What are the security threats when working with CPaaS vendors?
Four security vulnerabilities should be top of mind as you move into real-time communication with APIs. Expert Tsahi Levent-Levi explains how to approach real-time communication security.
Real-time communication via APIs and communications platform as a service, or CPaaS, is generally more secure than using on-premises services or developing on your own. One reason is that CPaaS vendors have economies of scale. The other is that APIs and CPaaS offerings are frequently updated, so known vulnerabilities are quickly and efficiently patched. However, four areas are vulnerable when using real-time communication with APIs and CPaaS.
1. Exposing credentials
Accessing CPaaS vendor APIs requires credentials, which need to be handled with care. Placing credentials such as API keys in version-control repositories -- whether internal or external -- is a vulnerability, because you can't know who has access to them or where you'll be sharing the code.
Exposed credentials allow nefarious entities to access your infrastructure, which can lead to API abuse and data leaks in your communication service.
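A pre-commit style check for the risk described above, as an added example that is not part of the original article: it flags quoted, high-entropy literals assigned to credential-like names and reports only the location, never the value. The variable-name list, placeholder markers, entropy threshold, file names and key values are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Assumed convention: credential variables contain one of these words in their name.
ASSIGNMENT = re.compile(
    r"""\b(\w*(?:api_?key|secret|auth_?token|password)\w*)\s*[:=]\s*["']([^"']{16,})["']""",
    re.IGNORECASE,
)
# Assumed placeholder markers used in templates and documentation.
PLACEHOLDER = re.compile(r"replace|your|example|changeme|x{4,}", re.IGNORECASE)


def shannon_entropy(value):
    """Bits per character; random keys score high, words and repeats score low."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def find_hardcoded_credentials(path, text, min_entropy=3.5):
    """Return (path, line number, variable name) per finding, never the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in ASSIGNMENT.finditer(line):
            name, value = match.groups()
            if PLACEHOLDER.search(value) or shannon_entropy(value) < min_entropy:
                continue  # template placeholder or low-entropy filler, not a real key
            findings.append((path, lineno, name))
    return findings


# Constructed sample files; the key values are made up for this example.
SAMPLE_FILES = {
    "app/sms.py": 'import os\nCPAAS_API_KEY = "k3Jx9Qp2LmZ8vRt5Yw7Nb4Hc6Df1Gs0A"\n',
    "app/voice.py": 'import os\nCPAAS_API_KEY = os.environ["CPAAS_API_KEY"]\n',
    "config/template.yml": 'api_key: "REPLACE_WITH_YOUR_API_KEY"\nauth_token: "aaaaaaaaaaaaaaaaaaaa"\n',
    "config/prod.yml": 'auth_token: "Zq8Lw2Nf6Rb0Tj4Xc7Vh1Md5"\n',
}


def scan(files):
    """Scan every file in a {path: text} mapping, in path order."""
    return [f for path in sorted(files) for f in find_hardcoded_credentials(path, files[path])]


if __name__ == "__main__":
    for path, lineno, name in scan(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded value assigned to {name}")
```

The environment lookup in app/voice.py passes the check because the key is supplied at run time rather than stored in the repository.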
2. API abuse
A third party that has access to your account's credentials can make free use of your account, eating up your budget and resources through the CPaaS platform for their own needs. Depending on the type of credentials that were stolen, you risk being blocked from your own account.
When using APIs from CPaaS vendors, you should make use of any access-control capabilities to limit user access based on need and curb the scope of a potential breach.
3. Forgetting to secure your own code
The fact that you are developing with a third-party CPaaS vendor doesn't absolve you from taking care of security vulnerabilities on your end. Your application needs to be written like any other cloud application, with the understanding that every component needs to be independently secured. The messages that are sent between your application and the CPaaS vendor's API should also be sent in a secure fashion.
4. Trusting the wrong vendor
CPaaS vendors differ from each other in many ways, including how they've built their services and how they maintain and operate them on a day-to-day basis. The moment you use a real-time communication API hosted by a third party, you trust that third party to protect your application from security vulnerabilities and threats. Make sure the vendor you select is aligned with your security requirements.