Cyber Defense eMagazine October Edition for 2021

What data security risks do communication APIs and CPaaS create?
The integration of CPaaS services and Application programming interfaces (APIs), often used by CPaaS
providers to deliver added value, can be infiltrated by sophisticated attackers to modify content during
transmission. Sometimes, open APIs leave data exposed, making them vulnerable to attacks such as
unwanted access to API infrastructure resulting in potential data leakage. A famous example of a data
leak was when Facebook's API got exploited, compromising users' information. Although most
enterprises won’t have the same level of open API access that caused the Facebook data breach – the
same principles apply.
With API abuse, a bad actor, having obtained stolen credentials, can, depending on the level of access,
manipulate a company’s budget, steal personal information, and even lock an enterprise out of its own
API and CPaaS systems. Similarly, unsecured code can jeopardize a business, leaving it susceptible to
further data security risk. Besides the loss of revenue and productivity often associated with data
breaches and network downtime, the erosion of customer trust is perhaps the most long-term
consequence of a data breach due to compromised APIs and CPaaS solutions.
Having secure communication, and by extension, a secure CPaaS provider is an essential business
requirement. Any organization that communicates with its customers, employees and suppliers and
collaborates with devices must prioritize the devolvement of a security strategy.
Selecting a safe and secure CPaaS Vendor
When selecting a CPaaS vendor, they must prove their commitment to security – it cannot be an
afterthought. Some initial checklist investigations include examining the vendor’s certifications and the
maturity of those certifications. Note, some vendors perform self-certification processes to fluff up their
resumes. By confirming the level of encryption that the CPaaS provider offers, companies can make a
more accurate judgment of the vendor’s security capabilities. Enterprises should also understand what
processes and tools CPaaS vendors use to keep communications safe. Likewise, it’s helpful to send a
thorough questionnaire to several vendors to rate their security prioritization. Having multiple choices,
complete with notes and ratings, will provide an organization’s IT team with a more holistic view of their
options.
Beyond these preliminary inquiries, other best security practices for selecting an apt CPaaS vendor
involve consistently calculating the risk verse benefit. Given that every company will at one point in time
experience an unexpected circumstance after implementation, it’s always suitable to complete a
risk/benefit assessment. After companies have selected a CPaaS vendor and the implementation
process is complete, organizations must focus their attention on endpoint management (laptops, mobile
phones, and PCs) as it is necessary to protect the cloud network and customer data. An ideal CPaaS
partner will have available teams ready to assist customers with issues or projects that might arise or
direct the client's attention to necessary system changes and patches. Such updates could include
replacing a cipher suite or an algorithm for a certain circuit; it is helpful for organizations themselves to
be up-to-date on CPaaS standards.
Cyber Defense eMagazine – October 2021 Edition 65
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.