How to Access Sensitive and Regulated Data Through Microservices and APIs

This article appeared recently in DZone. Written by Gerry Gebel the Vice president of Business Development at Axiomatics.

How to Access Sensitive and Regulated Data Through Microservices and APIs

We’re seeing more businesses utilize microservices, service meshes and APIs to break down large, static applications and merge legacy systems with modern IT platforms. These agile and flexible application structures have changed the way we exchange data and are typically the method of choice when sharing data with external parties.

A microservices architecture is  ideal for developing and updating mobile applications because it can simplify data sharing. In fact, according to recent research from Advanced Market Analytics “mobility and app proliferation is the primary factor augmenting the demand for API management” and they also point out “API security issues” as a potential constraint to growth. 

By leveraging APIs, application services are created as disparate components to instantaneously communicate with one another. This approach conforms better with the continuous development and deployment cycle businesses employ to update and deliver applications and other software at a rapid pace. However, APIs are typically the channel for accessing sensitive or regulated data and require additional security measures. 

Protecting Sensitive Information Requires a Multitude of Security Controls

Protecting a microservices and API architecture requires an API gateway to provide internal security capabilities. API gateways efficiently manage the authentication of the user and provide service orchestration capabilities. However, if sensitive data is also involved, additional fine-grained authorization capabilities may be required.

In scenarios where fine-grained access is a must, enterprises can adopt a comprehensive approach to access control. By combining OAuth 2.0 and Attribute Based Access Control (ABAC) models, organizations can protect sensitive data exposed through APIs, even under complex access control scenarios. 

Layering in OAuth 2.0 and Attribute Based Access Control

OAuth is a standard for token-based delegated access that is popular with application developers. OAuth 2.0 supplies the foundation to define and utilize tokens that exchange information like scopes and user information across security domains. 

Oftentimes, OAuth 2.0 is used to provide microservices and APIs with enhanced security measures. An API gateway provides internal security capabilities or integrates with an external identity provider to handle authentication, delegated access and other requirements. OAuth 2.0 then compliments the API gateway by providing mechanisms to validate identities, validate tokens and support other scenarios. 

OAuth 2.0 provides delegated consent authorization which allows a party that holds some authorization to assign a subset of those permissions to another party, without requiring either party to disclose its credentials to the other. The approach works well for simple use cases, but what about more complex situations? By combining OAuth 2.0 with Attribute Based Access Control (ABAC), enterprises can separate the concerns of API protection, authentication, authorization and delegation, to achieve the finer grained access that is necessary in more complex use cases.

With ABAC, organizations can incorporate additional inputs like risk score, device information, location and more to make an authorization decision before sending the results back to the API gateway for enforcement. Without ABAC, this logic must be coded into the APIs, which could cost developers a significant amount of time and resources when initially developing the application as well as for future maintenance. 

The unified approach enables companies to implement an end-to-end API security model. 

The framework protects the privacy of customers and employees, the most business-critical affairs and both sensitive and regulated data assets across the API channel. Businesses also realize a plethora of other benefits including:

• The proper management and governance of access scopes.
• Cleaner APIs that are no longer polluted with security logic.
• More agile development cycles when offloading security to an infrastructure service.

While API gateways can handle authentication and OAuth 2.0 can solve some access control challenges as applications and other services share information, not all requirements are met. When handling complex use case scenarios or dealing with sensitive and regulated data, it is critical to go beyond the convenience of OAuth 2.0 and complement it with an ABAC solution.