The Cloud Security Alliance Summit brought together a panel of security experts on February 27 in San Francisco to examine the threats posed by API and cloud-based computing. Rather than providing guidance on how to mitigate security risks, they focused on the uncertain nature of security in an environment that is increasingly dominated by applications that use APIs to transfer data across the cloud.
One of the key benefits of APIs is their anonymous nature. In fact, it is their anonymity that is helping drive their growth. But the ease and speed with which API-based applications can be created has encouraged independent developers to jump into the fray without having to pay significant attention to security.
While the Wild West atmosphere may be seen as a threat by some, the biggest threat to personal Internet security is not APIs or small, independent developers but rather large companies “that collect massive amounts of data from people, including photos, documents, video, search and buying patterns,” panelist Bruce Schneier said.
Panelists pointed out the importance of the token-based authentication system, OAuth, in enabling personal users to authenticate with applications without surrendering their credentials. Because OAuth limits access to only one application at a time, with limitations of time and scope, it enables authors of applications to provide personalized services without having to independently manage security.
While OAuth may answer the security questions for individual use, as more businesses look to APIs to connect their applications across the cloud, it is inevitable that legitimate security concerns related to enterprise applications will arise.