Some business software belongs together. For example, it makes sense to integrate your HR system with your payroll system. But depending on how you go about this, your HR system integration could be setting you up for a personal data breach.
Today, we’re talking about the risks you should look out for when using an API to integrate your HR system with other software solutions, so that you can avoid putting sensitive employee data at risk.
What is an integration, and what is an API?
Integrating two systems lets them work together from the same data, saving you from having to input the same data twice. For example, you might integrate a Customer Management System like Salesforce with a Marketing Automation Platform like Mailchimp, to send monthly newsletters to your customers – without having to copy and paste their names and email addresses from one system to the other.
Many business systems already have integrations built into their interface, meaning they can share data with other platforms straight out of the box. Some systems provide users with an API, allowing them to build their own custom integrations with other systems.
API stands for Application Programming Interface, and is essentially a recipe book of protocols. Developers use the instructions within the API to connect two pieces of software together. A good API provides all the building blocks that a programmer needs to put the integration together.
API keys are ‘the keys to the cloud kingdom’
Because an API key has the power to potentially access all of your private, sensitive data, it is vitally important that you keep it protected.
“API keys essentially represent the ‘keys to the cloud kingdom’” explains Chris Smith, Sr. Manager at CyberArk, a leading international cybersecurity provider. “But despite this far-reaching power, these keys are often relatively unprotected. Securing API keys is critical for HR departments, as the information stored in HR systems is often sensitive employee data – such as financial and payroll information, home addresses and more.”
I asked Chris how organisations can protect their API key against abuse, and he told me that there are four steps every organisation should follow.
Four steps to securing your API key
Cybersecurity expert Chris Smith gave me a list of four steps that organisations should follow to ensure their API keys are secure:
- Discover and enumerate all keys. There are discovery tools you can use to scan cloud environments, and pinpoint where API keys and other secrets exist.
- Remove embedded API keys. If you’re embedding API keys within scripts, applications or automation tools, where the source code can be seen by other people, then they could potentially use this information to access private data.
- Secure API keys in a centralised vault. Only give authorised users or applications access to the vault where your API keys are stored.
- Automate the rotation and secure use of credentials. This helps protect your API keys in the event that credentials are compromised.
So what if a hacker still somehow gains access to your API key, despite the above steps? There is still more you can do to help render the API key useless even if it does fall into the wrong hands.
Restrict API keys by IP as an extra security precaution
Regardless of how firmly you protect your keys, it pays to put ‘what if’ measures in place, just in case. Imagine somebody on the other side of the country with access to one of your API keys – they could potentially exploit your HR system integration to siphon sensitive data for their own use.
“By restricting API keys by specific IP addresses” says Chris, “organisations can reduce the impact of a compromised API key, stopping an attacker from moving laterally through the network and compromising more systems.”
By specifying the authorised IP addresses from which an API key can actually be used, you are adding one more obstacle for a would-be attacker. They need not only to gain access to your API key, but also to be working from a specific IP address in order to actually use it.
API data minimisation for GDPR compliance
Some APIs are too broad in the types of data they let you share. Ideally, you want an API that lets you pinpoint the precise pieces of data you need to share between systems.
“The API you are using should let you get as granular as possible, to avoid over-sharing data that you don’t need to use” explains Sukhjinder Singh, CTO and Data Protection Officer at People HR. “For example, if you want to share holiday data from an employee’s record, then you want the API to let you ask only for their name and holiday information. If the API only lets you ask for everything on the employee record, you’re needlessly pulling sensitive information such as their address, possibly their bank details, and more. Ensuring the API key pulls only the specific data you need helps you to satisfy the purpose limitation and data minimisation principles of GDPR.”
CAPTION: People HR lets you generate API keys that pull very specific types of data from your HR system.
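One way to enforce both of the controls described in this section and the previous one (the per-key IP allowlist and the per-key field scope) on the server side, as an added example that is not People HR's or CyberArk's code; the key store, IP range and employee record are constructed for the demonstration:

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class ApiKey:
    allowed_cidrs: Tuple[ipaddress.IPv4Network, ...]  # networks the key may be used from
    allowed_fields: FrozenSet[str]                     # the only employee fields it may read

# Constructed key store, keyed by the presented credential (in production, by its hash):
# one key issued to a holiday-planner integration, pinned to the 203.0.113.0/24
# documentation range (a placeholder, not a real office address).
KEYS = {
    "hol-planner-01": ApiKey(
        allowed_cidrs=(ipaddress.ip_network("203.0.113.0/24"),),
        allowed_fields=frozenset({"name", "holiday_allowance", "holiday_taken"}),
    ),
}

# Constructed employee record holding more than the integration should ever see.
EMPLOYEE = {
    "name": "A. Example",
    "holiday_allowance": 25,
    "holiday_taken": 7,
    "home_address": "1 Example Street",
    "bank_account": "00-00-00 12345678",
}

def authorise(key_id: str, client_ip: str) -> Optional[ApiKey]:
    """Return the key only if it exists and client_ip is inside its allowlist.
    client_ip must be the socket peer address (or what your own trusted reverse
    proxy sets), never a caller-controlled header such as X-Forwarded-For."""
    key = KEYS.get(key_id)
    if key is None:
        return None
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:  # malformed address: fail closed
        return None
    return key if any(addr in net for net in key.allowed_cidrs) else None

def fetch_employee(key_id: str, client_ip: str, requested: Set[str]) -> Optional[dict]:
    """Serve only the fields the key was issued for. Asking for anything outside
    that set is refused outright rather than silently trimmed, so an over-broad
    integration shows up as an error in the audit log instead of quietly getting data."""
    key = authorise(key_id, client_ip)
    if key is None or not requested <= key.allowed_fields:
        return None
    return {f: EMPLOYEE[f] for f in requested}
```

The refusal on over-broad requests is a deliberate choice: it makes a misconfigured integration visible in logs rather than letting it receive data it was never meant to see.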
What to look for in a good API
If you’re planning on building an HR system integration yourself, then choosing HR software with a secure API will be high on your list of priorities. I spoke to tech expert Jack Bedell-Pearce, Managing Director of 4D Data Centres, who gave me a list of recommendations to help you with your search:
- Hide implementation details. No detail about how the API works or is implemented should be disclosed to the end user.
- SSL communication with a trusted RSA 2048-bit certificate. Communication should always take place over an encrypted, secure channel between endpoints.
- Hashed passwords. Passwords should only ever be sent as SHA-256 hashed strings and never in plain text.
- Auditing and logging. Ensure that use of all functions, authentication attempts and API methods is logged in a systematic and independent manner, with secure access to logs to protect against injection attacks and unauthorised users.
- Quotas and throttling. The API should have daily limits on total requests, and maximum requests-per-second limits.
- Network security. The firewall should allow only the required HTTP methods and TCP ports.
This is not an exhaustive list. But it should help you or your technical team work with your preferred vendor to identify if their API is ticking the right boxes.
People HR has a secure, easy to use API, which you can even use in a safe, sandboxed test environment via our full Developer Utility. Explore the People HR API here.