Standard for API Security
This document establishes the requirements for Application Programming Interface (API) Security, ensuring that connections between services and the transfer of data within Tower Federal Credit Union remain intact and confidential.
- Robust Authentication & Authorization [9]: Token-based authentication using OAuth 2.0 must be applied along with Multi-Factor Authentication (MFA). Least privilege and a periodic review and update of access controls, with clearly documented authentication and authorization requirements for vendors, must be in place to sustain a secure and controlled infrastructure.
- API Gateway: An API gateway will be used to simplify the API infrastructure, providing a centralized entry point and enhancing security. Failover and circuit-breaker mechanisms must be in place to redirect traffic and handle service failures properly when they occur. The API gateway complements OAuth 2.0 by acting as a Security Token Service (STS).
- Data Encryption [10]: To encrypt data at rest, a U.S. Government-endorsed cryptographic algorithm is required. To encrypt data in transit, the latest version of Transport Layer Security (TLS) will be enforced.
- Throttling/Rate Limiting: To prevent clients from making too many requests and to thwart API misuse at the client/server level, throttling and rate limiting must be employed; they protect against brute-force and denial-of-service attacks while also improving the user experience.
- Vulnerability & Remediation Handling [11]: Regularly test and monitor API security by performing vulnerability assessments and penetration tests, and keep software up to date to address emerging threats.
- Logging and Auditing [12]: Use a structured logging approach that records relevant data in a standardized format, including both successful and failed transactions. Use Security Information and Event Management (SIEM, Splunk) to aggregate logs from multiple API instances to aid monitoring and analysis. Avoid logging sensitive user data; where that is infeasible, encrypt the sensitive information in the logs.
- Incident Response [13]: Incident response requires proper documentation, contact information, effective detection and identification tools, containment and mitigation measures, eradication and recovery processes, communication arrangements, and legal compliance. The Incident Response plan must be updated frequently so that security incidents affecting APIs can be handled effectively.
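The gateway, rate-limiting and logging requirements above, shown together as an added illustration (this is not Tower Federal Credit Union's code): a minimal gateway entry point that rejects requests without a bearer token, applies a per-client sliding-window rate limit, and writes one structured JSON log line per decision, success or failure, with sensitive headers omitted. The client identifier, the sensitive-field list, and the sample traffic are constructed for this example; real token validation is assumed to be done by the OAuth 2.0 STS behind the gateway.

```python
import json
from collections import deque
# Constructed for this example: keys that must never reach the log aggregator.
SENSITIVE_FIELDS = {"authorization", "password", "ssn", "account_number"}

class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""
    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window, self._hits = limit, window, {}

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits.setdefault(client_id, deque())
        while hits and now - hits[0] >= self.window:  # expire timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def redact(fields: dict) -> dict:
    """Omit sensitive keys rather than log them (the standard prefers not logging them at all)."""
    return {k: v for k, v in fields.items() if k.lower() not in SENSITIVE_FIELDS}

def audit(log: list, now: float, outcome: str, status: int, client_id: str, req: dict) -> None:
    """One JSON line per decision, success and failure alike, so the SIEM parses it directly."""
    entry = {"ts": now, "outcome": outcome, "status": status, "client": client_id, "method": req.get("method"),
             "path": req.get("path"), "headers": redact(req.get("headers", {}))}
    log.append(json.dumps(entry, sort_keys=True))

def gateway(req: dict, limiter: RateLimiter, log: list, now: float) -> int:
    """Gateway entry point: returns the HTTP status and records every decision."""
    client_id = req.get("client_id", "anonymous")
    # Token validation (signature, expiry, scope) is assumed to happen in the OAuth 2.0 STS;
    # this example only checks that a bearer token was presented at all.
    if not req.get("headers", {}).get("Authorization", "").startswith("Bearer "):
        audit(log, now, "denied_unauthenticated", 401, client_id, req)
        return 401
    if not limiter.allow(client_id, now):
        audit(log, now, "denied_rate_limited", 429, client_id, req)
        return 429
    audit(log, now, "allowed", 200, client_id, req)
    return 200

def demo() -> tuple:
    # Constructed traffic: one client bursts past its limit, then one request arrives without a token.
    limiter, log = RateLimiter(limit=3, window=60.0), []
    base = {"client_id": "mobile-app", "method": "GET", "path": "/accounts/balance",
            "headers": {"Authorization": "Bearer <constructed-token>", "X-Request-Id": "r1"}}
    statuses = [gateway(base, limiter, log, now=float(t)) for t in range(4)]
    statuses.append(gateway({**base, "headers": {"X-Request-Id": "r5"}}, limiter, log, now=4.0))
    return statuses, log
```

Every denied request still produces a log line, which is what lets the SIEM correlate brute-force or flooding patterns across gateway instances; the bearer token itself never appears in any line.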