Encrypting Data
Encryption in transit
- use standard algorithms
- Transport Layer Security (TLS) / HTTPS
- SSL certificates
- Certificate management
Encryption at rest
- disk encryption
- key management
- encrypt backups
Authentication
- BASIC: username / password for client login, requires password storage
- API key: Key per client, key management
- Client certificate: Public key cryptography, complex management
- OAuth 2 & OpenID Connect
Authorization
- Make decisions based on roles
- consider carefully what callers should be allowed to do
Secure the network
- virtual network
- IP whitelisting
- Firewalls
- API gateway
Additional Defensive Measures
- Penetration testing: get help from the experts
- Automated security testing: prove your APIs reject unauthorized callers
- Attack detection: react quickly when you're under attack
- Auditing: know exactly who did what and when
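As an added example (not part of the original notes), the following stand-alone Python ties several of the points above together: API-key authentication against hashed keys, role-based authorization, an audit record of who did what and when, and an automated test that proves unauthorized callers are rejected. The header name, keys, client names, roles and paths are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample: API keys are stored only as SHA-256 hashes, each mapped
# to the client it identifies and the roles that client holds.
_KEY_HASHES = {
    hashlib.sha256(b"demo-reader-key").hexdigest(): {"client": "reports-svc", "roles": {"reader"}},
    hashlib.sha256(b"demo-admin-key").hexdigest(): {"client": "ops-console", "roles": {"reader", "admin"}},
}
AUDIT_LOG = []  # who did what, when, and the outcome

def authenticate(headers):
    """Return the client record for a valid X-API-Key header, else None."""
    presented = headers.get("X-API-Key")
    if not presented:
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    for stored, client in _KEY_HASHES.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison of digests
            return client
    return None

def handle(method, path, headers, required_role):
    """Authenticate, then authorize by role; every decision is audited."""
    client = authenticate(headers)
    if client is None:
        status = 401  # unauthenticated
    elif required_role not in client["roles"]:
        status = 403  # authenticated but not allowed to do this
    else:
        status = 200
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": client["client"] if client else "anonymous",
        "what": f"{method} {path}",
        "status": status,
    })
    return status

def run_security_tests():
    """Automated checks that unauthorized callers are rejected (and valid ones accepted)."""
    cases = [
        ({}, "reader", 401),                               # no credentials
        ({"X-API-Key": "wrong"}, "reader", 401),           # unknown key
        ({"X-API-Key": "demo-reader-key"}, "admin", 403),  # valid key, insufficient role
        ({"X-API-Key": "demo-reader-key"}, "reader", 200),
        ({"X-API-Key": "demo-admin-key"}, "admin", 200),
    ]
    return all(handle("GET", "/v1/orders", h, role) == expected for h, role, expected in cases)
```

Running `run_security_tests()` in a CI pipeline turns the "reject unauthorized callers" requirement into a check that fails the build when it regresses.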