Is your data secure? That question haunts website owners today for a good reason. U.S. data breaches hit an all-time high in 2016 — up 40 percent from the year before.

API key security is critical when it comes to keeping your data safe. If you’re running WordPress or Drupal, your website uses APIs. That means you should be just as concerned about API key security as you are about password security.

Below we dive into why API key security is so important.


Many developers try to treat API keys like they’re a security feature. What’s the problem with that line of thinking, you ask? Well, they aren’t. API keys are a liability to the security of your site.

In fact, API keys were never intended to function as a sole security measure. They’re only supposed to prove a user or a device is authorized for access.

Let’s put this in context: Imagine a security badge with a magnetic strip that opens doors. An API key is like the magnetic strip. The door opening only proves that the owner of the badge has authority to access an area. No organization in the world would accept a door opening as proof that someone belongs there. That isn’t true security.

Of course, if the badge also has a photograph and name printed on it, then security can compare the photo and name on the card with the face and ID of the person. That is a security measure that reinforces their access.

So, for example, when Google, Amazon, SendGrid, Stripe or Twitter issues you an API key, they provide the magnetic strip. They expect you to take responsibility to ensure the name and photo match.

You’re probably already using API or encryption keys on your website. How’s your key security? Check out Lockr to help securely manage your keys.


No matter how robust your culture of security is, people will make mistakes. They’ll open the wrong file or push a code revision with API keys to GitHub. Human error happens. Unfortunately, it accounted for 24% of data security issues in 2015.

Sometimes your regular employees aren’t the problem. Temporary employees often fill the gap during busy seasons, which gives full-time employees a chance for some time off to relieve pressure from an uptick in demand.

Temporary employees also raise the odds of human error. They rarely get the same level of security preparation.

That means they are much more likely to unintentionally reveal a password or email an API key to someone they shouldn’t. While some would argue for more robust security training, more robust key security is more practical and easier to implement and maintain in the long run.


There are few things more damaging to a company than letting customer or employee information fall into the hands of hackers. Sony learned that lesson to the tune of $15 million. Home Depot got hit even harder at $25 million.

Employees have to give you their information. Customers choose to trust you with it. In both cases, you take on responsibility for protecting that information.

Different APIs access different information, but some can access databases filled with customer or employee information. A poorly secured API key all but hands this information over to hackers. Even if the hackers offer to ransom the data back to you, there is no guarantee that they won’t just sell it anyway.

Failure to protect that information can have serious, time-consuming consequences. Victims of identity theft report spending up to 130 hours and $1,200 in out-of-pocket expenses to repair the damage.

If customer information gets exposed on your watch, it opens you and your business to consumer lawsuits and FTC actions. It’s well worth the small amount of time and expense to deploy good API key security practices now.


If you use another company’s API, poor API key security on your end can lead to problems.

The now legendary story of the $2,375 AWS bill racked up by Andrew Huffman stands as a case in point here. He exposed his API key and hackers used it to get server time for data mining. Amazon let him off the hook, but would have been well within its rights to demand payment.

API usage continues to increase as a critical element of the modern web. Development teams often break up projects and use internal APIs to get the parts talking. More and more large companies are making APIs available so users can perform analytics or access services.  

As the API ecosystem matures, API providers will prove less tolerant of mistakes like Huffman’s.

Even more concerning is the possibility of one compromised API key leading to more compromised API keys. Let’s say that you’re making use of several external APIs, and one of your API keys gets compromised. A hacker uses it to access your website and databases. The hacker finds the API key for another API provider and compromises that site. You take the blame because the API key is assigned to you. Needless to say, you now have a big problem on your hands — and are probably wishing you’d taken more measures to keep those API keys safe.


Imagine a world where personal health monitors can signal home security systems to call ambulances. A world where your web-connected car can signal your thermostat to turn the heat up in your apartment. A medical system where the data from your heart monitor triggers the issuance of medication from a pharmacy.

That is the world of the Internet of Things (IoT). It’s on its way. And it will rely on APIs.

Mistakes with API keys can be disastrous for a company and its customers’ credit scores. So what will happen when people’s lives or the security of their homes depend on APIs?

The backlash that will occur the first time a person dies because a mishandled API key compromises a lifesaving service will likely include:

  • Trials
  • Congressional committees on IoT technologies
  • Lots of new regulations

It will be a bad time to discover you’ve got lousy API key security practices.

The time to develop good API and API key security practices is now. That way, when the IoT is everywhere, you aren’t behind the curve.

In fact, you probably already have APIs on your website. That means you’re already managing API keys. How’s your key security?

Are you storing them in plain text files? In your database? Trading them by email?

Let’s hope not. If you’re looking to up your security game, it’s time to put those keys somewhere safe.

Lockr securely hosts your API keys off site and offers seamless integration with most content management systems. To find out how Lockr can help you, contact us today.