Hackers once again hit U.S. wireless operator T-Mobile, this time accessing data for 37 million customers via a vulnerable API. The attack is just the latest in a string of high-profile incidents that leveraged APIs, and it has left cloud network architects wondering just how safe their deployments are.
APIs, or application programming interfaces, are the protocols through which different software components are built and integrated. They predate the cloud, but they are now used to develop and run all sorts of cloud applications.
According to Moor Insights and Strategy principal analyst Anshel Sag, “API attacks are increasing in frequency as hackers look for new weaknesses in companies' security strategies.” These kinds of attacks are favored because APIs serve as the connection points between different services, meaning “if there is a weakness in one, it becomes the new source of attack.”
Thus, these kinds of threats fall under the category of supply chain attacks, he added. “Supply chain attacks look for an adjacent vendor who might have less secure systems and attacks them and then uses them as the foot in the door to attack the intended target,” he explained. Another high-profile example of such an attack was the SolarWinds breach in 2020.
Should you worry about your cloud APIs?
So, how worried should cloud network architects be and what can they do to mitigate the threat?
Ory Segal, CTO of Prisma Cloud at Palo Alto Networks, told Silverlinings there are a few different kinds of API attacks that can impact cloud infrastructure.
“Unauthorized access to cloud APIs may grant a user the ability to control the underlying infrastructure and services that drive our application — for example, a user may access public cloud data services such as storage buckets, databases or message queues.
This access could lead to data leakage, but it can also lead to denial of service as a result of taking the infrastructure offline entirely,” he said. “Another possible attack vector would be to leverage cloud APIs to construct a farm of cloud servers or containers, for the purpose of abusing this ‘compute’ power for all sorts of purposes such as bitcoin mining.”
Segal noted securing cloud APIs requires a different kind of approach than locking down traditional APIs since “we do not control the endpoints.” Thus, cloud architects “have to rely on strict IAM permissions, apply least-privileged access controls in order to reduce the blast radius, apply anomaly detection to detect abuse of cloud identities, and of course constantly monitor cloud APIs audit logs.”
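One way to act on the advice above to monitor cloud API audit logs and detect abuse of cloud identities, as an added example that is not from the article or from any vendor's product: a small Python checker run over constructed CloudTrail-style records. The identity names, the per-identity baseline of expected API calls and the thresholds are all assumptions; it flags the three patterns the article describes, an identity calling APIs it never used before (such as storage-bucket access), repeated permission failures, and a burst of server provisioning.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, CloudTrail-style audit records (not real log data): who acted,
# which cloud API was called, when, and whether the call was denied.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"identity":"role/app-backend","eventName":"GetObject","eventTime":"2023-01-20T10:00:00Z"}
{"identity":"role/app-backend","eventName":"PutObject","eventTime":"2023-01-20T10:01:00Z"}
{"identity":"role/ci-deployer","eventName":"ListBuckets","eventTime":"2023-01-20T10:02:00Z","errorCode":"AccessDenied"}
{"identity":"role/ci-deployer","eventName":"GetObject","eventTime":"2023-01-20T10:02:05Z","errorCode":"AccessDenied"}
{"identity":"role/ci-deployer","eventName":"GetObject","eventTime":"2023-01-20T10:02:10Z","errorCode":"AccessDenied"}
{"identity":"role/ci-deployer","eventName":"RunInstances","eventTime":"2023-01-20T10:05:00Z"}
{"identity":"role/ci-deployer","eventName":"RunInstances","eventTime":"2023-01-20T10:05:20Z"}
{"identity":"role/ci-deployer","eventName":"RunInstances","eventTime":"2023-01-20T10:05:40Z"}
{"identity":"role/ci-deployer","eventName":"RunInstances","eventTime":"2023-01-20T10:06:00Z"}
""".strip().splitlines()]

# Assumed baseline: the API calls each identity is known to make (hypothetical).
BASELINE = {
    "role/app-backend": {"GetObject", "PutObject"},
    "role/ci-deployer": {"UpdateFunctionCode", "RunInstances"},
}

def detect_identity_abuse(events, baseline, denied_threshold=3,
                          burst_count=3, burst_window=timedelta(minutes=5)):
    """Return (identity, finding) pairs for identities whose API use looks abusive."""
    findings = []
    by_identity = defaultdict(list)
    for ev in events:
        by_identity[ev["identity"]].append(ev)
    for identity, evs in by_identity.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO-8601 strings sort chronologically
        # 1. APIs this identity has never called before (e.g. sudden bucket access)
        for name in sorted({e["eventName"] for e in evs} - baseline.get(identity, set())):
            findings.append((identity, f"first_use:{name}"))
        # 2. Repeated AccessDenied: permissions being probed beyond what IAM allows
        denied = sum(1 for e in evs if e.get("errorCode") == "AccessDenied")
        if denied >= denied_threshold:
            findings.append((identity, f"access_denied:{denied}"))
        # 3. Burst of RunInstances inside the window: a "farm" of servers being built
        times = [datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                 for e in evs if e["eventName"] == "RunInstances"]
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= burst_window:
                findings.append((identity, f"provisioning_burst:{burst_count}"))
                break
    return findings
```

In a real deployment the baseline would be learned from historical audit logs per identity, and the findings fed to whatever alerting the team already uses.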
The CTO said most cloud development and security teams are already well aware of the threats posed by exposed APIs. However, he noted development teams are frequently pushed to release new features and applications on a shortened timeline, and project owners oftentimes don’t prioritize API security or, if they do, don’t specify the security standards they’re looking for.
Thus, a first step in the right direction is to clearly define and make API security a top priority for every project, he continued. In addition to running a security analysis of finished applications, “you should deploy an application security solution that provides visibility and attack prevention for all types of API endpoints, and you should actively monitor and log access to APIs,” Segal concluded.