The key to these advances is the Application Programming Interface (API). In a nutshell, APIs are the rules that determine how applications interface with cloud-side service offerings to enable enterprises to reach far beyond their own web properties to distribute data, content or services that have relevance to their business operations. Effectively these APIs are the interface to the business services and access to APIs is controlled by API keys. API keys are codes generated to control and manage access to these services and most organizations use some form of API keys to access their cloud services.
Much lip service is paid to protecting information in the Cloud, but the reality is often a seat-of-the-pants policy approach to Cloud security. As noted, the API keys control access to business sensitive information – or the riches of your cloud assets- in the Cloud (e.g. email, sales leads, or shared documents) and pay-as-you-use Cloud services. As such, if an organization condones the casual management of API keys they are at risk of:
1) unauthorized individuals using the keys to access confidential information and
2) the possibility of huge credit card bills for unapproved access to pay-as-you-use Cloud services.
In effect, easily accessed API keys means potentially anyone could use them to run up bills, this is akin to having access to someone's credit card and making unauthorized purchases. Yet despite this, API keys are often emailed around an organization without due regard to their sensitivity, or stored on file servers accessed by many people.
In summary, as organizations increasingly access Cloud services,readers need to ask themselves if they have implemented a corporate-wide policy for the protection of API Keys, just as they have passwords and private keys. The secure storage of API keys demands that operations staff can apply a policy to their key usage. It also means that regulatory criteria related to privacy and protections of critical communications are met. It is clear the casual use and sharing of API keys is an accident waiting to happen. As such, regardless of how an organization chooses to manage API keys, either using a home grown approach or off-the shelf product, the critical goal is to safeguard the access and usage of these keys.
For further reading on API Keys please reference the following article on the Cloud Security Alliance blog:
“Extend the enterprise into the cloud with single sign- on to cloud based services.”
Hugh Carroll is VP of Marketing at Vordel, a provider of Cloud Gateways to protect, connect and accelerate enterprise to Cloud connections.
Get HelpContact Us
Follow Us on: