Skip to main content

How policy-as-code can simplify API security

Most organizations today use hundreds  of applications in their environment, and with that they employ hundreds of APIs to connect these to the necessary web servers. Due to the flow of sensitive information, it’s crucial to manage policies that ensure controls are in place to only authorize appropriate access, as well as actions that can be taken with that access. 

Before we dive in on the subject of API Security, I want to define exactly what I’m talking about here because often people immediately think of the OWASP top 10, vulnerabilities around SQL injection and so on. Preventative steps and solutions that address those vulnerabilities are certainly crucial, but what I’m referring to is the practice of establishing attribute-based access control (ABAC) policies around what actions can be taken, by who or what (be it an identity or another application), and under what context/conditions. For security-centric organizations, it is important to establish modern approaches to writing authorization policies that can scale with your API development strategy and team. 

Until recently, the manner in which most organizations tackled this challenge was by writing ad-hoc policies developed and managed in silos across the organization. Whether developers leverage languages such as Python or REGO, or use something more specific to authorization such as ALFA (Abbreviated Language for Authorization), a domain-specific language often used in writing access-control policies, available via the Organization for the Advancement of Structured Information Standards, there is a need to clearly define policies that include those attributes that need to be considered, under what conditions and even in relation to each other. 

Policy-as-code does this by removing security silos and combining configuration and compliance into one step. This enables organizations to employ testing and validation of the policies as part of a centralized process that also captures version control. Since developers are dealing with hundreds of applications, this approach also increases the speed and efficiency compared to a manual approach of addressing each API and application individually.  

Now with respect to simplifying API security, there are a number of aspects a policy-as-code approach brings to organizations. 

Establishing Best Practices

First, policy-as-code enables organizations to consistently adopt many best practices we see around authorization directly within the development life cycle. APIs should never be viewed with a set-and-forget mindset but rather treated as a key element of your software development life cycle. By approaching them in the same manner as you would approach any new code, you can ensure proper testing and post release monitoring is done. 

Shift Left

Many organizations continue to have conversations as to how they can Shift Left and bring security to the beginning of the development process. Leveraging a policy-as-code approach brings access considerations to the beginning of the development process, which again provides a more comprehensive approach to simplifying API security. Too often, especially when dealing with custom one-off development for a specific application, security is the afterthought. Leveraging an API to solve the business problem becomes the priority and at the 11th hour, the project comes to a screeching halt as only then someone from the security team is made aware. The result –  there’s now an exercise in fitting controls into the solution after the fact and as we know that is exponentially more expensive than building the right policies in from the start of development

This is a real problem and in a recent survey conducted by 451 Research, 35 percent of respondents said they have delayed projects due to API security concerns, with 87 percent of respondents believing that integrating API security testing into developer pipelines could have prevented delays.  

It’s All About Policies

The third key benefit to this approach is that since you are now capturing all these policies in a centralized repository, your team can learn from and leverage other team members’ more complex, dynamic policies. In fact, you want your policies to be dynamic, as the whole point of security doctrines such as Zero Trust is to leverage as many attributes as necessary to understand the context of a request and determine the appropriate response. A policy that is dynamic and able to pivot due to additional attributes is incredibly valuable not only from a security perspective, but also because it enables your business to continue with some caveats, such as PII being anonymized in certain conditions, as opposed to simply denying the user access outright and forcing business to stop. 

By leveraging a policy-as-code approach organizations can actually go one step further and take the authorization process out of the APIs and applications to externalize it in one central policy decision point (PDP) for all applications within an organization. This means that instead of every development team having to master the ABAC concept, they simply write a standard API that is used to connect to a main ABAC REST API. 

That way, whenever a new API is needed or a change is required, one development team can easily do that ABAC coding in the one central location of which all other teams connect to. For example, if a change must be made due to a new compliance law coming into effect, it can be made in this one location for all applications that have policies affected by the law.

The bottom line is that a policy-as-code approach is good for all aspects of the business. It means better API security practices, less delays for the business in getting their projects completed and it empowers developers to tap into and build upon a growing library of dynamic policies within their organization. Considering that API attacks rose by 681% in the last twelve months, the time to start moving to a policy-as-code approach is now.

The post How policy-as-code can simplify API security appeared first on SD Times.



from SD Times https://ift.tt/zTIs13Y

Comments

Popular posts from this blog

Difference between Web Designer and Web Developer Neeraj Mishra The Crazy Programmer

Have you ever wondered about the distinctions between web developers’ and web designers’ duties and obligations? You’re not alone! Many people have trouble distinguishing between these two. Although they collaborate to publish new websites on the internet, web developers and web designers play very different roles. To put these job possibilities into perspective, consider the construction of a house. To create a vision for the house, including the visual components, the space planning and layout, the materials, and the overall appearance and sense of the space, you need an architect. That said, to translate an idea into a building, you need construction professionals to take those architectural drawings and put them into practice. Image Source In a similar vein, web development and design work together to create websites. Let’s examine the major responsibilities and distinctions between web developers and web designers. Let’s get going, shall we? What Does a Web Designer Do?

A guide to data integration tools

CData Software is a leader in data access and connectivity solutions. It specializes in the development of data drivers and data access technologies for real-time access to online or on-premise applications, databases and web APIs. The company is focused on bringing data connectivity capabilities natively into tools organizations already use. It also features ETL/ELT solutions, enterprise connectors, and data visualization. Matillion ’s data transformation software empowers customers to extract data from a wide number of sources, load it into their chosen cloud data warehouse (CDW) and transform that data from its siloed source state, into analytics-ready insights – prepared for advanced analytics, machine learning, and artificial intelligence use cases. Only Matillion is purpose-built for Snowflake, Amazon Redshift, Google BigQuery, and Microsoft Azure, enabling businesses to achieve new levels of simplicity, speed, scale, and savings. Trusted by companies of all sizes to meet

2022: The year of hybrid work

Remote work was once considered a luxury to many, but in 2020, it became a necessity for a large portion of the workforce, as the scary and unknown COVID-19 virus sickened and even took the lives of so many people around the world.  Some workers were able to thrive in a remote setting, while others felt isolated and struggled to keep up a balance between their work and home lives. Last year saw the availability of life-saving vaccines, so companies were able to start having the conversation about what to do next. Should they keep everyone remote? Should they go back to working in the office full time? Or should they do something in between? Enter hybrid work, which offers a mix of the two. A Fall 2021 study conducted by Google revealed that over 75% of survey respondents expect hybrid work to become a standard practice within their organization within the next three years.  Thus, two years after the world abruptly shifted to widespread adoption of remote work, we are declaring 20