Solved: Are APIs right interface for handling attachments?

Report Inappropriate Content · 03-04-2016 09:34 AM

Are APIs right interface for handling attachments from backend while the attachment contains sensitive information?

Report Inappropriate Content

In my opinion, APIs are one heck of a vehicle for you to meet security requirements of ease of accessibility to data. And hardening the security of your API should be a decision driven by the business and the IT organization. Therefore, it depends on the sensitivity of the data, the nature of the business, and industry regulations that you're dealing with. Encrypting data at rest and over the wire could be good enough for most industries. However, this level of security might not be though enough for specific applications. In this case, additional security such as file encryption might be required.

For APIs delivering attachments, in particular, I've implemented file encryption leveraging public and private keys with RSA and DSA algorithms implemented by PGP or AES. If you're interested in the how, here are some articles about techniques for file encryption compatible with Apigee Edge and Node.js:

http://lollyrock.com/articles/nodejs-encryption/

https://github.com/openpgpjs/openpgpjs

https://coolaj86.com/articles/asymmetric-public--private-key-encryption-in-node-js/

Hope it helps!

View solution in original post

kkleva

You can use APIs and Apigee Edge to send data from your apps to security hardened cloud or on-prem data storage solution. APIs are available to transfer large and small bits of files in single and multiple parts. Be sure your also doing some heavy encryption as @Diego Zuluaga notes as well.

One possible approach is to provide a facade that would offer a signed authorization url to the app developer when they need to move the goods. (for example, See: http://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html)

This ensures your sensitive data is sent directly from the client to the storage location and never passes through Edge. Also, it allows you to maintain your existing authorization and access controls you've become accustom to. Finally, if you're moving huge amounts of data its sure going to save lots of throughput on your MPs for dealing with other stuff.

View solution in original post

Report Inappropriate Content

In my opinion, APIs are one heck of a vehicle for you to meet security requirements of ease of accessibility to data. And hardening the security of your API should be a decision driven by the business and the IT organization. Therefore, it depends on the sensitivity of the data, the nature of the business, and industry regulations that you're dealing with. Encrypting data at rest and over the wire could be good enough for most industries. However, this level of security might not be though enough for specific applications. In this case, additional security such as file encryption might be required.

For APIs delivering attachments, in particular, I've implemented file encryption leveraging public and private keys with RSA and DSA algorithms implemented by PGP or AES. If you're interested in the how, here are some articles about techniques for file encryption compatible with Apigee Edge and Node.js:

http://lollyrock.com/articles/nodejs-encryption/

https://github.com/openpgpjs/openpgpjs

https://coolaj86.com/articles/asymmetric-public--private-key-encryption-in-node-js/

Hope it helps!

mytre4411

Thankyou @Diego Zuluaga .I will go through the links.

kkleva

You can use APIs and Apigee Edge to send data from your apps to security hardened cloud or on-prem data storage solution. APIs are available to transfer large and small bits of files in single and multiple parts. Be sure your also doing some heavy encryption as @Diego Zuluaga notes as well.

One possible approach is to provide a facade that would offer a signed authorization url to the app developer when they need to move the goods. (for example, See: http://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html)

This ensures your sensitive data is sent directly from the client to the storage location and never passes through Edge. Also, it allows you to maintain your existing authorization and access controls you've become accustom to. Finally, if you're moving huge amounts of data its sure going to save lots of throughput on your MPs for dealing with other stuff.