Rubric

Criteria                                                  Points
Include problem statement from previous deliverable
Identification of two alternative security controls       20
Qualitative analysis of risks                             20
Security control selection and justification              30
Risk matrix chart (see Appendix A)                        20
Total                                                     100
Alternative Security Controls

Administrative Controls
- API Security Governance Policy
- API Security Training for IT Staff and App Developers

Technical Controls
- API Gateway with Security Features Integrated
- Automated Vulnerability Scanning on APIs

Physical Controls
- Restrict Access to Servers Hosting APIs
Qualitative Analysis (Administrative Controls) - API Security Governance Policy
- Effectiveness
  - Establishes a governance structure
  - Ensures all API management and development processes follow security best practices
- Operation
  - Requires a clear written policy with guidelines
  - Enforcement of authentication standards
  - Audits and compliance checks of API development
- Availability (High)
  - Enforced across the organization
- Cost (Low)
  - Drafting written policies
  - Providing training
  - Revisions to keep the policy up to date
- Implementation Issues
  - Resistance from departments may occur when the policy disrupts existing workflows
- Overall Benefit
  - Promotes security awareness
  - All future API development minimizes the risk of introducing security vulnerabilities
Qualitative Analysis (Technical Controls) - API Gateway with Security Features Integrated
- Effectiveness
  - Centralized security policies
  - Detects and blocks insecure traffic
- Operation
  - Monitors traffic and applies security rules
  - Ensures only legitimate requests reach the API
- Availability (High)
  - Redundancy and fault tolerance (deployed as a cloud or hybrid solution)
- Cost (Moderate-High)
  - Cloud-based solution or on-premise solution
- Implementation Issues
  - Significant setup and integration effort
  - Continuous management and configuration updates
- Overall Benefit
  - Comprehensive protection against common API vulnerabilities and attacks
Qualitative Analysis (Technical Controls) - Automated Vulnerability Scanning on APIs
- Effectiveness
  - Identifies potential vulnerabilities within APIs before they can be exploited
- Operation
  - Scans APIs at regular intervals
  - Identifies risks and suggests remediations
- Availability (High)
  - Scans can be scheduled to run automatically
  - Available as both open-source and commercial software
- Cost (Low-Moderate)
  - Dependent on the software used
- Implementation Issues
  - False positives require manual validation
- Overall Benefit
  - APIs remain secure during and after development
  - Minimizes the risk of unauthorized access or data breaches
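As an added example (not the assignment's or any product's scanner) of what a scheduled API scan does, the script below statically checks an OpenAPI 3 document for three weaknesses the gateway cannot fix on its own: a plaintext http:// server URL, operations whose security requirement is missing or explicitly emptied, and parameters or request bodies with no schema (so nothing constrains the input). The sample spec is constructed, and the allow-list of known-public paths stands in for the manual validation step that handles false positives.

```python
"""Scheduled static scan of an OpenAPI 3 document for common API weaknesses:
plaintext server URLs, operations with no security requirement, and inputs
with no schema. Added example, not the assignment's or any product's
scanner; the spec below is constructed and the rule set is a small subset
of what real open-source/commercial scanners check."""
import json

# Constructed sample spec with deliberate weaknesses.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],          # plaintext
    "security": [{"bearerAuth": []}],                          # global default
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"security": [],                    # intentionally public
                            "responses": {"200": {"description": "ok"}}}},
        "/orders": {
            "get": {"responses": {"200": {"description": "list orders"}}},
            "post": {"requestBody": {"content": {"application/json": {}}},  # no schema
                     "responses": {"201": {"description": "created"}}}},
        "/admin/users/{id}": {
            "delete": {"security": [],                         # auth disabled!
                       "parameters": [{"name": "id", "in": "path",
                                       "required": True}],   # no schema
                       "responses": {"204": {"description": "deleted"}}}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
# Allow-list of endpoints known to be public; this is the manual validation
# step that turns a would-be false positive into an accepted exception.
PUBLIC_PATHS = {"/health"}


def scan_openapi(spec_text, public_paths=PUBLIC_PATHS):
    """Return a list of findings: {severity, where, issue, fix}."""
    spec = json.loads(spec_text)
    findings = []

    def add(severity, where, issue, fix):
        findings.append({"severity": severity, "where": where,
                         "issue": issue, "fix": fix})

    for srv in spec.get("servers", []):
        url = srv.get("url", "")
        if url.lower().startswith("http://"):
            add("high", url, "plaintext server URL",
                "serve the API only over https:// (TLS)")

    global_sec = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            # Operation-level 'security' overrides the global list; an empty
            # list explicitly disables authentication for that operation.
            sec = op.get("security", global_sec)
            if not sec and path not in public_paths:
                add("high", where, "unauthenticated operation",
                    "add a security requirement or allow-list it as public")
            for param in op.get("parameters", []):
                if "schema" not in param:
                    add("medium", where,
                        f"parameter '{param.get('name')}' without schema",
                        "declare a schema so the gateway can validate input")
            content = op.get("requestBody", {}).get("content", {})
            for ctype, media in content.items():
                if not media.get("schema"):
                    add("medium", where, "request body without schema",
                        f"declare a schema for {ctype}")
    return findings


def severity_summary(findings):
    """Count findings per severity, for the scheduled-scan report."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_openapi(SAMPLE_SPEC):
        print(f"[{f['severity']}] {f['where']}: {f['issue']} -> {f['fix']}")
```

Run from cron or a CI job against the exported spec; the two "high" findings (plaintext server, the unauthenticated DELETE) are the ones to fix before release, while the schema findings feed the gateway's input-validation rules. Path-item-level parameters are not checked here; a production scanner would also cover those.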
Security Control Selection - API Gateway with Security Features Integrated

Internal Network Connection
- The API gateway sits between the internal network and external users/systems
- The gateway connects to the application servers using secure protocols (HTTPS/TLS)
- The gateway authenticates, authorizes and encrypts traffic, then routes only valid API requests to the microservices on the internal network
- The gateway communicates with monitoring systems to log activity and detect anomalous traffic patterns

Internet Connection
- The API gateway acts as the single secure access point for external consumers
- All external API requests are filtered through the gateway:
  - Traffic inspection
  - Rate limiting
  - Authentication
- Data encryption (TLS) between VS&CO's APIs and external consumers

User Access
- External users (customers, external services)
  - Secure API calls via the Internet
  - The gateway authenticates and authorizes all traffic
- Internal users (IT staff, developers)
  - Web-based interfaces
  - CLI
  - Multi-factor authentication
- Security teams
  - Integration with internal security tools
[Figure: Cyber Security System Diagram]
CIA Triad

Security Control          Confidentiality  Integrity  Availability
API Security Policy       High             Medium     High
Security Training         Medium           Medium     High
API Gateway               High             High       High
Vulnerability Scanning    Medium           High       High
Physical Access Control   High             High       High
Risk Matrix Chart

Risk                          Likelihood (1-5)  Impact (1-5)  Overall Risk (Likelihood x Impact)
Data Breach                   4                 5             20
Unauthorized Access           5                 5             25
Service Disruption/Downtime   4                 4             16
Data Integrity Compromise     3                 5             15
Reputational Damage           5                 5             25
Legal/Compliance Penalties    4                 5             20
Mitigating Risk (API Gateway)

Service Disruption/Downtime
- Rate limiting
- DDoS protection
- Load balancing

Data Integrity Compromise
- Input validation
- Traffic monitoring
- Data verification

Reputational Damage
- Prevents the events that cause public reaction: data breaches, service outages, unauthorized access

Legal/Compliance Penalties
- Enforces security and compliance standards
  - Data encryption
  - Secure authentication
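The Security Control Selection and Mitigating Risk sections both describe the gateway as the one chokepoint that authenticates, authorizes, rate-limits, validates and logs every external request before it reaches an internal microservice. The following is an added example of that request pipeline in working code; it is not the assignment's design artifact or any vendor's gateway, and the route table, the HMAC-signed bearer-token format, the 64 KiB body cap and the per-client limits are all assumptions made for the illustration.

```python
"""A minimal API gateway request pipeline: authenticate, authorize by scope,
rate-limit per client, validate the body, and log every decision for the
monitoring system. Added example; not the assignment's or any vendor's code.
The route table, the HMAC-signed token format and all limits are assumptions."""
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

SECRET = b"example-gateway-signing-key"   # assumed shared secret for tokens
MAX_BODY = 64 * 1024                      # assumed request-body cap (bytes)
# Assumed route table: public path -> (required scope, internal upstream)
ROUTES = {
    "/api/orders": ("orders:read", "https://orders.internal:8443"),
    "/api/admin/users": ("admin", "https://users.internal:8443"),
}


def make_token(client_id, scope, secret=SECRET):
    """Issue a bearer token '<client>.<scope>.<hex HMAC-SHA256>'."""
    body = f"{client_id}.{scope}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token, secret=SECRET):
    """Return (client_id, scope) if the MAC verifies, otherwise None.
    A client_id or scope containing '.' fails closed (part-count mismatch)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    client_id, scope, mac = parts
    expected = hmac.new(secret, f"{client_id}.{scope}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time compare
        return None
    return client_id, scope


class Gateway:
    def __init__(self, secret=SECRET, limit=5, window=60.0,
                 clock=time.monotonic):
        self.secret, self.limit, self.window, self.clock = secret, limit, window, clock
        self.hits = defaultdict(deque)   # client_id -> request timestamps
        self.audit_log = []              # stand-in for the monitoring feed

    def _within_rate(self, client_id):
        """Sliding-window limiter: allow at most `limit` hits per `window` seconds."""
        now = self.clock()
        q = self.hits[client_id]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def _decide(self, client, path, status, reason, payload):
        """Record the decision for monitoring, then return it to the caller."""
        self.audit_log.append({"ts": self.clock(), "client": client,
                               "path": path, "status": status, "reason": reason})
        return status, payload

    def handle(self, path, headers, body=b""):
        """Return (status, payload); 200 means the request was forwarded."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return self._decide(None, path, 401, "missing bearer token",
                                {"error": "authentication required"})
        ident = verify_token(auth[len("Bearer "):], self.secret)
        if ident is None:
            return self._decide(None, path, 401, "invalid token",
                                {"error": "invalid token"})
        client_id, scope = ident
        if not self._within_rate(client_id):
            return self._decide(client_id, path, 429, "rate limit exceeded",
                                {"error": "too many requests"})
        route = ROUTES.get(path)
        if route is None:
            return self._decide(client_id, path, 404, "unknown route",
                                {"error": "not found"})
        required_scope, upstream = route
        if scope != required_scope:
            return self._decide(client_id, path, 403, "scope mismatch",
                                {"error": "forbidden"})
        if len(body) > MAX_BODY:
            return self._decide(client_id, path, 413, "body too large",
                                {"error": "payload too large"})
        if body:
            try:
                parsed = json.loads(body)
            except ValueError:
                return self._decide(client_id, path, 400, "malformed JSON",
                                    {"error": "malformed request body"})
            if not isinstance(parsed, dict):
                return self._decide(client_id, path, 400, "body not an object",
                                    {"error": "malformed request body"})
        return self._decide(client_id, path, 200, "forwarded",
                            {"forwarded_to": upstream})
```

Every rejection is written to the audit log with a reason, which is the feed the traffic-monitoring system reads to spot patterns such as one client repeatedly hitting 429 or 403. The limiter here is keyed on the authenticated client, so an unauthenticated flood is only stopped by the cheap token check; a production gateway adds a per-source-IP limit in front of authentication for that case.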