Protecting API keys in the cloud improves enterprise cloud security

Source: Internet
Author: User
Keywords These security cloud services improved
Tags access api clear cloud cloud security cloud service cloud services code

The API key, like the SSL key, is the top priority in security policy. Many people verbally say they want to protect the information in the cloud, but in fact we are all stones in cloud security. Most organizations use some form of API key to access cloud services. The protection of these API keys is important. This article will discuss the issue of protecting API key and recommend some solutions.

In the 2011, the importance of API keys was gradually recognized, and companies were more aware of their full protection of these keys. After all, the API key is directly related to sensitive information in the cloud. If an enterprise's API Key management is loose, then the enterprise is under these threats: 1. Unauthenticated user access secret information using key; 2. Unauthorized access to the cost-support appropriation service may result in large credit card bills.

In fact, easy access to API keys means that anyone can use these keys and can generate huge costs on a virtual machine. This is similar to using someone's credit card and then making unauthorized purchases.


As you know, many cloud services are accessed through a simple Rest Web service interface. Usually we call them APIs because they are similar to the concept of the heavyweight API in C + + or VB. But it's easier for users to use these APIs on Web pages or mobile phones. In short, API keys are used to access cloud services. Gartner's Darryl Plummer that cloud technology should combine services. Companies want to connect their local-run applications to cloud services, connecting cloud services to cloud services. All of these connections should be secure, and their performance should be monitored.

Obviously, API key controls are tools that touch the important content of cloud services, but these keys are often sent by mail or stored in a file server for most people to use. For example, if an enterprise is using SaaS products, such as Gmail, they usually get the API keys back from Google. This API key is valid only for the enterprise and allows employees to log in and access the company's mailbox.

How do I protect an API key?

The API key must be protected as a password and a private key. That means they should be kept in a file system like a file, or in a relatively easy to analyze application. In the case of cloud Service broker, where the API key is saved in encrypted form, it provides the option to save the API key on the hardware when using the hardware security Module (HSM). Because HSM vendors include: Sophos-utimaco,ncipher,thales,safenet and Bull, they now support material storage, not just RSA/DSA keys. A secure API Key store means that an operator can apply a policy to key usage. and privacy-related guidelines are protected from key communications.

▲ Figure I: The broker pattern for protecting API keys

The following are common ways to handle API keys:

1, the developer uses the mail to send the API key: The enterprise usually uses the mail to send the API key to the developer, but the developer then copies it to the code. This kind of loose operation has the security hidden trouble therefore should try to avoid. In addition, if a developer copies an API key into the code, a request for a Xinmi key can cause additional work by making a replacement request for the code.

2. Configuration file: Another common scenario is that the developer places the API key in a system configuration file that is easily found. People should treat the API key with the private SSL key. In fact, if the API key is in the wrong hands, it is more harmful than the private SSL key. For example, if someone uses an Enterprise API key, the enterprise will pay for it. The solution is to give the key to a dedicated security network architecture. This involves the cloud service proxy architecture, which manages the API key through the agent product.

3. Key directory: One way to avoid API management is to deploy a clear security policy related to the key. Ideally, this should fall under the control of corporate security policy, with a clear regulatory and accountability system in place. This approach is based on a detailed catalog of reserved API keys. Although such catalogs have their advantages, many enterprises still have to use the mobile method to track API keys.

These enterprises should ask the following questions when developing the API Key directory:

A what is the key used for, and for what purpose?

b who is responsible for the proprietary key?

C is there a validity period for the use of the key? How to notify the user before the expiry date? Is there a clear solution to the expiration key? It can cause havoc when the password expires.

The directory can be managed in its own encrypted Excel datasheet or in a database or through other proprietary products. The disadvantage of this approach is that you can manage data tables or data for a slightly longer period of time and cause human error. The alternative is to take advantage of off-the-shelf products, such as cloud service proxies. In addition to providing other services, agents can make it easy for organizations to view key information about API keys, including identifying who should be responsible for the API, and providing usage information and expiration dates for APIs.

4. Encrypted file storage: A greater threat occurs when developers attempt to deploy their own security policy for the API key. For example, the developer knows that the API key should be protected and will choose to keep the key where it is difficult to find--sometimes using cryptographic algorithms or hiding the key in a file or registry. There is no doubt that some people will not be able to find these key caches at first, but soon the information will be made public in the enterprise. This kind of mistake confirms the proverb that "cannot obtain security by hiding".

All in all, because enterprises are using cloud services more and more, this may result in the use of API keys too loosely or shared. Whether the enterprise chooses to manage the API key or use off-the-shelf product management, the key is to protect the access and use of the key.

Here we encourage CIOs and CSO to view the API key as a security policy equivalent to the SSL private key status. It is recommended that you treat API keys as sensitive resources because they can access sensitive information directly. Effective management of the API key can improve the enterprise cloud security, avoid unauthorized charges or the disclosure of sensitive information.

(Responsible editor: The good of the Legacy)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.