REST API Authentication and Access Control

Understand Zero Trust and how to logically place authentication and access control for better security of REST APIs.

The zero trust model

The zero trust (ZT) model provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate decisions in information systems and services in the face of a network that could be compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise.

The seven tenets of zero trust

Zero trust provides a set of principles and concepts around moving the policy decision and enforcement points closer to the resource. The idea is to explicitly authenticate and authorize all subjects, assets, and workflows that make up the enterprise.

Below are the seven tenets of zero trust. Authentication and access control are some of the key tenets:

  1. All data sources and computing services are considered resources.

  2. All communication is secured regardless of network location.

  3. Access to individual enterprise resources is granted on a per-session basis.

  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset. It may include other behavioral and environmental attributes.

  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Design IAM for diverse applications

IAM stands for identity and access management. There are two different approaches to application design: monolithic and microservices.

Monolithic architecture is built as one large system and is usually a single codebase. Microservices architecture is built as a set of small, independent modules, each based on a business function.

For any kind of application, it’s better to have one centralized approach to authentication. Given the likelihood of security breaches, multi-factor authentication is needed today. Several factors need to be considered when designing multi-factor authentication, but these are beyond the scope of this course.

Note: We do not authenticate at each REST endpoint. We authenticate once, at a central point of the architecture, and the caller has to re-authenticate based on timeout controls.
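The note above as an added Python example (not the course's own code): a single AuthGateway authenticates a caller once, every REST endpoint behind it trusts that decision instead of re-checking credentials, and idle/absolute timeouts force re-authentication. The class name, endpoint strings, user record and timeout values are assumptions.

```python
# Added example (not the course's code): central gateway authenticates once,
# endpoints behind it never re-check credentials; names/timeouts are assumed.
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-auth (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard session lifetime, activity or not (assumed value)

# Constructed credential store for an offline demo; a real deployment would
# hold salted password hashes (or delegate to an IdP), never plaintext.
USERS = {"alice": "correct-horse-battery-staple"}


class AuthGateway:
    """Single policy enforcement point in front of all REST endpoints."""
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for deterministic tests
        self.sessions = {}          # token -> {"user", "issued_at", "last_seen"}

    def login(self, user, password):
        """Authenticate once; return an opaque session token, or None on failure."""
        expected = USERS.get(user)
        # Constant-time compare avoids leaking how many characters matched.
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = {"user": user, "issued_at": now, "last_seen": now}
        return token

    def authenticate(self, token):
        """Per-request session check; expire on idle or absolute timeout."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s["issued_at"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]    # session gone: caller must log in again
            return None
        s["last_seen"] = now            # sliding idle window
        return s["user"]

    def handle(self, token, endpoint):
        """Route a request. Endpoint code receives an already-authenticated user."""
        user = self.authenticate(token)
        if user is None:
            return 401, "re-authenticate"
        return 200, f"{endpoint} served for {user}"
```

The endpoint handler never sees a password; it only receives the user name the gateway already verified, which is what keeps authentication out of each individual REST endpoint.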

Now that we have understood where authentication should be, let’s move to access control.
