API Security Control Selection and Justification: A Comprehensive Guide, Assignments of Computer Networks

Download API Security Control Selection and Justification: A Comprehensive Guide and more Assignments Computer Networks in PDF only on Docsity!

Rubri

c

Criteria

Include problem statement from previous deliverable

Total

Identification of two alternative security controls 20

Qualitative analysis of risks 20

Security control selection and justification 30

Risk matrix chart (See Appendix A) 20

Total 100

Alternative Security Controls

Administrative Controls

API Security Governance Policy

API Security Training for IT Staff and

App Developers

Technical Controls

API Gateway with Security Features

Integrated

Automated Vulnerability Scanning

on APIs

Physical Controls

Restrict access to Servers Hosting

APIs

Qualitative Analysis (Administrative

• (^) API Security (^) Controls) Governance Policy

  • (^) Effectiveness

    • Establishes a Governance Structure Ensures all API management and development processes follow best security practices
  • (^) Operation
    • (^) Requires a clear written policy with guidelines
    • (^) Enforcement of authentication standards
    • (^) API development with Audits/Compliance
  • (^) Availability (High)
    • (^) Enforced across the organization

  • Cost (Low)

    • Drafting written policies Providing training Revisions to keep up to
  • Implementation^ date Issues
    • (^) Resistance from departments may occur when policy disrupts existing workflows
  • (^) Overall Benefit
    • (^) Promotes security awareness
    • (^) All future API development minimize the risk of potential security vulnerabilities

Qualitative Analysis (Technical Controls)

• (^) API Gateway with Security Features Integrated
  • (^) Effectiveness
    • (^) Centralized Security Policies
    • (^) Detect and Block Insecure Traffic
  • (^) Operation
    • (^) Monitors Traffic and Applies Security Rules
    • (^) Ensures Legitimate Requests Reach API
  • (^) Availability (High)
    • (^) Redundancy and Fault Tolerance (Deployed with Cloud or Hybrid Solution)

  • Cost (Moderate-High)

    • Cloud Based Solution On-Premise Solution
  • Implementation Issues
    • (^) Significant Setup and Integration Efforts
    • (^) Continuous Management and Configuration updates
  • Overall Benefit
    • (^) Comprehensive Protection against common API vulnerabilities and attacks

Qualitative Analysis (Technical Controls)

• (^) Automated Vulnerability Scanning on API’s
  • (^) Effectiveness
    • (^) Identify potential vulnerabilities within API’s before they can be exploited
  • (^) Operation
    • Scan APIs at Regular Intervals
    • (^) Identify Risks and Suggest Remediations

  • (^) Availability (High)

    • Scans can be scheduled to run automatically Available in both Open-Source and Commercial Software
  • Cost (Low-Moderate)
    • (^) Dependent on the Software used
  • Implementation Issues
    • (^) False Positives
    • (^) Manual Validation
  • (^) Overall Benefit
    • (^) APIs remain secure during and after development
    • (^) Minimize the risk of Unauthorized Access or Data Breaches

Security Control Selection - (API Gateway with Security Features Integrated)

• (^) Internal Network Connection
  • (^) API Gateway sits between the internal network and external users/systems
  • (^) API Gateway connects to Application Servers using secure protocols (HTTPS, TLS)
  • (^) Routes Valid API requests to Microservices to Authenticate, Authorize, and Encrypt

the traffic before it enters the internal network

• (^) Gateway will communicate with monitoring systems to log activity and detect issues

with traffic patterns

Security Control Selection - (API Gateway with Security Features Integrated)

• (^) Internet Connection
  • (^) API Gateway acts as a secure access point for External Consumers
  • (^) All External API requests are filtered through the Gateway
    • (^) Traffic Inspection
    • (^) Rate Limiting
    • (^) Authentication
  • (^) Data Encryption between VS&CO’s APIs and External Consumers (SSL/TLS)

Security Control Selection - (API Gateway with Security Features Integrated)

• User Access
  • (^) External Users (Customers, External Services)
    • (^) Secure API Calls via Internet
    • (^) API Gateway Authenticates and Authorizes all Traffic
  • (^) Internal Users (IT Staff, Developers)
    • (^) Web-based Interfaces
    • (^) CLI
    • (^) Multi-Factor Authentication
  • (^) Security Teams
    • (^) Integration with internal security tools

Cyber Security

System

Diagram

CIA Triad

Security Control API Security Policy Confidentiality High Integrity Medium Availability High Security Training Medium Medium High API Gateway High High High Vulnerability Scanning Medium High High Physical Access Control High High High

Risk Matrix Chart

Risk Likelihood (1-5) Impact (1-5) Overall Risk (Likelihood x Impact) Data Breach 4 5 20 Unauthorized Access 5 5 25 Service Disruption/Downtime 4 4 16 Data Integrity Compromise 3 5 15 Reputational Damage 5 5 25 Legal/Compliance Penalties 4 5 20

Mitigating Risk (API Gateway)

• (^) Rate Limiting
• (^) DDoS Protection
• (^) Load Balancing Service Disruption/Downtime
• (^) Input Validation
• (^) Traffic Monitoring
• (^) Data Verification Data Integrity Compromise

Mitigating Risk (API Gateway)

Reputational Damage

Prevents the following events from occurring

causing public reaction

• (^) Data Breaches
• (^) Service Outages
• (^) Unauthorized Access Legal/Compliance Penalties

Enforce Security and Compliance Standards

• (^) Data Encryption
• (^) Secure Authentication