Enhancing API Security: Dynamic Authorization to Protect Sensitive Data
(September 11, 2017) Axiomatics’ Gerry Gebel featured in CSO Online
API Gateways effectively manage the authentication of the user and provide service orchestration capabilities, but if sensitive data is involved, additional fine-grained authorization capabilities are required.
Digital transformation continues to be a priority as organizations realize the potential business benefits of becoming a digital organization. The internal efficiencies gained often mean improving the speed to market for new products, and a deeper level of customer engagement and satisfaction. However, this kind of transformation also means a change in the complexity of the IT ecosystem. The demands on day-to-day IT operations can be a major challenge as often this means managing both cloud native and existing, on-premises IT infrastructure.
Applications Program Interfaces (APIs) and microservices are the latest approach to breaking down large monolithic applications and merging legacy systems with new IT platforms. They have revolutionized the way we exchange data and have become the preferred method for exposing data to external parties. With a microservices architecture, the functions of an application are built as discrete components that communicate with each other via APIs. This approach lends itself to a faster, almost continuous development and deployment cycle.
APIs that handle sensitive data pose security and data access control threats, require advanced security solutions. An important component in API security is the management and enforcement of the authentication and authorization permissions of users. API Gateways effectively manage the authentication of the user and provide service orchestration capabilities. But if business critical data, personal identifiable information (PII) or any other sensitive data is involved, additional fine-grained authorization capabilities are required.
Combining an API Gateway with a policy-based contextual approach can help. This scalable, forward-thinking way of managing access can help enterprises address business challenges by dynamically controlling access rights across an entire enterprise. This enables enterprises to manage the actions individuals or services can carry out on information assets such as documents, transactions and records.
Dynamic authorization is sometimes also known as Attribute Based Access Control (ABAC). It’s being used by many enterprises and continues to gain momentum as the industry standard for access control. In case anyone is unfamiliar with dynamic authorization or ABAC, I’ll define it so everyone is on the same page.
Dynamic Authorization (or ABAC)
Dynamic authorization, also called ABAC and pronounced [aye-back], uses a policy based-approach to govern who can access certain information under what conditions; using attributes to build policies that help define precise scenarios under which access should be granted. Dynamic authorization uses a standards-based and rich policy language to capture policies and rules.
It enables explicit policies allowing for many discrete inputs into an access control decision, providing an extensive set of possible combinations of those variables to reflect a broad set of possible rules, policies or restrictions on access. This is all done in real time to provide the level of service required by users in today’s digital society. A dynamic authorization foundation is critical for securing sensitive data transferred via APIs.
Securing APIs at the gateway layer
Dynamic Authorization ensures only the right users get access to the right information under the right conditions. With the use of dynamic authorization that is driven by policies, user permissions can be aligned with rules, regulations and corporate policies, thus protecting sensitive information and enhancing API security.
A great example is in the management of PII and health records. Let’s say, a health insurance customer wishes to change their insurance policy online, additional authorization checks must be made that cannot be managed by the API Gateway. For example, have all bills been paid or have due dates been exceeded? If the user is a parent, can the plans of a child be accessed? If the user is an HR representative of a corporate client, does the contract allow changes to be made for a given company employee? A dynamic authorization solution will check business policies to identify which factors need to be considered. It will then return a “permit” or “deny” to the request after all these factors have been considered – a seamless experience to the user.
With a rich authorization language and a dynamic authorization solution that can derive the right context in every access request, organizations will minimize the need for the API developer to design, implement and maintain authorization policies. In addition, a dynamic authorization solution can allow for consolidation of APIs; one single API could potentially serve multiple user communities, limiting the need to develop specific APIs for each user type.
This type of fine-grained access control adds the extra layer of security that is required to support new, API-driven, business opportunities, while meeting compliance regulations. Any organization using APIs to exchange sensitive data should implement a dynamic authorization solution before they get left behind.
This article is published as part of the IDG Contributor Network.