Encrypting Data
Encryption in transit
- Use standard, well-reviewed algorithms and protocol versions; do not design your own
- Transport Layer Security (TLS): serve the API over HTTPS only
- SSL/TLS certificates: the server proves its identity to clients with a certificate
- Certificate management: issuance, renewal before expiry and revocation need an owner and a process
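An added example (not part of the original notes) showing the client side of "encryption in transit" in Python's standard library: a TLS context that only accepts current protocol versions and a verified, hostname-matching certificate, plus a small expiry check of the kind a certificate-management job would run. The certificate dates and the 30-day renewal window are constructed values.

```python
import ssl
import time
from typing import Dict, Optional


def tls_client_context() -> ssl.SSLContext:
    """Client context enforcing the notes' requirements: standard protocol
    versions only, peer certificate required and verified against the system
    trust store, and the certificate must match the hostname we connect to."""
    ctx = ssl.create_default_context()            # loads the OS CA bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True                     # cert must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable cert -> handshake fails
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the security-relevant settings of a context, so a unit test
    can guard against someone 'temporarily' disabling verification."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def parse_cert_time(stamp: str) -> float:
    """Epoch seconds for a 'notBefore'/'notAfter' string in the format
    SSLSocket.getpeercert() returns, e.g. 'Jan  5 09:30:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(stamp)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left before the certificate's notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return (parse_cert_time(not_after) - now) / 86400


def needs_renewal(not_after: str, warn_days: int = 30,
                  now: Optional[float] = None) -> bool:
    """True when the certificate is inside the renewal window or already expired."""
    return days_until_expiry(not_after, now) < warn_days


if __name__ == "__main__":
    # Constructed certificate dates, not taken from any real host.
    print(describe_context(tls_client_context()))
    print(needs_renewal("Jan  5 00:00:00 2025 GMT",
                        now=parse_cert_time("Dec 20 00:00:00 2024 GMT")))
```

`create_default_context()` already picks sane defaults; the point of setting `minimum_version`, `check_hostname` and `verify_mode` explicitly is that a test over `describe_context()` fails loudly if any of them is later relaxed.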
Encryption at rest
- Disk encryption
- Key management: keys are stored and rotated separately from the data they protect
- Encrypt backups: a backup is a copy of the data and needs the same protection
Authentication
- Basic authentication: username / password sent by the client; requires the server to store and protect passwords
- API key: one key per client; requires key management
- Client certificate: public-key cryptography; certificate management is complex
- OAuth 2.0 and OpenID Connect
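An added example (not code from the original notes) of the first two schemes in Python: Basic authentication backed by salted PBKDF2 password hashes rather than stored passwords, and API keys of which the server keeps only a hash. The in-memory stores, the `X-API-Key` header name and the PBKDF2 work factor are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed in-memory stores standing in for the credential database.
ITERATIONS = 100_000                       # PBKDF2 work factor; tune upward in production
_USERS: Dict[str, Dict[str, bytes]] = {}   # username -> {"salt", "hash"}
_API_KEYS: Dict[str, str] = {}             # sha256(key) hex -> client name


def register_user(username: str, password: str) -> None:
    """Store only a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    _USERS[username] = {"salt": salt, "hash": digest}


def check_password(username: str, password: str) -> bool:
    rec = _USERS.get(username)
    if rec is None:
        # Do the same work for unknown users so response time does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])   # constant-time comparison


def issue_api_key(client: str) -> str:
    """Generate a random key for a client. The server keeps only its hash, so a
    leaked key table cannot be replayed; the key itself is shown to the client once."""
    key = base64.urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
    _API_KEYS[hashlib.sha256(key.encode()).hexdigest()] = client
    return key


def basic_header(username: str, password: str) -> str:
    """What a client sends: 'Basic base64(user:pass)'."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the authenticated principal (username or client name), or None.
    Checks Basic auth first, then the assumed X-API-Key header."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None                       # malformed credential: reject
        user, _, pw = decoded.partition(":")
        return user if check_password(user, pw) else None
    api_key = headers.get("X-API-Key")
    if api_key:
        # Look up the hash of the presented key; the raw secret is never
        # compared or stored, and a miss reveals nothing.
        return _API_KEYS.get(hashlib.sha256(api_key.encode()).hexdigest())
    return None


if __name__ == "__main__":
    register_user("alice", "correct horse battery")   # constructed credentials
    print(authenticate({"Authorization": basic_header("alice", "correct horse battery")}))
    key = issue_api_key("billing-svc")
    print(authenticate({"X-API-Key": key}))
```

Both schemes only make sense over TLS: Basic sends the password on every request and an API key is a bearer secret, so the transport is what keeps them out of a network observer's hands.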
Authorization
- Make authorization decisions based on roles
- Consider carefully what each caller should be allowed to do, and deny everything else
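An added example (not from the original notes) of role-based authorization in Python: an explicit allow-list of `resource:action` permissions per role, deny-by-default, and a decision function that also returns the reason so it can be logged. The roles, resources and actions are constructed for the example.

```python
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed policy: an explicit allow-list of "resource:action" strings per
# role. Anything not listed is denied, and unknown roles grant nothing.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer":  frozenset({"orders:read"}),
    "support": frozenset({"orders:read", "orders:refund"}),
    "admin":   frozenset({"orders:read", "orders:refund", "orders:delete", "users:manage"}),
}


def permissions_for(roles: Iterable[str]) -> Set[str]:
    """Union of permissions over the caller's roles (deny-by-default)."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())   # unknown role -> nothing
    return granted


def decide(roles: Iterable[str], resource: str, action: str) -> Dict[str, object]:
    """Authorization decision plus what was needed, so the outcome can be audited."""
    role_list: List[str] = list(roles)
    needed = f"{resource}:{action}"
    return {
        "allowed": needed in permissions_for(role_list),
        "needed": needed,
        "roles": role_list,
    }


def enforce(roles: Iterable[str], resource: str, action: str) -> None:
    """Call at the top of a handler; raises instead of silently continuing.
    `roles` must come from a verified credential (token claims, a session
    record), never from a request parameter the caller controls."""
    d = decide(roles, resource, action)
    if not d["allowed"]:
        raise PermissionError(f"roles {d['roles']} lack {d['needed']}")


if __name__ == "__main__":
    print(decide(["support"], "orders", "refund"))   # allowed
    print(decide(["viewer"], "orders", "refund"))    # denied
```

Keeping the policy as data rather than scattered `if role == "admin"` checks makes the question "what can this caller do?" answerable by reading one table, and makes the denial reason available for the audit log.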
Secure the network
- Virtual network: keep backend services off the public internet
- IP whitelisting (allowlisting): only accept calls from known client addresses
- Firewalls
- API gateway: a single entry point that applies these controls for every service behind it
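An added example (not code from the original notes) of IP allowlisting in Python, including the check that is easy to get wrong behind a gateway: the `X-Forwarded-For` header is only believed when the TCP peer is one of our own proxies, because from any other peer it is attacker-supplied input. All address ranges are constructed documentation values.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def compile_networks(cidrs: Iterable[str]) -> List[Network]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed example ranges (documentation/private space, not real deployments).
ALLOWLIST = compile_networks(["10.0.0.0/8", "203.0.113.0/24"])
TRUSTED_PROXIES = compile_networks(["192.168.1.0/24"])   # our API gateway / load balancer


def in_any(addr: Address, nets: Iterable[Network]) -> bool:
    return any(addr in net for net in nets)   # IPv4/IPv6 mismatch simply yields False


def client_address(peer_ip: str, forwarded_for: Optional[str],
                   trusted_proxies: List[Network]) -> Optional[Address]:
    """Work out which address the allow-list applies to.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    gateways; from any other peer the header is ignored. Walk the chain from
    the right and take the first hop that is not a trusted proxy. Returns None
    when any address is unparsable, which callers treat as deny.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
        if forwarded_for and in_any(peer, trusted_proxies):
            for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
                addr = ipaddress.ip_address(hop)
                if not in_any(addr, trusted_proxies):
                    return addr
        return peer   # no header, untrusted peer, or every hop was a proxy
    except ValueError:
        return None


def ip_permitted(peer_ip: str, forwarded_for: Optional[str],
                 allowlist: List[Network], trusted_proxies: List[Network]) -> bool:
    """Deny-by-default allow-list check on the resolved client address."""
    addr = client_address(peer_ip, forwarded_for, trusted_proxies)
    return addr is not None and in_any(addr, allowlist)


if __name__ == "__main__":
    # Call via the gateway from an allowed range -> permitted
    print(ip_permitted("192.168.1.5", "203.0.113.7", ALLOWLIST, TRUSTED_PROXIES))
    # Direct call from an unknown peer claiming an allowed address -> header ignored, denied
    print(ip_permitted("198.51.100.9", "10.1.1.1", ALLOWLIST, TRUSTED_PROXIES))
```

Address allowlisting is a coarse control (shared NATs, address churn) and is best layered under authentication rather than used instead of it; the header-trust rule above is what stops the control from being bypassed with one forged request line.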
Additional Defensive Measures
- Penetration testing: get help from the experts
- Automated security testing: prove in your test suite that the APIs reject unauthorized callers
- Attack detection: notice quickly when you are under attack and react
- Auditing: know exactly who did what, and when
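An added example (not from the original notes) covering the last two measures in Python: a small parser for API access-log lines, a sliding-window detector that raises an alert when one source address accumulates repeated 401/403 responses, and an audit-trail builder that records who did what and when for every state-changing call. The log format and the sample lines are constructed; the regular expression would be adapted to a real gateway's layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Set, Tuple

# Constructed access-log lines in a simple key=value layout (an assumption).
SAMPLE_LOG = """\
2024-04-01T10:00:01Z ip=198.51.100.9 user=- method=POST path=/login status=401
2024-04-01T10:00:03Z ip=198.51.100.9 user=- method=POST path=/login status=401
2024-04-01T10:00:04Z ip=10.0.0.5 user=alice method=GET path=/orders status=200
2024-04-01T10:00:06Z ip=198.51.100.9 user=- method=POST path=/login status=401
2024-04-01T10:00:09Z ip=198.51.100.9 user=- method=POST path=/login status=401
2024-04-01T10:00:12Z ip=198.51.100.9 user=- method=POST path=/login status=401
2024-04-01T10:00:15Z ip=198.51.100.9 user=- method=POST path=/login status=401
2024-04-01T10:00:20Z ip=10.0.0.5 user=alice method=DELETE path=/orders/42 status=204
2024-04-01T10:03:00Z ip=10.0.0.8 user=bob method=POST path=/orders/42/refund status=403
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One log line -> record dict; malformed lines are skipped, not guessed at."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(str(rec["status"]))
    return rec


def detect_auth_failures(records: List[Dict[str, object]], threshold: int = 5,
                         window: timedelta = timedelta(seconds=60)) -> List[Dict[str, object]]:
    """Alert once per source IP that accumulates `threshold` 401/403 responses
    inside a sliding `window`. Records must be in time order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Dict[str, object]] = []
    for rec in records:
        if rec["status"] not in (401, 403):
            continue
        ip, ts = str(rec["ip"]), rec["ts"]
        q = recent[ip]
        q.append(ts)                       # type: ignore[arg-type]
        while q and ts - q[0] > window:    # type: ignore[operator]
            q.popleft()                    # drop failures older than the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})  # type: ignore[union-attr]
    return alerts


def audit_trail(records: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """One audit record per state-changing call: who, what, when, from where, outcome."""
    return [{"when": r["ts"].isoformat(),                       # type: ignore[union-attr]
             "who": "anonymous" if r["user"] == "-" else str(r["user"]),
             "what": f'{r["method"]} {r["path"]}',
             "from": str(r["ip"]),
             "outcome": "ok" if int(str(r["status"])) < 400 else "denied"}
            for r in records if r["method"] in MUTATING]


def analyze(log_text: str) -> Tuple[List[Dict[str, object]], List[Dict[str, str]]]:
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    records.sort(key=lambda r: r["ts"])   # type: ignore[arg-type, return-value]
    return detect_auth_failures(records), audit_trail(records)


if __name__ == "__main__":
    alerts, audit = analyze(SAMPLE_LOG)
    print("alerts:", alerts)
    for entry in audit:
        print("audit:", entry)
```

The detector fires on the fifth failure from `198.51.100.9` and then stays quiet for that address, which is what you want feeding an alerting channel; the audit trail records denied attempts as well as successes, since "who tried what and was refused" is exactly the question an investigation asks.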