Azure API management is a way for organizations to create consistent and modern API gateways for existing backend services. It helps organizations to publish APIs to external, partner, and internal developers to unlock the full potential of their data and services.
It’s so valuable because organizations everywhere want to extend their operations as a digital platform and create new channels, find new customers, and improve engagement with existing ones. Azure API Management makes this possible and provides the tools necessary to ensure a successful API program with proper developer engagement, business insights, analytics, security, and protection.
As a result of this and the popularity of APIs, it is essential that organizations secure their API Management. The problem is, how do organizations know how to secure Azure API Management.
Here, Microsoft sets out a security baseline for API Management that applies the guidelines from Azure Security Benchmark version 1.0 to API Management. In this post, we’ll look at this baseline and its security recommendations in more detail.
Network Security
The recommendations on network security focus on specifying which network protocols, ports, and network-connected services are allowed or denied access to the API.
· Protecting resources within virtual networks. Azure API Management should be configured in an Azure virtual network so that it can access backend services within the network. In turn, the developer portal and API Management Gateway can be accessed either from an external network or within the virtual network.
· Monitoring and logging the configuration and traffic of virtual networks, subnets, and interfaces. Inbound and outbound traffic into the subnet where API management is deployed can be controlled using Network Security Groups (NSG). Developers can then enable NSG flow logs to monitor and log the traffic. As such, they’ll be able to see network activity and identify security threats.
· Protecting critical web applications. To protect critical applications, API Management should be configured within a virtual network in internal mode, and an Azure Application Gateway should be configured. By using this Gateway, developers can control access to critical web applications.
· Denying communications with known malicious IP addresses. API Management should be configured in internal mode, and an application Gateway should be configured. By using this Gateway, developers can prevent access to malicious IP addresses.
· Recording network packets. With an NSG, developers can record logs of network traffic and identify hotspots, traffic flow patterns, and can pinpoint network misconfigurations.
· Deploying network-based intrusion detection or intrusion prevention systems. An application Gateway provides protection in one of two modes. In detection mode, it monitors and logs all threats. In prevention mode, it blocks intrusions and attacks.
· Managing traffic to web applications. To control traffic flowing to web applications, developers can use API management with an application Gateway to manage web traffic and can even switch access to the public Internet on and off.
· Minimizing complexity and administrative overhead. By using Virtual Network Service Tags to define network access controls, developers can simplify the process of managing network security rules.
· Maintaining standard security configurations. It’s essential to define and implement standard security configurations for network settings related to the API Management deployment.
· Documenting traffic configuration rules. Tags should be used for Network Security Groups and other related to network security and traffic.
· Using automated tools to monitor network resource configurations. Developers should use Azure Activity Log to monitor resource configurations and detect changes. They can set up alerts that will trigger when changes take place.
Logging and Monitoring
The recommendations on logging and monitoring focus on all activities related to enabling, acquiring, and storing audit logs relating to API Management.
These recommendations include:
· Configuring central security log management. Developers should use Log Analytics to query and perform analytics, send logs to Azure storage, or for offline analysis.
· Enabling audit logging for Azure resources. Azure activity log diagnostic settings should be used for control plane audit logging. These activity logs should be sent to a Log Analytics workspace for analysis and reporting.
· Configuring security log storage retention. The retention period in the log analytics workspace should be set according to the organization’s compliance regulations.
· Monitoring and reviewing logs. Logs should be monitored continuously to gain an insight into the state and health of the APIs.
· Enabling alerts for anomalous activities. Metric alerts should be set up to show when something unexpected is happening with the API.
Identity and Access Control
The identity and access control recommendations focus on dealing with issues related to identity-based access control, administrative access, abnormal account behavior, and role-based access.
The recommendations to implement proper identity and access control include:
· Maintaining an inventory of administrative accounts. Azure Active Directory Powershell should be used to perform ad hoc queries to discover accounts in administrative groups.
· Changing default passwords where applicable. Although Azure Active Directory does not have the concept of default passwords, other third-party applications may. It’s necessary to change these passwords. Also, Azure API Management comes with a pair of generated keys. These keys should be changed.
· Using dedicated administrative accounts. Organizations should create standard operating procedures around the use of dedicated administrative accounts, and the number of these accounts should be monitored with Azure Security Center.
· Using Azure Active Directory single sign-on (SSO). API Management should be configured to use Azure Active Directory as an identity provider for authenticating users.
· Using multi-factor authentication. Azure Active Directory multifactor authentication should be enabled.
· Using dedicated machines for all administrative tasks. It’s important to use privileged access workstations (PAW) with multifactor authentication to log into and manage Azure resources.
· Logging and alerting on suspicious activities from administrative accounts. Azure Active Directory Privileged Identity Management should be used to generate logs and alerts on suspicious activities that occur in the environment.
· Managing Azure resources from only approved locations. Organizations should use Conditional Access Named Locations to allow access to the Azure portal only from specific locations.
· Using Azure Active Directory. Azure active directory should, where possible, be used as the central authentication and authorization system.
· Regularly reviewing and reconciling user access. It’s crucial to regularly review user access to ensure that unauthorized users do not access any resources. This can be done by using Azure Active Directory.
· Monitoring attempts to access the activated credentials. Azure Active Directory should be set up to create logs and send these logs to Log Analytics.
· Alerting on account sign-in the area of mediation. Risk detection features and Azure Active Directory Identity Protection should be used to detect suspicious actions.
Data Protection
The recommendations on data protection focus on issues relating to encryption, access control lists, identity-based access control, and logging.
These recommendations include:
· Maintaining an inventory of sensitive information by using tags.
· Isolating systems storing or processing sensitive information. It is important to implement separate subscriptions or groups for development, testing, and production.
· Encrypting all sensitive information. All the transfer of information should be encrypted with TLS.
· Using Azure RBAC. Role-based access control should be used to control access to Azure API Management.
· Logging and alerting on changes to critical Azure resources. Organizations should use Azure Monitor to log activity and create alerts when changes take place.
Inventory and Asset Management
The recommendations on Inventory and Asset Management focus on issues related to actively managing Azure resources so that access is only given to authorized resources and that unauthorized resources are removed.
These recommendations on Inventory and Asset Management include:
· Using an automated asset discovery solution. Azure Resource Graph should be used to discover and query all resources.
· Maintaining asset metadata. Tags should be used on resources to organize them logically.
· Deleting unauthorized resources. Organizations should use tagging, groups, and separate subscriptions to organize and track resources. To delete unauthorized resources from the subscription when necessary.
· Monitoring for unapproved Azure resources. Azure Policy should be used to put restrictions on the type of resources that can be created.
· Using only approved Azure services. Azure Policy should be used to specify the type of resources that can be created and which are allowed.
· Limiting users’ ability to interact with Azure Resource Manager. Organizations should configure Azure Conditional Access to limit users’ ability to interact with Azure Resource Manager.
Secure Configuration
The recommendations on secure configuration enable organizations to establish, implement, and actively manage the security configuration of Azure resources.
The recommendations to achieve this include:
· Establishing secure configurations for all Azure resources. Organizations should define and implement standard security configurations for their Azure API Management service using Azure Policy.
· Maintaining secure Azure resource configurations. Organizations should define and implement standard security configurations for their Azure API Management service using Azure Policy.
· Securely storing configuration of Azure resources. Azure DevOps or Azure Repos should be used to securely store and manage Azure API Management service configuration.
· Deploying configuration management tools for Azure resources. As above, organizations should define and implement standard security configurations for their Azure API Management service using Azure Policy.
· Implementing automated configuration monitoring for Azure Resources. Azure API Management DevOps Resource Kit should be used to perform configuration management.
· Managing identities securely and automatically. Organizations should use Managed Service Identity generated by the Azure Active Directory to allow the API management instance to easily and securely access other resources.
· Eliminating unintended credential exposure. Organizations should implement Credential Scanner to identify credentials within code and move these credentials the more secure locations.
Data Recovery
The recommendations on data recovery ensure that organizations’ system data, configurations, and secrets are automatically backed up regularly.
These recommendations include:
· Ensuring regular automated backups. By publishing and managing their APIs through Azure API Management, organizations take advantage of fault tolerance and infrastructure capabilities they otherwise have to implement manually.
· Performing complete system backups and backing up any customer-managed keys. The backup and restore operations provided by Azure API Management perform complete system backups and restores.
· Validating all backups. Organizations should validate backups by performing a test restore of the service.
· Ensuring protection of backups. Organizations should follow the necessary security recommendations to protect their backups.
Incident Response
The recommendations on incident response focus on developing and implementing an incident response infrastructure that allows organizations to quickly discover and attack and effectively contain the damage.
These recommendations on incident response include:
· Creating an incident response guide. Organizations should develop an incident response guide that defines all roles of personnel and the phases of incident management.
· Creating an incident scoring and prioritization procedure. Security organizations to prioritize which should be investigated first.
· Testing security response procedures. Organizations should conduct exercises to test their incident response capabilities regularly.
· Providing incident contact details and configuring alerts. This contact information will be used to contact the organization if their data has been accessed by an unauthorized party.
· Incorporating security alerts into the incident response system. Organizations should export their security Center alerts and recommendations to help identify risks to Azure resources. They should use Continuous Export, which allows alerts and recommendations to be exported manually or continuously.
· Automating the response to alerts. Organizations should use Workflow Automation to trigger responses to security alerts.
The Bottom Line
Azure API Management is an excellent service that allows organizations to create and manage their APIs. It should, however, be secured. Here, Microsoft sets the baseline of security needed to secure APIs when publishing them to external, partner, and internal developers.
Hopefully, this post helped illustrate the baseline security necessary and the recommendations to achieve it. For more information on Azure API Management or how to secure the service, visit our website and contact us for more details.