The 12/13 Virtualization Security Podcast featured George Reese, CTO on enStratus, as our guest panelist. We discussed Cloud API security or more to the point the lack of real cloud API security. To paraphrase George: Some got it, others do not. So what makes up a good cloud API? how can we fix broken cloud APIs?
There is a massive proliferation of APIs developed to ‘get the job done’ within the would of cloud computing and virtualization. However, when you start to discuss security of those APIs you run into shrugged shoulders or the developers say to run within an SSL tunnel. However, this SSL tunnel should be end to end and it is usually just a segment of a VPN perhaps. In either case, we have a nightmare brewing with respect to Cloud based APIs. Here are some questions that came up and offer interesting insight into this growing problem. APIs are the attack points into the cloud.
So what makes a good API?
- One that can authenticate over a non-encrypted tunnel without passing clear text usernames and passwords: Use of API Keys work quite well
- One that self-encrypts all the important bits or a request such as commands to run
Why not just use SSL?
- SSL requires good certificate hygiene, we have been trained to just Ignore malformed requests
- There are at least 5 attacks against SSL propagated by improper use and configuration of SSL
- People program to the lowest common denominator (the web browser) instead of practicing good SSL hygiene
- The SSL Tunnel may not stretch from the program through to the application server. It needs to be end to end not just a segment of the pipe
So who does it well?
- Amazon does as do a few others, but they have had years to perfect the method, it did not start secure
- Also check out Dasein-Cloud API
So who does it poorly?
- No real answer, but most APIs are horribly in secure. Pick your favorite Cloud and there is most likely a weakness there.
The real issue here is that creating an API is not a simple task, they need to be architected with security, compliance, and usability built-in from the beginning. Attempting to bolt-on security to a Cloud API will cause not only issues with the API, but create an issue with auditing and possibly compliance regulation. We discussed how Cloud APIs could be in future PCI Compliance.
The real question becomes how can you audit the API to ensure that it provides adequate security?