A client of mine has a bunch of APIs in CloudHub that communicate with two APIs on premise in their runtime. The question I get asked, to which I don't really know the answer, is how to secure the communication between the APIs on CloudHub and on premise without using API Manager (since the client preferred not to pay for it)? I thought of a middleware (middleware inception) that hashes the messages from one end to another; is this a viable idea? What could the best answer be?

aled
Zyoumir
  • What do you mean exactly by "securing"? Authentication, authorization, encryption, something else? Note that these are not MuleSoft's APIs. These are Mule applications owned by your customer that implement their APIs. It is not correct to say they are "mulesoft apis". Also, which applications initiate the requests? Apps in CloudHub to on prem apps, the on prem app to CloudHub apps or both ways? – aled May 18 '22 at 13:49
  • I mean not having anyone do a man in the middle attack ( so encryption basically ), because the communication between the apis on cloudhub and on premise is not secure at all ( not even client_id & secret). These mule applications both can send and receive data. – Zyoumir May 18 '22 at 14:00
  • But who makes the HTTP requests? Both? – aled May 18 '22 at 14:08
  • Mostly it's the Cloud based ones. – Zyoumir May 18 '22 at 14:47
  • Are you looking for any particular way to secure? Or are you just trying to figure out the best practices that you should follow? – Harshank Bansal May 18 '22 at 14:52
  • The problem is the project has many issues, the client doesn't want to pay for API manager that is built-in, so we're currently looking for another way to secure the requests. As mentioned above, is it possible to create another api that encrypts messages between these apis ? – Zyoumir May 18 '22 at 15:34

1 Answer

The server applications should implement some basic security best practices like authentication and encryption.

Having applications deployed in any cloud environment without security is a big security risk. I assume that there is a secure link between the CloudHub environment and their on premise environment, like a VPN, but even so this architecture would not probably pass a security audit.

They should implement authentication using HTTP Basic authentication or OAuth 2. These are the most common authentication schemas used for REST APIs. Note that credentials go in clear text so they should also implement encryption.

To encrypt the traffic the server applications should use TLS, i.e. HTTPS connections instead of plain HTTP.

Optionally you could also implement mutual TLS authentication, requiring the client to have a valid certificate that the HTTPS server validates.

Hashing messages could be an additional level of security, but that implies changing the applications' logic to implement some custom security. The effort should be better put into implementing standard security practices as mentioned. If after that you want to add it, feel free to do so.

You have not shared details of the technology of the on prem applications. Mule applications can implement both the client and server side of any of these methods. Read the documentation for details:

aled
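The answer's three points (credentials in Basic auth are effectively clear text, so they must only travel over TLS; mutual TLS adds a client certificate check) are easy to see in code. The following is an added Python example and is not Mule code or anything from the original post; it assumes a constructed credential store with one hypothetical user and placeholder certificate file paths, and it models the server-side decision a Mule HTTP listener (or any HTTPS server) would make.

```python
import base64
import binascii
import hashlib
import hmac
import ssl
from typing import Dict, Optional, Tuple

# Constructed demo credential store: username -> salted SHA-256 digest.
# A real deployment would use a purpose-built password hash (argon2, bcrypt).
_SALT = b"constructed-demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


# Hypothetical client identity used by the CloudHub application.
USERS: Dict[str, bytes] = {"cloudhub-app": _digest("s3cret-demo-password")}


def basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: recover (user, password) from 'Authorization: Basic ...'.

    Base64 is an encoding, not encryption: anyone who can read a plain-HTTP
    request on the path can run this same function. That is why the answer
    says Basic auth must be combined with TLS.
    """
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def verify_credentials(user: str, password: str) -> bool:
    """Constant-time check so timing does not reveal valid usernames."""
    stored = USERS.get(user)
    candidate = _digest(password)
    # Compare against a dummy digest when the user is unknown so the work done
    # is the same either way; the final result is still False in that case.
    matched = hmac.compare_digest(candidate, stored if stored is not None else candidate)
    return matched and stored is not None


def authorize(headers: Dict[str, str], over_tls: bool) -> Tuple[int, str]:
    """Return (HTTP status, reason) for a request, given its headers and
    whether it arrived on an HTTPS listener."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not over_tls:
        # Do not even parse credentials on plain HTTP: accepting them would
        # let anyone on the network path read the password.
        return 403, "credentials are only accepted over TLS"
    creds = decode_basic_header(lowered.get("authorization"))
    if creds is None:
        return 401, "missing or malformed Basic credentials"
    user, password = creds
    if not verify_credentials(user, password):
        return 401, "invalid credentials"
    return 200, f"authenticated as {user}"


def mtls_server_context(cert_file: str, key_file: str, client_ca_file: str) -> ssl.SSLContext:
    """Server TLS context that additionally requires a client certificate
    issued by client_ca_file (mutual TLS). All three paths are placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject clients with no valid certificate
    return ctx


if __name__ == "__main__":
    hdr = basic_header("cloudhub-app", "s3cret-demo-password")
    print("header on the wire:", hdr)
    print("decoded by anyone who sees it:", decode_basic_header(hdr))
    print("over plain HTTP:", authorize({"Authorization": hdr}, over_tls=False))
    print("over HTTPS:", authorize({"Authorization": hdr}, over_tls=True))
```

`mtls_server_context` is the piece that corresponds to the optional mutual TLS step: `ssl.Purpose.CLIENT_AUTH` builds a server-side context, `load_cert_chain` supplies the server's own certificate and key, and `verify_mode = ssl.CERT_REQUIRED` makes the handshake fail unless the client presents a certificate chaining to the configured CA. In a Mule application the equivalent settings live in the HTTP listener's TLS context (key store plus trust store) rather than in code.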