Application Programming Interfaces (APIs) can add tremendous capabilities, but they must also be secure and auditable. Since the primary usage of an API-based product will be through other software or systems, extra steps must be taken to ensure that proper security is maintained and that events can be reconstructed and audited in the case of a security breach. Modzy follows industry-standard best practices when it comes to authentication and authorization, and gives organizations complete insight into its usage.
What You Need To Know
Software that is built around APIs can take several approaches to authentication. Machines can use their own credentials to communicate with one another, humans can use their credentials to talk to the machines, or some combination of the two. The first method, often referred to as Service Accounts, is very useful because it allows systems to authenticate each other without requiring a user to supply credentials. The second, User Accounts, is a more granular approach, since these accounts map to individual people, but it requires that every end-user system provide a way for the user to supply their credentials along with any request.
Using only Service Accounts has benefits and risks. The benefit is that sometimes there is no user involved directly, such as in the case of automated pipelines. The risk is that the audit log won’t contain any information about who made a malicious request. User Accounts, though sometimes tedious to use, set up, and maintain, can at least be traced back to a human being that can supply more information. Knowing when to use Service Accounts and when to require User Accounts can be crucial to achieving proper security with API-based applications.
Modzy was designed to give each organization the power to choose the option that best suits its needs. All API access is controlled via API keys issued by an administrator. Every API key is mapped to a responsible user, and users can have more than one API key to use as service accounts. The number of people issued API keys, and how many API keys each of them is issued, is a decision left entirely to an administrator.
Every key has its own set of Role Based Access Controls (RBAC) that govern what that key is allowed to do. These are also centrally controlled by an administrator. Every action is logged automatically so that an auditor can always answer the question “Who Did What When”. Modzy includes a user interface to view some aspects of the audit data, but the real power comes in its audit APIs that allow access to the full trove of audit logs in external systems like Splunk.
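To make the model above concrete, here is an added illustration (not Modzy's own code) of the three pieces working together: every API key resolves to a responsible user, each key carries its own role set, and every request, allowed or denied, produces an audit record that answers "who did what when". The key values, user names, role names and in-memory registry are constructed for the example; a real deployment would store the hashed keys in a database and ship the audit events to a SIEM.

```python
import hashlib
from datetime import datetime, timezone

def _digest(api_key: str) -> str:
    """Keys are stored only as SHA-256 digests; the plaintext stays with the caller."""
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed sample registry: one service-account key and one user key.
# Both map to a responsible person, so even pipeline traffic is attributable.
KEY_REGISTRY = {
    _digest("svc-pipeline-key-0001"): {"key_id": "k-svc-01", "user": "alice@example.com",
                                       "kind": "service", "roles": {"model:run"}},
    _digest("user-key-0002"):         {"key_id": "k-usr-02", "user": "bob@example.com",
                                       "kind": "user", "roles": {"model:run", "model:deploy"}},
}

AUDIT_LOG = []  # append-only in this demo; in production this feeds the audit API / SIEM

def authorize(api_key: str, action: str, resource: str) -> bool:
    """Resolve the key, enforce the key's own RBAC, and always write an audit record."""
    record = KEY_REGISTRY.get(_digest(api_key))
    event = {"ts": datetime.now(timezone.utc).isoformat(),
             "action": action, "resource": resource}
    if record is None:
        # Unknown keys are still logged (with no user) so failed probes are visible.
        event.update(key_id=None, user=None, key_kind=None,
                     outcome="denied", reason="unknown_key")
        AUDIT_LOG.append(event)
        return False
    allowed = action in record["roles"]
    event.update(key_id=record["key_id"], user=record["user"], key_kind=record["kind"],
                 outcome="allowed" if allowed else "denied",
                 reason=None if allowed else "role_missing")
    AUDIT_LOG.append(event)
    return allowed

def trace(user: str) -> list:
    """The auditor's question: everything this person (or their service keys) did."""
    return [e for e in AUDIT_LOG if e["user"] == user]

if __name__ == "__main__":
    authorize("svc-pipeline-key-0001", "model:run", "model/sentiment-v2")
    authorize("svc-pipeline-key-0001", "model:deploy", "model/sentiment-v2")
    authorize("not-a-real-key", "model:run", "model/sentiment-v2")
    for e in AUDIT_LOG:
        print(e)
```

Note that the denied deploy attempt by the pipeline key is attributed to alice, the key's responsible user, which is exactly the trail a pure service-account design would lose.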
What This Means for You
Modzy has a flexible and powerful scheme for API security and provides a complete audit log of all interactions with the product. Our approach to API key management and role-based access controls means that each organization can tailor the setup that works best for it. Because each action is logged and traceable back to a responsible user, it is possible to reconstruct an entire chain of events in case of a security incident. Through this approach, Modzy ensures organizations can leverage accountable and transparent artificial intelligence (AI).