Permissioned API

The current state of APIs

Micro-architectures have solved a big problem of enterprise collaboration and innovation. Combined with the cloud, they have ushered in open ecosystems built on API gateways for enterprises. APIs are important for enabling innovation. Whether a company is working with startups or with a consortium of organizations, it needs to let external parties access internal data and transactions. Without that, collaboration is almost impossible unless a SWIFT is created, as was done for all banks. That is a costly one-off exercise which is not going to be repeated.

But this also opens the doors wide for intruders and unwanted elements. Such groups are often summarised as hackers. APIs have become the favorite low-hanging fruit for hackers. Security is important to have, but open risks are not. It is high time we found a solution.

Industry Standard of Secure APIs

API security has been a well-studied topic for over two decades. As per the Red Hat API security recommendation, here are the key design parameters for a secure API gateway:

  • Use tokens to establish identities – Assign a token based on the role and the accesses allowed for a given user. Beyond that, with blockchain you can get access to a limited identity of the actual end user or of a series of end users.
  • Use encryption and signatures – Not just for TLS but also for the actual execution endpoints, using blockchain capabilities.
  • Keep discovering and fixing vulnerabilities – The first task in this direction is to update your stacks and drivers to ensure that your IT is running with the latest security considerations. Secondly, and most importantly, you should have an internal task force for continuous testing of all such API endpoints. Thirdly, your organization needs to allow external collaborative hackers to contribute to your testing and discoveries through a bounty program.
  • Use quota and throttling – By now it is a no-brainer that tracking the usage of APIs helps differentiate abuse from right use. The next step in this direction is self-metered endpoints. Adding blockchain access for APIs can lead to automatic metering. If your organization issues a certain number of tokens, the blockchain system will limit overuse and enforce fair use out of the box.
  • Use API Gateway – API gateways are now the de facto rule for API implementation. Their success depends on having a strategic API program to build a useful API gateway which has less redundancy and higher impact.

Introducing new State-of-the-art API blockchain security

Blockchains have come a long way from hype to reality. The era of the cryptocurrency boom gave them a lot of limelight, which also led to misunderstanding. Once touted as a silver bullet for every problem in the universe, blockchains are much better understood now. We have explained our perspective on business blockchains, which you can refer to.

State-of-the-art blockchain security comprises two important elements:

  1. Identity – The consumer of your APIs
  2. Workflow – The consumption pattern

Identity and workflow elements expand the current possibilities in the API economy. So far, organizations have been limited to bringing the endpoints out from behind their IT security wall, because anything beyond that is aspirational but too risky. Giving outside agents enough access to design transaction processing or new product offerings mingled with yours is beyond current capabilities. Identity and workflow give organizations the required capabilities beyond their IT walls while keeping them in full control of access, security, privacy and anonymity, among many other enterprise security needs. The key features of blockchain provide this functionality out of the box:

  • immutability – Data cannot be changed once written
  • decentralized – The participants do not have to go through a single gateway. Your APIs can be used to fuse and build new product offerings. Think of Star Alliance in the airline industry. With blockchain APIs, many Star Alliance lookalikes could be formed, not just for airlines but also for hotels, malls, transporters, etc.
  • hashing – For end users, blockchain is just hashes. Theoretically and practically, no one can read anything other than numbers, and still all parties would agree on the right set of numbers. All the while, the parties holding the private keys for the respective data elements can read and write data on the blockchain. This is the real beauty of blockchain. No other open system has been so fluid in being consistent and obscure at the same time.
  • no double talk (spend) – Blockchain-based messaging (spending) is metered. It is not like chat, where you can retract. What you said once becomes your state, and everybody can verify it.
  • trustless – The four features above make blockchain a trustless conduit of trust. You don’t have to know anyone, but you can still trust that the coded rules perform their job as designed. This is also called “code is law”.
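
As an added example (not Solyd's code, and not a real blockchain: there is no consensus, network or signing here), the following Python models how issued access tokens, a hash-chained append-only log and a double-spend check combine to meter API calls, tying together the quota bullet and the feature list above. The class name `MeteredLedger`, the token ids and the endpoint paths are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting hash for the chain


def _digest(prev_hash, body):
    """Hash an entry together with its predecessor's hash (the chain link)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class MeteredLedger:
    """Append-only, hash-chained record of API access token spends."""

    def __init__(self, issued):
        # issued: {identity: [token ids]}, the tokens the organisation handed out
        self.owner = {t: ident for ident, toks in issued.items() for t in toks}
        self.spent = set()
        self.entries = []  # each entry: {"body": {...}, "hash": "..."}

    def spend(self, identity, token, endpoint):
        """Record one API call; reject unknown, foreign or reused tokens."""
        if self.owner.get(token) != identity:
            return False  # token was never issued to this identity
        if token in self.spent:
            return False  # double spend: this quota unit is already consumed
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"identity": identity, "token": token, "endpoint": endpoint}
        self.entries.append({"body": body, "hash": _digest(prev, body)})
        self.spent.add(token)
        return True

    def remaining(self, identity):
        """Unspent tokens left for an identity (its remaining quota)."""
        return sum(1 for t, i in self.owner.items()
                   if i == identity and t not in self.spent)


def verify(entries):
    """Recompute every link; return index of first bad entry, or -1 if intact."""
    prev, seen = GENESIS, set()
    for i, entry in enumerate(entries):
        token = entry["body"]["token"]
        if entry["hash"] != _digest(prev, entry["body"]) or token in seen:
            return i
        seen.add(token)
        prev = entry["hash"]
    return -1
```

Any party holding a copy of `entries` can run `verify` independently: editing a recorded call changes its digest and breaks the chain from that entry onward.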

What is blockchain identity?

Blockchain identity is a term used for addresses on the blockchain, either existing or non-existing (ones which can be created but are not part of any block so far). These addresses can have abstract transactions or contain smart contracts or their transactions. Any of these addresses can be a blockchain identity.

What is blockchain workflow?

A workflow is a sequence of logical events which creates a flow of desirable information and material. In blockchain, the value of the assets, messages or information is the material. You can host a workflow completely on one blockchain, over multiple blockchains in smaller parts, or partially on one or more blockchains with some parts on a server.

In Solyd you can host all these types of identities and workflows with a click of the button.

You can do it yourself (DIY)

With enough training on smart contracts and blockchain operation, one can deploy smart contracts for identity and workflow.

SOLYD Studio Suite

Deploying API security on Solyd cloud is easy, secure and very performant. Our stack runs across multiple optimized zones in multiple clouds for zero downtime and reliability. For a robust implementation, follow a four-phase process over a pilot scope, and repeat it according to your needs to expand your coverage.

  1. Diagnose: First of all, you should qualify the scope for its suitability for blockchain security. In this step, find and analyse the current state of the API gateways. Some sample questions are:
    • What is the API usage pattern?
    • What kind of vulnerabilities have been found?
    • What is the response time of fixing those vulnerabilities?
    • What are key concerns regarding vulnerabilities?
    • What is the current performance of your API gateway? What is the distribution of 2xx, 4xx, 5xx? What is the industry average? What is the customer feedback?
    • What collaborations and innovations have been achieved so far? What are the aspirational goals for next stage of micro-architecture journey?
    • What is working well in APIs?
    • What is not working well? What part of business suffered after API implementation?
    • What is the vision regarding micro-architecture? How does it align with organizational vision?
    • Leadership – What are the leadership metrics to communicate and delegate?
    • Impact – What outcomes are desirable and which are completely undesirable?
    • Focus – What should be the focus of blockchain security? What actions are needed from all stakeholders?
    • Example – What is the nearest analogical example to explain this change and new design?
  2. Design: In this phase, you should find champions to support this change or to act as SMEs to consult on this change. The design phase should answer the following high-level questions:
    • Identities – How do you want to identify your users? Based on this, you can define one or more identity smart contracts.
    • Workflows – What kind of workflows do you want to offer for your users to consume or propagate your APIs' outputs? Based on this, you can build one or more Hub smart contracts. Beyond that, workflows can be partly off-chain or distributed across multiple chains.
  3. Plan: Based on the above diagnosis and design, the next phase is to plan the actual implementation. Depending on the success matrix, you can choose to implement high-impact, low-effort APIs first or easy ones first. Each has its own merit. Planning is also about quantifying success. Remember that we plan based on a success matrix of effort/impact or easy/impact. It is therefore imperative to include the measuring of success in planning. Whichever method you choose to plan with, you should also get historical trends or KPIs to quantify the post-implementation improvements.
  4. Implement: The actual implementation is about creating the API & hook endpoints, blockchain containers and workflows in Studio. Refer to the extensive documentation for all these.

 

Tools to discover vulnerabilities in API gateways - Use sensibly

Caution: Organizations may have some open vulnerabilities in their IT systems, but they also have loggers which track every access, with multiple layers of your network stats. They will always catch you and come down hard. Therefore, our wisest advice is that if you find any open vulnerabilities in any company’s IT systems, you should report them to the company by email or through its bounty program for a reward. Promote the good side of you and you shall be rewarded.
