Friday, 14 March 2014

API Security - A blessing and a curse

One of the key parts of corporation recruitment is background checking your members.  A lot of people ask for API keys to vet recruits, and it's commonly thought of as the number one thing to do when recruiting.  I disagree.  API checking, done the way most corporations do it, is BAD!

What is API checking?
API checking is the act of taking a new recruit's API key, going through the information it exposes, and working out whether they are likely to be a spy.  It often goes hand in hand with an interview-style process, so questions can be raised about portions of the provided data to clarify whether they are something to worry about.

API checking is good for catching obvious spies and awoxers, but you will never catch every spy and you will never stop every awox.  If someone with experience in intel wants to get a spy or an awoxer in, they will, and there's nothing you can do to stop them.  A lot of people like to encourage API checking and point out all of the positives, but they overlook a problem that API checking introduces: the false sense of security.

False sense of security
Checking API keys gives a leader a sense of security: they have done their background checks, so they feel safer.  But spies can still infiltrate a corp and awoxers can still get in too.  An API key shows a character's history, not their intent, and all it takes is an account clean enough to pass the target corporation's level of scrutiny.

Since awoxers and spies will get in anyway, the corporation is in fact no more secure than it was before.  Any one or more of its members could be in the corporation for illegitimate purposes.  But the sense of security provided by the API check will often make CEOs more comfortable, and make the rest of their security measures more relaxed.  People are more willing to grant roles and titles once an API check has been done, even though the member could still be a spy.

From experience, corporations that have API checks in place are on the whole harder to get into (though not substantially harder, only a minor inconvenience), but considerably easier to maneuver into a good position once on the inside.  Corporations that have no API security tend to be incredibly tight on role security, which makes it much more difficult for a spy to get into a position where they can cause any real damage.

The solution
The solution is pretty straightforward: assume all of your members are spies.  If you simply assume every member is in the corporation as a spy or an awoxer, you'll put more effort into ensuring they can't do anything bad.  You won't hand out roles so swiftly, and you'll keep sensitive information restricted to the people who actually need it.

You can still use API keys to vet your members, but don't let yourself fall into a false sense of security.  If people want to move up the ranks you'll need to vet them, and API keys are a reasonable part of that, but a clean API check should never be taken as evidence that it's fine to hand them masses of roles.  Take API verification with a pinch of salt, and never let the rest of your security lapse.