There have been quite a few serious security incidents in cloud computing in recent years (see http://www.cloutage.org/ if you really want to get into the weeds). Still, so far we have not experienced a “game changer,” a Hindenburg-like moment after which nothing will ever be the same. That said, we need to stay starkly aware that the openness of the cloud can make enterprise technology more susceptible to external attacks than ever before. And when the game changer comes, it won’t come cheap. InformationWeek estimates that IT downtime costs US businesses over $26 billion a year. This is one of the reasons that specialist companies overseeing security for APIs and cloud-based servers and databases are held in such high regard. Savvy business people know that without protection, it’s only a matter of when – not if – private information will be obtained and abused, resulting in a probable lawsuit that would certainly have merit.
Protection Starts in the Beginning
With the plethora of different interfaces that a successful API will come in contact with, such as a JSON-based service exposed over REST and HTTPS, the opportunities for abuse exist everywhere. It is generally understood that the more user-friendly and easier to access the enterprise technology is, the more susceptible it is to a system breach. This means that from the outset, a programmer must be mindful of sensitive company data and of every available method of accessing it. An API management tool with developer components, such as SOA Software Atmosphere, gives programmers robust access controls that let them authorize access only to chosen parties.
Of course, as a redundant measure, an experienced API programmer can also keep all sensitive data in directory-protected server-side scripts, so that it never reaches the client’s browser, where it could potentially be manipulated. That script must still live somewhere on the company’s server, so while this certainly adds a layer of security, it isn’t completely fool-proof. Password protection should be the standard for any web-based API, even to the point of redirecting requests that arrive on a non-secure port to the SSL port.
Atmosphere Can Mediate Enterprise Technology
For the more sophisticated attacks on an API, Atmosphere can function like the Task Manager application in Windows (only much more powerful), detecting attacks on the system that manifest themselves by trying to claim too great an allocation of system resources. Atmosphere lets the user restrict how much each App can handle, eliminating the possibility of any one App receiving too much traffic, consuming too much of the available resources, and dragging down the whole system. The API developer has total control of resource allocation and can shift resources from one App to another as demand changes. This, combined with multiple other security measures, secures most Application Programming Interfaces quite satisfactorily.
Here are some examples of other multiple redundancies used by developer community software to provide security to enterprise technology, without unduly inhibiting the cross-platform functions that define their usefulness:
- Cryptography, which is simply a digital lock-and-key system requiring proper certificates, which are themselves scrambled for further security.
- Authentication, to make sure that the only Applications capable of using system resources are the ones that can identify themselves.
- Exchange of tokens – this isn’t qualitatively all that different from the methods above; it is simply a strong redundant form of authentication that requires Apps wanting system access to present legitimate keys called tokens.
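As an added illustration of the per-App resource limits described under Atmosphere and of the token-based authentication in the list above, here is a small API gateway in Python (example code written for this page, not SOA Software's Atmosphere or any real product); the App names, tokens and quota figures are constructed sample values. Each App gets its own token bucket, so a flood from one App is refused without touching another App's share, and an operator can shift capacity between Apps at runtime.

```python
import hmac
# Constructed sample data: bearer tokens issued to two Apps (stand-in for a real credential store).
APP_TOKENS = {"tok-billing-7f3a": "billing", "tok-mobile-91c2": "mobile"}

class AppQuota:
    """Token bucket: `rate` requests/second sustained, `capacity` burst."""
    def __init__(self, rate, capacity, now=0.0):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), now
    def allow(self, now):
        # Replenish lazily from the caller-supplied clock, then spend one token.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class Gateway:
    """Authenticate the request's token, then enforce that App's own quota."""
    def __init__(self, quotas):
        self.quotas = quotas  # App id -> AppQuota
    def handle(self, presented, now):
        # Constant-time compare so response timing does not leak token bytes.
        app = next((a for t, a in APP_TOKENS.items()
                    if hmac.compare_digest(t, presented)), None)
        if app is None:
            return "401 unauthenticated"
        if not self.quotas[app].allow(now):
            return "429 quota exceeded for " + app
        return "200 served " + app

    def reallocate(self, app, rate, capacity):
        # Shift capacity between Apps at runtime; clamp to the new burst size.
        q = self.quotas[app]
        q.rate, q.capacity = rate, capacity
        q.tokens = min(q.tokens, float(capacity))

def simulate():
    gw = Gateway({"billing": AppQuota(2, 5), "mobile": AppQuota(2, 5)})
    flood = [gw.handle("tok-mobile-91c2", 0.0) for _ in range(8)]  # burst at t=0
    out = {"mobile_ok": flood.count("200 served mobile"),
           "mobile_refused": flood.count("429 quota exceeded for mobile"),
           "billing": gw.handle("tok-billing-7f3a", 0.0),  # isolated from the flood
           "forged": gw.handle("tok-forged-0000", 0.0)}
    gw.reallocate("mobile", rate=8, capacity=8)  # operator shifts resources to mobile
    later = [gw.handle("tok-mobile-91c2", 1.0) for _ in range(8)]
    out["mobile_after_realloc_ok"] = later.count("200 served mobile")
    return out
```

Running `simulate()` shows the mobile burst of eight being cut off after its five-request allowance while billing is still served, and all eight succeeding once the operator raises mobile's quota.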
Currently, cloud-based enterprise technology is most widely used in business-to-business dealings, where security is perhaps easiest to manage. As this trend spills further into the public arena, the threats faced by APIs will become more pronounced, as they would for anything with a wider pool of access. The multiple levels of security, and the constant improvements made to them by programs such as Atmosphere, make the inevitable transition to the public sphere that much more promising.