API Security

API Management

Azure API Management is used to provide a central interface to create, provision and manage the ICB IIoT platform APIs.

Azure API Management is a reliable, secure and scalable way to publish, consume and manage APIs running on the Microsoft Azure platform. It provides the essential tools required for end-to-end management of APIs: it ensures optimal performance of the APIs, tracks and enforces usage and authentication, and more.

Figure 1: Azure API management

API Management provides the core competencies to ensure a successful API program through developer engagement, business insights, analytics, security, and protection. Azure API Management allows us to:

Subscriptions

All clients will require a valid subscription to access any of the products exposed by the Azure API Management.

Figure 2: Subscriptions

To consume the APIs, a subscription key must be provided with every request. Each partner (i.e. an independent software vendor working for the manufacturing enterprise) has a separate subscription registration and is given a unique key.

Response Headers

Using the outbound processing provided by Azure API Management, all headers carrying sensitive information are stripped from the response before it is returned to the clients.

Figure 3: Outbound strip headers policy
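The following policy fragment is an added example of such an outbound strip-headers policy; it is not the policy from the original document or from the ICB platform. The header names are the usual technology-fingerprint headers that an ASP.NET backend emits and are assumptions; extend the list with whatever the real backend returns. It also repeats the stripping in the on-error section, because when a backend call fails API Management skips the outbound section and runs on-error instead, so headers removed only in outbound would leak on error responses.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Added example (not the original document's policy): remove headers that reveal
             the backend technology stack before the response reaches the partner. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </outbound>
    <on-error>
        <base />
        <!-- Error responses bypass <outbound>, so the same headers must be deleted here
             as well, otherwise a failing backend still leaks them. -->
        <set-header name="X-Powered-By" exists-action="delete" />
        <set-header name="X-AspNet-Version" exists-action="delete" />
        <set-header name="Server" exists-action="delete" />
    </on-error>
</policies>
```

Applying the fragment at the product or "All APIs" scope rather than on a single API keeps every operation covered; the inherited `<base />` element preserves whatever policies the higher scope already defines.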

Rate Limit Policy (Throttling)

Depending on the consumption rate, the IIoT platform APIs may have a rate limit policy, which prevents API usage spikes on a per-subscription basis by limiting the call rate to a specified number of calls per specified time period. When this policy is triggered the consumers receive a “Too Many Requests” response status code.
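As an added example (not taken from the original document or the ICB platform), the fragment below shows how that throttling is expressed as an API Management inbound policy. The rate-limit policy counts calls per subscription, so it maps directly to the per-subscription behaviour described above; the numbers (100 calls per 60-second window) are constructed placeholders, and the two response-header names are assumptions chosen so that a throttled partner can back off instead of retrying blindly.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example (not the original document's policy). Allow at most 100 calls
             per subscription in each 60-second window; values are placeholders.
             When the limit is exceeded API Management answers 429 Too Many Requests. -->
        <rate-limit calls="100"
                    renewal-period="60"
                    retry-after-header-name="Retry-After"
                    remaining-calls-header-name="X-RateLimit-Remaining" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The rate-limit policy may appear only once per policy definition and is normally placed at product scope, which is also where subscriptions live. Exposing the remaining-call count and a Retry-After value is a deliberate choice: it turns a hard 429 into something a well-behaved client can act on, while a client that ignores it simply keeps being rejected until the window renews.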

API Authorization

As the IIoT platform APIs provide access to protected resources, it is essential that unwarranted access to them is prevented using the industry standard for authorization: OAuth 2.0 bearer access tokens.

Figure 4: OAuth 2.0

The addition of OAuth 2.0 to our security measures doesn’t change anything for the end users (power companies) of the API Management. They are not aware that an OAuth 2.0 authorization is implemented internally. The data required for a successful authorization (client id, client secret and authorization endpoint) is not provided to them, and we can guarantee that only requests originating from our API Management will be able to pass the authorization protocol.
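The fragment below is an added example of the arrangement just described, written in the API Management policy language; it is not the original document's policy. API Management itself performs the OAuth 2.0 client-credentials exchange and attaches the resulting bearer token to the backend call, so the partner never holds the client id, client secret or token endpoint. The named values `oauth-token-endpoint`, `oauth-client-id`, `oauth-client-secret` and `oauth-scope` are assumptions; the secret should be a Key Vault-backed named value rather than a plain one.

```xml
<policies>
    <inbound>
        <base />
        <!-- Added example (not the original document's policy): obtain an access token with
             the client-credentials grant inside API Management. {{...}} are assumed named values. -->
        <send-request mode="new" response-variable-name="tokenResponse" timeout="20" ignore-error="true">
            <set-url>{{oauth-token-endpoint}}</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/x-www-form-urlencoded</value>
            </set-header>
            <set-body>@{
                return "grant_type=client_credentials"
                     + "&client_id={{oauth-client-id}}"
                     + "&client_secret={{oauth-client-secret}}"
                     + "&scope={{oauth-scope}}";
            }</set-body>
        </send-request>
        <choose>
            <!-- Fail closed: if no token could be obtained, do not forward the call to the backend. -->
            <when condition="@(context.Variables[&quot;tokenResponse&quot;] == null || ((IResponse)context.Variables[&quot;tokenResponse&quot;]).StatusCode != 200)">
                <return-response>
                    <set-status code="502" reason="Bad Gateway" />
                    <set-body>Upstream authorization failed.</set-body>
                </return-response>
            </when>
        </choose>
        <!-- Replace any Authorization header the partner sent with the token we just obtained,
             so only API Management's own credentials ever reach the backend. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two points matter for the guarantee in the text. Overriding (not merely setting) the Authorization header ensures a partner cannot smuggle its own token through to the backend, and the backend must still validate the bearer token it receives, since the guarantee only holds if the backend accepts tokens issued to API Management's client and nothing else. In production the token would be cached with the cache-store-value and cache-lookup-value policies for its lifetime rather than requested on every call.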

Authorization Headers

All APIs require authentication details, provided either as a header or as a query parameter. Access to the API services is provided with a subscription-based model, which allows us to introduce an extra security level by using dedicated access and tracking for each subscription.

The user is supplied with a Subscription Key by the Administrators of the APIs, which must then be included in all requests to the APIs.

The subscription key can be provided by either of the following two methods: