Techno Savvy (Norway) asked:
Security checklist for REST API

Hi Team,

Our organization is looking to develop a REST API that requires constant secure integration with external entities including the government authorities to fetch PHI as per the project requirements. 


As a cybersecurity specialist, I have to help the team secure the API as much as possible. Basically, we follow the ISO 27001 framework. My queries are, but not limited to:


How should this server call the backend databases? What is the best network architecture to apply?

What security elements should be implemented?

How should the data be secured?


Appreciate any advice and suggestions


ASKER CERTIFIED SOLUTION
Steve (United Kingdom)

SOLUTION
Techno Savvy (asker):

Thank you, Steve, for the valuable suggestions and comments. Surely, I am working on improving my cybersecurity career. Of course, technical forums are just for seeking suggestions; however, in the end a risk analysis based on threat modelling would be carried out, and policies and technical controls would be applied based on the organization's goals.

Anyways, coming to the question, and thanks again for the detailed response.

Just trying to understand one point you mentioned regarding the front end. Are you referring to the server hosting the API, or should there be another server behind it before communicating with the backend database? Is that what you mean? What best practice does the industry follow to integrate APIs with backend DBs?

Adding some suggestions: would it be applicable to put IP restrictions and mutual certificate authentication in place to make sure API calls come only from trusted sources?


@Btan: Thank you so much for adding your valuable inputs as well. That cheat sheet is very helpful.


Thank you.



Steve:

Quoting the asker: "Are you referring to the server hosting the API, or should there be another server behind it before communicating with the backend database? Is that what you mean? What best practice does the industry follow to integrate APIs with backend DBs?"

Yes. It depends on what your applications do, but in many cases the below would be a good place to start:


Internet > External Firewall > WAF* > Load balancer* > Front end server hosting API > Internal Firewall > Application server > Some form of firewall if possible > Databases/file storage.




* Worth noting that some external firewalls include WAF functionality. It depends on your preference, but there are benefits to having separate units if viable. Also, a WAF can go on either side of your firewall, depending on makes/models/types etc.

* Load balancers, if you have multiple servers to spread load or for HA/DR purposes. Again, this could be part of another device, like a WAF.


Quoting the asker: "Adding some suggestions: would it be applicable to put IP restrictions and mutual certificate authentication in place to make sure API calls come only from trusted sources?"

It would be good to, where viable, yes. The exact method depends on your circumstances.

E.g. some form of authentication would be the minimum. Mutual cert auth is one of the better options.

SOLUTION

Techno Savvy (asker): If we have a single API URL used for both partner and public integration, what are the best possible ways to whitelist specific IPs?

Steve: If it's 'public' you may not be able to whitelist at all, as that would prevent public access.

It may be possible to consider what functionality is needed by whom.

If everything is needed by public, you may not be able to whitelist incoming traffic.


If you can identify some elements/code that are not needed by the public, particularly if those elements provide additional access or involve data, you could deploy two separate sites/endpoints:

  • One for the public with only the functionality needed and no whitelist.
  • One with additional functionality for partners via a whitelist.

Techno Savvy (asker): Thank you Steve. Appreciate your time.

If we deploy two separate endpoints on the same URL, then the firewall would allow the incoming traffic and the IPs would be restricted at the API endpoints on the server. Is that what you mean, Steve?
SOLUTION

Techno Savvy (asker): Thank you Steve.
Yes, we do have a WAF, and we can manage by redirecting the traffic to the appropriate site path and whitelisting only specific IPs.

You're welcome.

btan:

Agree with the expert, and I will also say that unless the IP is static, you will be whitelisting continuously. If indeed it is point-to-point, a private link in the AWS context for the endpoint is the approach, with an IAM role. What I am alluding to is to go more towards authenticated access, as IP whitelisting can be bypassed through spoofing. This is also why an API gateway can be considered to manage the public and private APIs exposed.
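The thread settles on three controls for one API host: a public surface with no source restriction, a partner surface behind an IP whitelist, and mutual certificate authentication on top of the whitelist because a source address alone can be forged. The following is an added example, not code from any participant: a route-level policy check of the kind the front-end/API server (or the WAF tier in front of it) would apply. It also covers the forwarded-address caveat that matters once a WAF or load balancer sits in the path: X-Forwarded-For is only honoured when the TCP peer is the trusted proxy tier, and only its rightmost entry is used. The `/public/` and `/partner/` paths, the 10.0.1.0/24 proxy range, and the partner ranges are constructed sample values, as is the `client_cert_subject` field standing in for whatever the TLS terminator reports after verifying a client certificate.

```python
# Added example (not from the thread): route-level access policy for one API
# host serving a public and a partner surface. All paths, ranges and the
# client-certificate field are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address range of the WAF / load-balancer tier in front of the API
# server. Only these peers may set X-Forwarded-For; a forged header arriving
# from any other peer is ignored, which is the spoofing concern raised above.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]

# Assumed partner source ranges (constructed values from documentation space).
PARTNER_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]


@dataclass
class Request:
    path: str
    peer_ip: str                               # TCP peer as seen by the API server
    xff: Optional[str] = None                  # raw X-Forwarded-For header, if any
    client_cert_subject: Optional[str] = None  # subject of a verified mTLS cert


def client_ip(req: Request):
    """Return the source address to evaluate against the allowlist.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    A proxy appends the address it actually saw to the end of the list, so
    with one trusted hop the rightmost entry is the real client; anything to
    its left was supplied by the client and may be forged.
    """
    peer = ipaddress.ip_address(req.peer_ip)
    if req.xff and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(req.xff.split(",")[-1].strip())
    return peer


def in_allowlist(ip, allowlist: List = PARTNER_ALLOWLIST) -> bool:
    """True if ip falls inside any allowlisted network (v4/v6 mismatch is False)."""
    return any(ip in net for net in allowlist)


def authorize(req: Request) -> Tuple[bool, str]:
    """Decide whether the request may reach the API, with a reason for the log."""
    ip = client_ip(req)
    if req.path.startswith("/public/"):
        return True, f"public surface, no source restriction ({ip})"
    if req.path.startswith("/partner/"):
        if not in_allowlist(ip):
            return False, f"{ip} is not in the partner allowlist"
        if not req.client_cert_subject:
            return False, f"{ip} is allowlisted but presented no client certificate"
        return True, f"partner {req.client_cert_subject} from {ip}"
    return False, f"no policy for path {req.path}"


if __name__ == "__main__":
    # Constructed sample requests, including two forged-header attempts.
    samples = [
        Request("/public/status", "192.0.2.44"),
        Request("/partner/records", "203.0.113.5", client_cert_subject="CN=partner-a"),
        Request("/partner/records", "203.0.113.5"),
        Request("/partner/records", "192.0.2.44", xff="203.0.113.5",
                client_cert_subject="CN=anyone"),
        Request("/partner/records", "10.0.1.7", xff="203.0.113.5",
                client_cert_subject="CN=partner-a"),
        Request("/partner/records", "10.0.1.7", xff="203.0.113.5, 192.0.2.44",
                client_cert_subject="CN=anyone"),
    ]
    for r in samples:
        ok, why = authorize(r)
        print("ALLOW" if ok else "DENY ", r.path, "-", why)
```

The policy fails closed on unknown paths, and the certificate check is deliberately applied after the allowlist check so that a forged source address never reaches the partner surface even when the caller holds some certificate. In a real deployment the same split is usually expressed in the WAF or gateway configuration rather than in application code, but the ordering of the checks and the handling of X-Forwarded-For carry over unchanged.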