Show all

Securing API Integration for Government in the Public Cloud

More than 3.9 billion people are now staying home to prevent the spread of the COVID-19 virus. Social distancing and stay-home measures meant that most people are accessing services digitally. Be it e-commerce or government services, online services are experiencing an exponential increase in load.

Are government systems able to handle this increase in load? Should they increase the number of servers? If yes, how many? We are charting new territories and nobody knows how long this pandemic will last.

Government Systems on Public Cloud

The benefits of moving government systems to the public cloud has never been more evident. Instead of purchasing the maximum number of physical servers to cater to the maximum traffic volume, cloud computing enables systems to scale on-demand. And it can be done remotely without physically installing the servers in the data centres.

Together with the ease of data exchange and resource management on the cloud with Application Programming Interface (API), it is easy to see why more and more governments’ systems are moving to the public cloud. 

Securely Integrating Government Systems using APIs

APIs are customisable software interfaces that allow various software components to communicate. It brings a new level of connectivity and data sharing between government systems by overcoming the inherent incompatibilities created by differing software platforms, data structures and underlying technologies.

APIs improve connectivity, but if not managed well, it potentially poses several security threats such as sensitive data exposure, broken authentication and injection attacks. Given that government systems are access points to a wide range of national data, some of which is highly confidential and sensitive, these APIs have to be managed with care. 

API security will be one of the biggest challenges government systems will face in protecting their systems and this is why, beyond the usual authentication and authorisation, the Ecquaria Integration Centre (EIC) API Gateway has content inspection inbuilt as an enhanced security feature. It is analogous to inspecting the contents of a parcel before shipping to ensure the security of the contents.

What is Content Inspection?

Content inspection refers to the examination of the contents of a request by applying some configurable rules to determine whether a request is legitimate and should be accepted. This is to actively prevent misbehaving apps from sending invalid requests (e.g. with malicious intent to exploit) through the EIC API Gateway to the target endpoint.

Why is Content Inspection Important for Government Systems?

Government systems contain a full range of data – from data that can be readily consumed by the public to highly sensitive data. To protect the end systems from threats such as SQL Injection, XPath Injection and Denial of Service attacks, an API gateway should be deployed to inspect all API requests for valid contents that conform to the API specifications.

Content Inspection Capabilities in the EIC API Gateway

  1. Request Body Validation
    • Figure 1: JSON Schema validation applied to the request body

    • The EIC API Gateway verifies API requests against a specified JSON schema and checks that the data sent to the government system’s through an API is in the expected format before accepting the request. Requests that are not in the expected format will be rejected with the error code configured in the EIC Management Console, along with the detailed error message.

  2. Request Parameter Validation
    • Some API services accept parameters in the request headers or query string. EIC API Gateway allows these requests to be validated by defining the accepted header and query parameters by checking its name and value format.

    • Figure 2: Configuring validation schema for request header parameter and/or query string

  3. Resource (URL) Path Validation
  4. EIC API Gateway comes with the feature of whitelisting and blacklisting path, ensuring that only bona fide Resource (URL) Path will be accepted.

    Specially designed for the government, EIC API Gateway combines authentication, authorisation and content inspection to secure and validate requests at the gateway itself before dispatching to the backend services.

EIC is a government-compliant integration solution. Other than EIC API Gateway, it also includes EIC Identity Service provides fast and easy integration with government identity providers to safeguard government systems and data, ensuring that even as more systems go on the public cloud our digital infrastructure defence remains strong.

This is part 1 of the Government-Compliant Integration series. Stay tuned for more.