Category: Security

Application Security, Web Security, Data Security, Cloud Security

Posted on

Generative AI (GenAI): Security

Generative AI (GenAI): Security

Generative artificial intelligence (generative AI) is a new buzzword across the industries. Generative AI is an artificial intelligence technology that can produce various types of content, including text, imagery, audio, and synthetic data.

All organizations are investing large amounts of their budget in GenAI technology. Recently Amazon completed a $4 billion investment in generative AI development. As per a recent study barely scratching the Generative AI use case and opportunity.

Before implementing any Generative AI solution make sure you completely understand the organization’s business problem to implement Gen AI solution, because any generative AI solution takes a lot of money, time, and brain power.

Evolution of LLMs

Generative AI has just blown up within the last year or two years, but it has been around for decades. Generative AI is based on large language models (LLM).  LLM has been evolving for a while technically five to ten years approx. All companies (like AWS, Microsoft, and Open AI) are presenting their standard based on their business requirements. Here is the evolution story of LLMs & GenAI.

AI Attacks

There are four types of AI attacks.

  1. Poisoning – This AI attack can lead to the loss of reputation and capital. This is a classic example of thrill-seekers and hacktivists injecting malicious content which subsequently disrupts the retraining process.
  2. Inference – This AI attack can result in the leakage of sensitive information. This attack aims to probe the machine learning model with different input data and weigh the output.
  3. Evasion – This AI attack can harm physical safety. This type of attack is usually carried out by Hacktivists aiming to get the product of a competitive company down and has the potential to seriously harm the physical safety of people.
  4. Extraction – This AI attack can lead to insider threats or cybercriminals. Based on this the attacker can extract the original model and create a stolen model to find evasion cases and fool the original model.

Type of AI Malware

  • Black Mamba – Black Mamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, so it can return synthesized, malicious code needed to steal an infected user’s keystrokes. It has the below properties.
    • ChatGPT Polymorphic Malware
    • Dynamically Generates Code
    • Unique Malware code
  • Deep Locker – The Deep Locker class of malware stands in stark contrast to existing evasion techniques used by malware seen in the wild. It hides its malicious payload in benign carrier applications, such as video conference software, to avoid detection by most antivirus and malware scanners. It has the below properties.
    • Targeted identification
    • Logic detonation Mechanism
    • Facial and voice recognition
  • MalGAN – Generative Adversarial Networks serve as the foundation of Malware GAN and are used to create synthetic malware samples. For Mal-GAN’s complex design to function, it is made up of three essential parts: the generator, substitute detector, and malware detection system based on machine learning. It has the below properties.
    • Generative Adversarial Malware
    • Bypass ML-based Detections
    • Feed-forward Neural Networks

AI Security Threats

  • Deepfake Attacks
  • Mapping and Stealing AI Models
  • Spear Phishing (Deep Phishing)
  • Advanced Persistent Threats (APTs)
  • DDoS and Scanning of the Internet.
  • Data poisoning AI Models
  • PassGAN and MalGAN
  • Auto Generation of Exploit code
  • Ransom Negotiation Automation
  • Social Engineering

AI Security Defense Strategy

As we learned in AI several AI malware and threats are impacting different parts of the AI ecosystem. Our AI must be smart enough that it detects its threats and mitigates risk. ML-based malware detectors detect risk and generate insights into its severity. Here are a few approaches should implement to protect your AI systems.

  • Intelligent Automation
    • Automated response and Mitigation
    • Indicators of Compromise (IOCs) extraction and correlation
    • Behavioral and anomaly detection
  • Precision Approach
    • High Accuracy and Precision
    • Identify, Understand, and Neutralize
    • Prioritize Risk
  • Define the Area for defense
    • Identify the most vulnerable area.
    • Apply a broad spectrum of defense.
    • System resiliency

AI involvement in security

  • Malware detection – AI systems help prevent phishing, malware, and other malicious activities, ensuring a high-security posture and analyzing any unusual behavior.
  • Breach risk prediction – Identify the most vulnerable system and protect against any data leak.
  • Prioritize critical defense – AI-powered risk analysis can produce incident summaries for high-fidelity alerts and automate incident responses, accelerating alert investigations.
  • Correlating attack patterns – AI models can help balance security with user experience by analyzing the risk of each login attempt and verifying users through behavioral data, simplifying access for verified users
  • Adaptive response – AI model automated response and generate an alert if the system identifies any threats. This creates the first layer of security defense.
  • Applied Machine learning – AI models are self-train. If models identify any new risk pattern apply new security models to all protected systems.
Posted on

Zero Trust API Security Architect

The cybersecurity threat landscape has changed dramatically in the last couple of years. Every day new kinds of threats are coming and impacting the organization’s business. Infosec/Security teams have always had challenges with this new threat to find the root cause and mitigate these risks.

To mitigate and overcome these constant/real-time threats and risks, the security fraternity introduces Zero Trust Architecture (ZTA) Or Zero Trust Strategy (ZTS).  ZTA is not a product or application, but it is a concept and practice to mitigate any risk for your organization.

What is ZTA/ZTS?

Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by continuously validating for security configuration and posture before being granted or keeping access to applications and data across users and their associated devices. All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.

Here are the basic properties for ZTA/ZTS

  • Default deny
  • Access by policy only
  • For data, workloads, users, devices
  • Least privilege access
  • Security monitoring
  • Risk-based verification

How API implement ZTA/ZTS?

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). In API security we establish certain rules and processes to mitigate security risks.  These rules and processes are around Zero trust architecture or strategy. Here are a few basic strategies in API security to implement ZTA.

  1. All API communications are secured regardless of network location – This risk can be mitigated by ensuring all communication happens over an encrypted communication channel (TLS) and implementing a proper Cross-Origin Resource Sharing (CORS) policy. The endpoint for API needs to be exposed through the HTTPS protocol.
  2. All API endpoints are authenticated regardless of their environments (Prod, QA, Dev) — By default, all APIs need to be authenticated and authorized using username/password, JSON Web Token (JWT), OAuth, OpenID Connect, or third-party services.
  3. All API resources are protected and restricted to all users by default — Running multiple versions of an API requires additional management resources from the API provider and expands the attack surface. As per ZTA, make sure all API versions and their resources are restricted if it is not used by the user. Always validate and properly sanitize data received from integrated APIs before using it.
  4. Access to API resources is determined by dynamic policy including the client identity, application/service, and the requesting asset – Any API requires resources such as network bandwidth, CPU, memory, and storage. It is easy to exploit these resources by simple API calls or multiple concurrent requests. According to Zero Trust Architect, all APIs must implement API policies like:
    • Client identity (ClientID/Client-Secret)
    • Execution timeouts (Rate limiting)
    • Maximum allowable memory
    • Maximum number of file descriptors
    • Maximum number of processes
    • Maximum upload file size
  5. Implement or configure API monitoring posture and API Alert system — API monitoring helps identify and resolve performance issues as well as security vulnerability issues before they negatively impact users, which can impact user experience. The alert system notifies the operation team to mitigate risk quickly.
  6. Continuous API security risk assessments – Continuous risk assessments help the Infosec/Security team identify any security risk gap. By conducting the security risk assessments, organizations establish a baseline of cybersecurity measurements, and such baselines could be referenced to or compared against future results to improve overall cyber posture and resiliency further and demonstrate progress. A Free Security assessments tool VAT is available to mitigate any security risk for your organization.

https://www.vanrish.com/secassessment/

Organizations that have adopted the Zero Trust API model, see trust as fundamental to creating a positive, low-friction work culture for their clients and empowering the organization at all levels. Many of our Vanrish Technology clients, we worked with have many of the technologies in place that can be leveraged toward full Zero Trust architect model adoption.

Posted on

What is Cybersecurity?

Everyday technological miracle is happening. New technologies are coming and impacting our lives and businesses.

The information technology (IT) trends of the past few years—the rise in cloud computing adoption, online banking, Online travel booking, driving connected car remote work & working from home, connecting with friends and family online, and connected devices and sensors in everything from doorbells to cars to assembly lines.

These conveniences could be a problem if you don’t have a well-protected system. Cyberattacks have the power to disrupt, damage, or destroy businesses and people’s lives. These cyber security risks can cause losses of billions of dollars to any organization. The average cost of a data breach in 2023 was USD 4.45 million, up 15 percent over the last years.

What is Cybersecurity?

Cybersecurity is the measure or practice for preventing cyberattacks and mitigating cyber risk by protecting internet-connected individuals’ and organizations’ systems such as hardware, software, and sensitive data.

Types of cybersecurity (cybersecurity domains)

Cybersecurity can be categorized into ten different types based on where it is impacting your systems.

  1. Application Security – Application security protects applications running on-premises and in the cloud, preventing unauthorized access to and use of applications and related data, and preventing flaws or vulnerabilities in application design that hackers can use to infiltrate the network. Modern application development methods
  2. Cloud Security – Cloud security secures an organization’s cloud-based services and assets—applications, data, storage, development tools, virtual servers, and cloud infrastructure. In most use cases, cloud security runs on the shared responsibility model. Cloud providers are responsible for securing the services they are providing, and the infrastructure they are delivering, while the customer’s responsibility is protecting their data, code, and other assets they store or run in the cloud.
  3. Data Security – Data security is the process of maintaining the confidentiality, integrity, and availability of digital information throughout its entire life cycle to protect it from corruption, theft, or unauthorized access.
  4. Identity and Access Control – Identity and Access control is a security technique that regulates who or what can view or use resources in a computing environment. There are two types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms, and physical IT assets. Logical access control limits connections to computer networks, system files, and data.
  5. Code Management – Code Management security comprises programming practices, techniques, and tools that ensure your code isn’t susceptible to security vulnerabilities. A hack or leak of source code can cause serious damage to a company on multiple fronts. It can harm the company’s reputation and lead to a loss of customer trust.
  6. Network Security – Network security is defined as the process of creating a strategic defensive approach that secures a company’s data and resources across its network. It prevents unauthorized access to network resources and detects and stops cyberattacks and network security breaches.
  7. Operations Security – Operations Security (OPSEC) is the process by which we protect critical information whether it is classified or unclassified that can be used against an organization. Things that fall under the OPSEC umbrella include monitoring behaviors and habits on social media sites as well as discouraging employees from sharing login credentials via email or text message.
  8. Physical and Environmental Security – Physical and environmental security refers to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
  9. Mobile Security – Mobile security, often referred to as wireless security, involves protecting both personal and business-related information stored on and transmitted from smartphones, tablets, laptops, wearables, and other portable devices.
  10. Third-Party Relationships – Third-Party Relationships security includes security from external entities may include service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums, and investors, and may include both contractual and non-contractual parties.

Get your Free Security Assessments to mitigate your risks.

Posted on

Generative AI for Public Sector: An API Opportunity

The disruptive power of AI extends to every industry, opening up unlimited possibilities for new business opportunities. It turns imagination into reality, insights into action, and possibility into discovery. Generative AI is a type of AI that produces content such as text, audio, code, videos, images, or any other content based on prompts input by the user. Generative AI models use complex computing processes like deep learning to analyze patterns from large sets of historical data to create new business opportunities.

Generative AI is a one of the most promising technologies that can help the public sector to improve productivity and service quality. However, it is important to ensure that the technology is used responsibly and ethically.

Generative AI can enable the public sector to improve productivity and service quality. Generative AI has a wide range of applications in the public sector. It can be used to extract information and automate paper-based processing. It can also be used to automate repetitive and mundane tasks, enabling staff to take on higher value work, optimize resource allocation, and enhance decision making. It also uses to summarize large amounts of information from different sources, such as public health data and economic indicators, to identify patterns, trends, and correlations for Government to take decision in favor public.

Here are a few examples of tasks that Generative AI can perform in the public sector:

  • Providing support to clients such as chatting, responding, and delegating task to correct department.
  • Writing and editing documents and emails
  • Coding tasks, such as debugging and generating templates and common solutions.
  • Summarizing information.
  • Research, translation, and learning

To ensure the responsible use of GenAI tools and maintain public trust , the public sector should align with the “FASTER” principles:

  • Fair: Content should comply with human rights, accessibility, procedural and unbiased obligations
  • Accountable: Content generated by these tools should make sure it is factual, legal, ethical, and compliant with the legal terms of use.
  • Secure: In pub-sec security is paramount goal. Content generated by Generative AI should appropriate for the security classification of the information and privacy & personal information are protected. Compliance with PII data.
  • Transparent: In Government sector, it is very important that your all procedural is transparent, and users know that they are interacting with an AI tool.
  • Educated: It is very important to document the strengths, limitations, and responsible use of the Generative AI tools. It should also highlight; how to create effective prompts and to identify potential weaknesses in the outputs.
  • Relevant: Generative AI tools should support user and organizational needs, contributes to improved outcomes and become relevant to society and business.

Since Generative AI has a wide range of benefits in the public sector, there are also some challenges associated with its use.

Here are Some of these challenges:

  1. Ethical dilemmas: Generative AI can be used to create deepfakes by manipulating videos and images. That can be used to spread misinformation and create confusion among public.
  2. Dependency on technology: Generative AI is dependent on the latest technology and underline system. It is based on how secure your data technology and how your data is communicating with AI models.
  3. Equity and accessibility issues: Generative automated certain task that led some job displacement. Which lead to accessibility and equity concern.
  4. Staff resistance to change: If Pub-Sec staff perceive Generative AI as a threat to their job then they may be resistance to change into Generative AI process.
  5. Project delays and failures: Generative AI projects are complex and time consuming. This may be delay or failure of project implementation.
  6. Regulatory issues: In Public Sector, data are fragmented which raises compliance and regulatory issue. This may be concerns about data privacy, security, and ownership.
  7. Cybersecurity risks: AI in the public sector raises cybersecurity risks. This may be concern about hacking, data breaches and other cyber threats.

API is helping GenAI to import the AI model and enable data for Generative AI. We can mitigate some of these risks by implementing API based approach for Generative AI in public sector.

Here are the few challenges in pub-sec Generative AI which is mitigated by API implementation.

  • Security: According to recent finding Generative AI makes it easier for hacker to find and exploit vulnerabilities. If your Generative AI models are communicating with your organization data through API, it will mitigate vulnerabilities risk many folds. Government sector can implement strict control of their data in a number of ways like MFA or API access permission.
  • Data control: Through API implementation in Generative AI, pub-sec can eliminate any data leakage and data abuse. Through API governance they can monitor data usage by Generative AI models. Government sector can also implement API rate limiting or IP restriction for any API to get tighter control on their sensitive data.
  • Fairness and relevancy:  Accuracy of Generative AI model or LLM are based on independent and relevancy of data. Generative AI models in pub-sec only work when Generative AI model follows compliances and relevant to use-case. API implementation does make sure data is relevant and independent for LLM. API also restrict any unwanted data for AI models and reduce processing time to cleansing unwanted data.   
  • Data Separation: APIs keep data separated from Generative AI Models or LLM (Large Language Model) implementation. This enable LLM to work on different set of data at the same time and enable faster innovation within government sector.
  • Fast delivery: APIs enable faster delivery of generative AI models. During your development of LLM models you focus only on models not on data deliveries. This may enable two stream of development team. One team focus only on data delivery and second team can focus only on Large language models development. This may empower to team for faster project deliveries.

Public sector adoption on Generative AI is still in the early stages, but it needs to accelerate. This will enable faster public project deliveries and AI bot assistances.

Posted on

Why Airlines Need Digital Transformation

When the Wright brothers flew their first plane they never imagined that after 100 years this industry will be one of the biggest and most complex. Initially Airlines were a part of luxury transportation but nowadays it is a necessity for most. Every day thousands of airplanes are flying and millions of passengers are reaching their destination.

To streamline the whole process, all departments of airlines should work synchronously and efficiently. There are a lot of variables involved to execute one task efficiently with a very little margin for error. The airline industry is the best example of machines and humans working together in harmony, which allows tasks to be completed quickly and accurately without any errors. The Airline’s biggest challenge is finding ways to reduce costs while still providing quality service.

Airline industries need to put forward the best process in place in order to remain competitive and profitable. All processes, including, operational structure, route network, fleet size, and pricing strategy need to be digitized and transparent to compete against their competitors and continue to be cost-effective.

Successful Adoption of Digital Transformation is the key to success to Airlines business.

Digital transformation allows Airlines to enable data efficiently and securely. It also helps in reducing the cost of operation and increases the efficiency.

Here are few area where Digital Transformation is helping Airlines to work efficiently and cost-effective .

Market & Partner Data – The Covid pandemic was a big disruption for the Airline market. Tracking and monitoring real-time Covid data after the pandemic is very important in managing your operation efficiently. Airlines work with their partner to get Market Data, Events, Weather, Traveler In-Flux, Reviews, and External Traveler Information for their operation. Integration with partner data is very important to get contextual insights for airlines.

Travel  Data – To run the airline industry efficiently their passenger System of Record needs to integrate efficiently. Those system are not limited to  Passenger service system (PSS),Computer reservation system ( CRS), Global distribution system (GDS), Enterprise Resource Planning (ERP), Traveler Profile, Fare, Schedule, Availability, Preferences, Assets, and Distribution with Offers & Orders (NDC).

Intent & Sentiment Data – Social Media Platform is one of the invaluable tools for airlines to stay ahead of their competitors. By leveraging Sentiment & Intent Behavior analysis on social media platforms, airlines can better understand passenger preferences and tailor services accordingly. This helps the Airlines build customer loyalty and increase profits over time.

Customer & Services Data – Managing historical customer and service data help airlines to get their customer sentiment and preference. These data includes Demographic and Identity Data, Profile, Cases Contact Center History, and Service Interactions data. This data helps airlines to understand passenger preference and provide better service. 

Marketing & Loyalty – Digital Transformation combining predictive analytics and human-centric design to create a more personalized experience to drive growth in loyalty, satisfaction and incremental revenue. It also helps in marketing to track Campaign Metrics, Digital Footprint, Experiential Targeting, Audience Segmentation, Digital Marketplace. 

Devices & Location Data – Airlines operation depends on IoT Sensor Data, Telemetry, Mobile, Voice, Geolocation, Location-Based data. This Intelligence based data is revolutionizing procurement through real time decision making. Allow the operational team to know the exact location of goods at any given time.

These are the big impact of digital transformation in airlines industries

  • Quicker time to market
  • Smooth Transitioning
  • Enhanced Business Agility
  • Reduce cost
  • Innovate and drive operational excellence   
Posted on

Security for Critical Data

When organization is migrating to digital transformation, data security is a big concern. Digital transformation impacts every aspect of business operation and execution. The volume of data that any organization creates, manipulates, and stores digitally is growing, and that drives a greater need for data governance. Large volume of data security is the biggest challenge for any organization for their entire data lifecycle. 

Data security is a process to protect sensitive data from unauthorized access, corruption, or theft  during the entire data lifecycle.

Here are a few steps to mitigate data risk and implement data security.

  • Event Monitoring
  • Data Detection
  • Data Encryption
  • Data Audit Trail

Event Monitoring – This activity includes Prevention, mitigation, and monitoring threats to sensitive data.

  • Monitor user activity – Know who is accessing data from where with real-time event streaming and min 3-6 months of event history.
  • Prevent and mitigate threats – Define and  build Transaction Security policies using declarative conditions or code to prevent and mitigate threats.
  • Drive adoption and performance – Analyze user behavior to enable security training for organization and find security bottlenecks to improve user experience.
  • Event Log Files – Create event log file for rich visibility into your org for security, adoption and performance purposes

Data Detection –  Find and classify the sensitive data quickly and mitigate data risk. 

  • Monitor Data Classification Coverage – Determine which data in your organization have been categorized versus uncategorized. High sensitive data needs to be secure properly. Label data appropriately to manage data security.

Data Encryption – Encrypt sensitive data at rest while preserving business functionality.

  • Encrypt data and maintain functionality – Protect data and attachments while data search, lookups, transportation and storage.
  • Key Management – Data encryption key management is very important to secure organization data. It includes control and authorization of data encryption keys.
  • Policy Management – Data policy management is defining and managing rules or procedures for accessing data. It allows individuals to follow certain processes to access data during storing or transit.. 

Data Audit Trail – It allows strengthening data integrity for an extended period. This strengthening data integrity process enables compliance and gains insights.

  • Data History – Store data as long as you can use this historical data for audit Trail or delete if you do not need this data.
  • Data retention policy – Data retention policy defines what data or how long this historical data needs to be stored for audit. Based on sensitivity of data you can archive from 3-6 months or more.
  • Insight of data – Create insight and dashboard for data audit transparency. It allows any organization to track any compliance or data security issue.
Posted on

RPA, BOTS, AI and API

In today’s competitive markets, industries face many challenges in order to remain successful. These include staying ahead of the competition, understanding customers need and preferences, and providing a high level of service that will make customers happy.

Here are few challenges for current industries

  1. Resolve customer issues ASAP
  2. Collect and qualify customer information
  3. Easily connect to business process
  4. Enable business new features quickly.

In current business requirements 90% of organizations see increased demand for automation from business teams, due to that 95% of IT leaders are prioritizing automation. 

Automation is a critical component of digital transformation and business success. Robotic Process Automation (RPA) bots are at the forefront of this revolution, providing businesses with an automated solution to optimize their processes while improving customer experiences. RPA bots can be used in many areas such as data entry, document processing and workflow management; they automate repetitive tasks that would otherwise take up valuable resources from human employees. This automation not only increases efficiency but also reduces costs associated with manual labor, allowing companies to focus on more pressing issues like innovation or collaboration between departments. By utilizing intelligent bots powered by artificial intelligence (AI), companies can further streamline operations and provide customers with immediate feedback on requests or inquiries in real time without manual intervention from employees. Additionally, natural language processing (NLP) capabilities allow chatbots used in websites or apps to respond quickly and accurately when communicating with customers.

Using NLP, Bots can decipher specific sentences or words customers type and associate them to an intent. NLP provides insights by analyzing past chat transcripts to identify common customer utterances or phrases (such as order status, account information, password reset, logging an issue, etc.) that the Bot can use to take action. A predictive model for bots to understand intent and take action called intent model. The intent model is made up of intents and utterances.

APIs , NLP and AI are the essential components for Bots. Once an intent model from NLP identifies action then Bots call APIs. APIs help to execute tasks from the backend system for Bots. Suppose if users are looking for order status from bots and APIs are not responding on time it will fail the whole Bots purpose. So APIs are one of the key components for Bots.

APIs streamline Bots tasks and automated any process/tasks for any team. Bots and APIs empower business and IT teams to collaborate with ease and break silos in every step of their automation journey. Enable end-to-end automation at scale Reuse and compose RPA securely.

Posted on

API Security

API is a key component of digital transformation. API is the interface of your legacy and SAAS data. The goal of APIs is to facilitate the transfer and enablement  of data between your system and external users. APIs are typically available through public networks like the internet to communicate to external users and expose your data into the public domain.

Since your data is exposed into the public domain through APIs, It can lead to a data breach. APIs can be broken and expose sensitive personal as well as company data. An insecure API can be an easy target for hackers to gain access to your system and network. Rise of IOT devices and usage of APIs by these IOT devices, APIs are now more vulnerable. 

According to owasp, these are 10 main API vulnerabilities.

  1. Broken Object Level Authorization – Expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue.
  2. Broken User Authentication – Authentication mechanisms are implemented incorrectly.
  3. Excessive Data Exposure – Developers  expose all object properties without considering their individual sensitivity
  4. Lack of Resources & Rate Limiting – APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user, lead to Denial of Service (DoS) attack on APIs
  5. Broken Function Level Authorization Complex access control policies with different hierarchies lead to authorization flaws.
  6. Mass Assignment – Without proper properties filtering based on an allowlist, usually leads to Mass Assignment.
  7. Security Misconfiguration – Misconfiguration or lack of Security configuration  is commonly a result of insecure APIs
  8. SQL Injection SQL Injection occurs when untrusted data is sent to an interpreter as part of a command or query.
  9. Improper Assets Management – APIs tend to expose more endpoints than traditional web applications lead to improper expose APIs.
  10. Insufficient Logging & Monitoring – Insufficient logging and monitoring fail to find your vulnerability and broken integration.

How to mitigate API security risk?

  • API supports secure sockets layer (SSL), transport layer security (TLS), and Hypertext Transfer Protocol Secure (HTTPS) protocols, which provide security by encrypting data during the transfer process.
  • Apply Basic Auth minimum with API or  if you want to more secure your API then enable 2 way authentication through OAuth framework . 
  • Apply Authorization on each API resource to more control on API security through external Identity and access management provider (IAM).
  • Use encryption and signatures to all your API exposed personal and organizational sensitive data.
  • Apply API throttling through API manager to control number of user access per API (Rate Limiting).
  • Implement best practice of exception handling on your APIs to hide all your internal server and database information to mitigate SQL injection security risk.
  • Use Service Mesh to manage different layers of API management and control.
  • Audit your APIs and remove all unused API from your API catalog.
  • Add proper logging, Monitoring and Alerting on your APIs to keep track of your APIs activity.

Conclusion: APIs are a critical part of modern AI, mobile, SaaS, IOT and web applications. APIs Security should be the main focus on strategies and solutions to mitigate the unique vulnerabilities and security risks .

Posted on

APIs Integration with IOT and CRM improves Customer Service

APIs integration helping IOT and CRM to enable better customer experience

IOT (Internet of things) is revolutionizing our lives. As per Gartner report by 2025 IOT market will expand a 58-billion-dollar opportunity. It is affecting all parts of our life. In our pandemic era we found more use of IOT device to maintain social distancing.

IOT is also one of the main disruptive technologies in our businesses. It is affecting all business domain including healthcare, retail, automotive, security.

There are wide range of IOT benefits in business.

  • Enhanced productivity
  • Better customer experience
  • Cost-effectiveness

CRM system is keeping all your customer relationship like data, notes, metrics and more – in one place. CRM is helping small business to take off all burden from the IT management team by automating the business process. It is also helping employee to keep the focus on the critical business areas.

API is helping to integrate these two unrelated systems. APIs are enabling this system to optimize process and streamline whole business process. API is the main communication channel to build robust process and keeping real time update to these systems. APIs are allowing to build context-based application with IOT and CRM to interact with the physical world.

Now here are few areas where IOT is helping CRM system with help of APIs to optimize business process.

  1. Optimize customer service – Before your customer finds any error in your service/product you proactively acting on error and fixing those error. This will help to build relationship with customer.
  2. Increase sales – With help of IOT and CRM system you are finding untouched opportunity and using those opportunity to increase your sale.
  3. Personalize customer experience – You are analyzing data provided by IOT and CRM system and building user based predictive model to enable personalize experience to user.
  4. Customer retention – CRM provide customer data and relationship. IOT data providing customer behavior. This will help any business to personalize and target marketing for their customer.
  5. Omnichannel instore experience – IOT and CRM is helping business to enable 360 omnichannel customer experience. This process will help and suggest the products which the customer might purchase.

APIs  integration with IOT and CRM helping business to enable higher degree of personalization, target marketing, optimize price model, higher revenue and enhance customer satisfaction.

Posted on

Anypoint Platform: External (OKTA) Identity Management

Anypoint Platform acts as a client provider by default, but you can also configure external client providers to authorize client applications. As an API owner, you can apply an OAuth 2.0 policy to authorize client applications that try to access your API. You need an OAuth 2.0 provider to use an OAuth 2.0 policy. You can configure more than one client provider and associate the client providers with different environments. If you configure multiple client providers after you have already created environments, you can associate the new client providers with the environment. 

MuleSoft supports client management by identity providers that implement the OpenID Connect Dynamic Client Registration open standard. MuleSoft explicitly verifies support in Anypoint Platform for Salesforce, Okta, and OpenAM v14 Dynamic Client Registration. The following table contains examples of the URLs you need to supply, depending on your provider, during registration.

URL NameOkta Example URLOpenAM Example URLSalesforce Example URL
Base https://example.okta.com/oauth2/v1 https://example.com/openam/oauth2 https://example.salesforce.com/services/oauth2
Client Registration {BASE URL}/clients {BASE URL}/connect/register {BASE URL}/register
Authorize {BASE URL}/authorize {BASE URL}/authorize {BASE URL}/authorize
Token {BASE URL}/token {BASE URL}/access_token {BASE URL}/token
Token Introspection {BASE URL}/introspect {BASE URL}/introspect {BASE URL}/introspect
URL Name Okta Example URL OpenAM Example URL Salesforce Example URL

Steps to Create External Client Provider

  • Log in to Anypoint Platform using an account that has the organization administrator role.
  • In Anypoint Platform, click Access Management.
  • In the menu on the left, click Client Providers.

  • Click Add Client Provider, and then select OpenID Connect Dynamic Client Registration.
    The Add OIDC client provider page appears.
  • After obtaining values from your identity provider’s configuration, complete the following required fields in each section:
    • Dynamic Client Registration
      • Issuer: URL that the OpenID provider asserts is its trusted issuer.
      • Client Registration URL: The URL to dynamically register client applications as a client application for your identity provider.
      • Authorization Header
        • For Okta, this value is SSWS ${api_token}, where api_token is an API token created through Okta.
        • For ForgeRock, this value is Bearer ${api_token}, where api_token is an API token created through ForgeRock.
        • For Salesforce, this value is Bearer ${api_token}, where api_token is an API token created through Salesforce. In Advanced Settings you can also select:
      • Disable server certificate validation: Disables server certificate validation if your OpenID client management instance presents a self-signed certificate, or one signed by an internal certificate authority.
      • Enable client deletion in Anypoint Platform: Enables deletion of clients created with this integration.
      • Enable client deletion and updates in IdP: To use this option, you must also select the Enable client deletion in Anypoint Platform option.
    • Token Introspection Client
      • Client ID: The client ID for an existing client in your IdP capable of introspection of all tokens from all clients.
        • For Okta, this value should be a “Confidential” client.
        • For ForgeRock, this value should be a “Confidential” client.
        • For Salesforce, this value should be a “Confidential” client.
      • Client Secret: The client secret that corresponds to the client ID.
    • OpenID Connect Authorization URLs
      • Authorize URL: The URL where the user authenticates and grants OpenID Connect client applications access to the user’s identity.
      • Token URL: The URL that provides the user’s identity, encoded in a secure JSON Web Token.
      • Token Introspection URL: endpoint that returns metadata about the access token, including expiration and token active state.