can decrypt the message. Essentially using one key to lock the message and another key to unlock it.
5. Digital certificates.
A digital certificate is a way to facilitate secure transport-level communication between a client and a server over a network so that the server can authenticate itself to the client. This happens because the certificate binds information about the server with information about the business, which owns the server. The certificate is digitally signed by a certificate authority that the client trusts.
For more API security best practices, download our whitepaper.