Insecure interfaces and APIs in cloud computing

Insecure Interfaces and APIs

APIs within cloud environments are used to offer end customers software interfaces for interacting with their provisioned services.

There is a multitude of APIs available within a cloud environment; provisioning new hardware and monitoring the cloud services are just two examples.

According to the API management company Mashery, there are three categories of cloud APIs [26]; these are:

Control APIs

APIs that allow the end customer to configure their cloud-provisioned service.

Amazon EC2 provides a multitude of APIs that allow customers to configure their services, as defined within the Amazon Elastic Compute Cloud: API Reference.

Examples include allocating internet protocol (IP) addresses, creating or editing access control lists, and monitoring specific instances.

Application functionality APIs

Although the earlier APIs provide the ability to transfer data between alternative providers, or indeed to manage the overall solution, the application functionality APIs can provide considerably more functionality for the end customer to interact with, ranging from the simple availability of shopping baskets to integration with social networking solutions, and considerably more in between.

Indeed, these security considerations are not limited to malicious activity: an administrator may inadvertently invoke an action that has significant repercussions.

Consider the command available to EC2 customers, ec2-terminate-instances.

As you can likely guess, this command terminates an EC2 instance; this implies that the data stored within the instance is also deleted.

To reduce the risk of such an action being carried out inadvertently, a safeguard against accidental deletion is available through the AWS console, command-line interface, or API.

This safeguard is termination protection, set via the DisableApiTermination attribute, which controls whether an instance can be terminated using the console, command-line interface, or API.
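The following added example (not code from the original text, and not AWS's own code) shows how the DisableApiTermination safeguard behaves around a terminate call. It uses an in-memory stand-in for the boto3 EC2 client, so it runs offline; the call names and response shapes (modify_instance_attribute, describe_instance_attribute, terminate_instances) mirror boto3's, while the FakeEC2 class, the instance ids and the OperationNotPermitted exception are constructed for the example. The AWS CLI equivalents are noted in comments.

```python
"""
Termination protection around an EC2 terminate call, with a pre-flight check.
FakeEC2 is a constructed stand-in for boto3's EC2 client (assumption: it
reproduces the real call names and response shapes, not the real service).
"""
from dataclasses import dataclass, field


class OperationNotPermitted(Exception):
    """Stand-in for the ClientError AWS raises when termination protection is on."""


@dataclass
class FakeEC2:
    """In-memory model of the two attribute calls and terminate (constructed)."""
    protected: dict = field(default_factory=dict)   # instance id -> protection flag
    running: set = field(default_factory=set)       # instance ids still alive

    # CLI: aws ec2 modify-instance-attribute --instance-id <id> --disable-api-termination
    def modify_instance_attribute(self, InstanceId, DisableApiTermination):
        self.protected[InstanceId] = bool(DisableApiTermination["Value"])
        return {}

    # CLI: aws ec2 describe-instance-attribute --instance-id <id> --attribute disableApiTermination
    def describe_instance_attribute(self, InstanceId, Attribute):
        if Attribute != "disableApiTermination":
            raise ValueError("only disableApiTermination is modelled here")
        return {"InstanceId": InstanceId,
                "DisableApiTermination": {"Value": self.protected.get(InstanceId, False)}}

    # CLI: aws ec2 terminate-instances --instance-ids <id>
    def terminate_instances(self, InstanceIds):
        # The real service refuses the whole call when any listed instance is protected.
        for iid in InstanceIds:
            if self.protected.get(iid, False):
                raise OperationNotPermitted(
                    f"The instance '{iid}' may not be terminated. Modify its "
                    "'disableApiTermination' instance attribute and try again.")
        for iid in InstanceIds:
            self.running.discard(iid)
        return {"TerminatingInstances": [{"InstanceId": i} for i in InstanceIds]}


def enable_termination_protection(ec2, instance_id):
    """Set the DisableApiTermination attribute on one instance."""
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})


def is_termination_protected(ec2, instance_id):
    """Read the attribute back; this is what an operator should check first."""
    resp = ec2.describe_instance_attribute(InstanceId=instance_id,
                                           Attribute="disableApiTermination")
    return bool(resp["DisableApiTermination"]["Value"])


def safe_terminate(ec2, instance_id):
    """Pre-flight check before terminating; returns 'blocked' or 'terminated'."""
    if is_termination_protected(ec2, instance_id):
        return "blocked"
    ec2.terminate_instances(InstanceIds=[instance_id])
    return "terminated"


def demo():
    """Protect one of two constructed instances and attempt to terminate both."""
    ec2 = FakeEC2(running={"i-0aaa", "i-0bbb"})      # constructed instance ids
    enable_termination_protection(ec2, "i-0aaa")
    results = {iid: safe_terminate(ec2, iid) for iid in ("i-0aaa", "i-0bbb")}
    # A direct terminate that skips the pre-flight check is still refused,
    # which is the point of the attribute: the service enforces it, not the caller.
    try:
        ec2.terminate_instances(InstanceIds=["i-0aaa"])
        bypass = "terminated"
    except OperationNotPermitted:
        bypass = "refused"
    return results, bypass, sorted(ec2.running)


if __name__ == "__main__":
    print(demo())
```

The pre-flight check gives a tool a chance to explain why it stopped, but the attribute is enforced server-side, so even a script that forgets the check cannot terminate the protected instance until someone deliberately clears the flag.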

While such a feature, or rather attribute, is an important step in preventing accidental deletion of a particular instance, it is only one example of an accidental action with significant repercussions.

A simple error such as mistyping the IP address for an instance is equally likely to make the provisioned service unavailable, and there is no attribute to protect against that error.

While the latter example is of course a simpler fix than the deletion of an instance, both examples demonstrate some of the challenges facing the use of cloud APIs.

Other challenges facing cloud end customers in their use of APIs include malicious attempts to circumvent the authorized process.

In a recent article published by DarkReading, author Rob Lemos presents the security risks that API keys pose to end customers.

Such keys are used to identify applications that use provisioned services; however, should they fall into the hands of malicious actors, they can be used to capture confidential data or rack up fees.

Solution:

For the end customer: the issue has arisen not from a weakness in the keys themselves but from how they are managed. In particular implementations they are used to identify users and, as such, are not protected by developers as assets critical to the business; examples include keys being e-mailed and being stored on desktop hard drives.
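One practical response to keys being e-mailed and left on desktops is to scan mailboxes, shared drives and source trees for credential material before an attacker does. The following is an added example, not code from the original text or from any vendor: a small scanner for AWS-style credentials. It relies on two facts, that long-term AWS access key IDs are 20 characters beginning with AKIA, and that the matching secret is 40 characters of base64-like text; to keep false positives down it only reports a secret when it sits beside a recognisable aws_secret_access_key assignment. The sample e-mail is constructed and uses the example key pair that AWS's own documentation publishes for illustration.

```python
"""
Scan text for AWS-style credentials that should never be in e-mail or on disk.
Findings are redacted so the scanner's own output does not become another leak.
"""
import re
from pathlib import Path

# Long-term user access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret keys are 40 base64-like characters; only flag them next to a config key
# name, since a bare 40-character token matches far too much ordinary text.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def redact(value):
    """Keep a recognisable prefix and suffix; mask the rest."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def find_aws_credentials(text):
    """Return (line_number, kind, redacted_value) for every hit in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(1))))
        for m in SECRET_ASSIGNMENT.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


def scan_path(path):
    """Scan one file on disk, e.g. an exported mailbox or a dumped config file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return find_aws_credentials(text)


# Constructed sample: the kind of message the article's "e-mailed keys" describes.
# The key pair is the illustrative one from AWS documentation, not a live credential.
SAMPLE_EMAIL = """\
Subject: creds for the reporting job
Hi, the reporting job needs these, can you drop them into the script?
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Thanks!
"""


def demo():
    """Run the scanner over the constructed e-mail and return its findings."""
    return find_aws_credentials(SAMPLE_EMAIL)


if __name__ == "__main__":
    for lineno, kind, value in demo():
        print(f"line {lineno}: {kind} {value}")
```

A key ID on its own is not a secret, but finding one in a mailbox is a strong signal that the matching secret travelled with it, so the scanner reports both kinds; the redaction means the report can be forwarded to the key's owner for rotation without repeating the leak.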
