Enable Secure API Access with Raidiam
Sharing API keys is no longer a secure way to exchange sensitive data with other organisations. Today, organisations use OAuth authorization servers to protect the APIs on their gateways, relying on the OAuth and OpenID Connect (OIDC) protocols for client authentication and access token issuance.
However, merely placing an authorization server in front of a gateway isn’t sufficient for trust. How can organisations ensure that only accredited entities access valuable data in a network of internal business units, partners, and customers?
This is where Raidiam comes in, providing a Trust Framework that enables secure data sharing among accredited participants in complex ecosystems.
The Challenge: Enabling Secure API Access
Enterprise-level organisations, often shaped by acquisitions and non-organic growth, face fragmentation across multiple business units and entities. Furthermore, partners and customers seek to integrate with the organisation’s APIs, adding to the complexity. This fragmentation leads to duplicated application identities, complicating access management. To address these challenges, organisations aim to unify API access, enhance service quality, and improve governance by establishing trust between all participants.
The Solution: Enable Secure API Access with Raidiam Trust Framework
The Raidiam SaaS Platform empowers organizations to establish, secure, and manage their own data-sharing ecosystems or federations. By building Trust Frameworks, it ensures that all participants can trust one another and share data securely.
Raidiam's Trust Framework is a set of standards, protocols, and components designed to establish trust and facilitate secure data sharing between organizations. It offers a robust framework for authentication, authorization, and encryption, safeguarding data integrity and confidentiality throughout the sharing process.
Enterprise-level organisations can benefit greatly by using Raidiam's:
- Centralized Directory as a B2B Identity Provider for Organisations and Their Technical Resources
- Public Key Infrastructure with Certificate Authority and Key Stores
B2B Identity Provider for Organisations and Their Technical Resources
Raidiam's Built-in Centralized Directory acts as a B2B Identity Provider for Organisations. Onboard an Organisation only once and enable it to discover other organisations, their applications, APIs, and authorisation servers -- making it much quicker for any participant to integrate with others.
Enable organisations to register their applications. These apps can then be registered at different authorisation servers using OAuth Dynamic Client Registration, or registered automatically by the server in an OpenID Federation for API access.
Delegate Organisation Administration to employees of a particular business entity, partner, or the customer, reducing the administrative overhead on your side. What if organisations need to be able to communicate with each other? No worries - you can add designated organisation contacts, too.
Public Key Infrastructure with Certificate Authority and Key Stores
What's the point of having multiple Authorization Servers if there is no common entity your applications and servers can trust? Using Raidiam's Public Key Infrastructure, enable your own, your partners', or your customers' applications to:
- Create, manage, distribute, use, store, and revoke digital certificates for secure channel connections with mTLS and for mTLS-based client authentication methods.
- Ensure the security and integrity of data by using public and private key pairs for signing and encryption of messages sent between the server and applications.
Certificates for mTLS, tls_client_auth, and Bound Tokens
Raidiam’s Certificate Authority (CA) issues the certificates the participants can use to:
- Establish secure communication via mTLS, where both the server and the client application exchange certificates issued by Raidiam’s trusted CA.
  Mutual TLS (mTLS) ensures that both parties in a communication channel (the server and the client) authenticate each other by verifying their respective certificates.
  This creates a bidirectional layer of trust, preventing unauthorized access from either side. By using certificates issued by Raidiam’s CA, organizations ensure that both the server and the client come from a trusted source. This setup eliminates the risk of rogue clients or servers participating in the data exchange.
- Authenticate client applications using OAuth mTLS Client Authentication.
  By moving away from less secure mechanisms like API keys and instead binding access to certificates, Raidiam ensures a higher degree of security. Each certificate represents a trusted party, reducing the risk of unauthorized access and making client authentication more reliable.
- Bind access tokens to the mTLS communication channel using OAuth Certificate Bound Access Tokens.
  Authorization servers can issue tokens that are tied to specific certificates, ensuring that only the party possessing the correct certificate can use the token.
  This approach mitigates the risks associated with token theft or replay attacks. Even if a token is intercepted or stolen, it cannot be used by an attacker unless they also have the corresponding certificate.
This approach creates a unified trust model where all participants trust the same Certificate Authority. By leveraging certificates and mTLS, organizations ensure secure API access, allowing only trusted entities to share data.
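The three mechanisms above, as an added example that is not Raidiam's code and not code from the original page: a Go program, using only the standard library, that runs one mTLS exchange over loopback TCP. A constructed self-signed CA stands in for the ecosystem CA, the API server accepts only client certificates chained to that CA, and after the handshake it compares the token's cnf x5t#S256 thumbprint (RFC 8705) with the certificate the client actually presented. The CA name, the hostname api.example, the application names and the response strings are all constructed for the example; the token itself is represented only by its cnf value, so the token signature check is left out to keep the focus on the binding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"time"
)

// Thumbprint is the RFC 8705 "x5t#S256" confirmation value: base64url(SHA-256(DER cert)).
func Thumbprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// MakeCert issues a P-256 certificate: a self-signed CA when parent is nil (a constructed
// stand-in for the ecosystem CA), otherwise a leaf named cn signed by parent.
func MakeCert(cn string, parent *tls.Certificate, eku x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent signs
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil // a CA carries no EKU
	} else {
		signer, signerKey, tmpl.DNSNames = parent.Leaf, parent.PrivateKey, []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Exchange runs one mTLS request over loopback TCP with both ends trusting only the shared
// CA pool. The server demands a client certificate and, after the handshake, serves the
// request only if the token's cnf thumbprint matches the certificate it actually saw.
func Exchange(srv, cli tls.Certificate, trust *x509.CertPool, tokenCnf string) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // the client has already received a TLS alert explaining the rejection
		}
		// PeerCertificates[0] was verified against ClientCAs during the handshake.
		if tokenCnf == Thumbprint(tc.ConnectionState().PeerCertificates[0]) {
			fmt.Fprint(tc, "200 accounts payload")
		} else {
			fmt.Fprint(tc, "401 token bound to another certificate")
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{cli},
		RootCAs: trust, ServerName: "api.example", MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", fmt.Errorf("client rejected server: %w", err)
	}
	defer conn.Close()
	// A TLS 1.3 server checks the client certificate after the client's handshake has
	// returned, so a rejected client certificate surfaces here as a read error.
	body, err := io.ReadAll(conn)
	if err != nil {
		return "", fmt.Errorf("server rejected client: %w", err)
	}
	return string(body), nil
}

func main() {
	ca, _ := MakeCert("Ecosystem CA", nil, x509.ExtKeyUsageAny)
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	api, _ := MakeCert("api.example", &ca, x509.ExtKeyUsageServerAuth)
	appA, _ := MakeCert("app-a", &ca, x509.ExtKeyUsageClientAuth)
	appB, _ := MakeCert("app-b", &ca, x509.ExtKeyUsageClientAuth)
	cnf := Thumbprint(appA.Leaf) // the value the authorization server wrote into app-a's token
	fmt.Println(Exchange(api, appA, trust, cnf)) // 200 accounts payload <nil>
	fmt.Println(Exchange(api, appB, trust, cnf)) // 401 token bound to another certificate <nil>
}
```

The first exchange succeeds because app-a presents the certificate its token is bound to; the second fails at the binding check because app-b's certificate has a different thumbprint, even though app-b holds a valid certificate from the same CA. A client whose certificate chains to a CA outside the trust pool never reaches the binding check at all: the server aborts the handshake with a TLS alert, which is the "single CA everyone trusts" property the text describes. The thumbprint is compared with a plain string comparison because it is not a secret value.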
Public and Private Key Pairs for Signing and Encryption
Generate public and private key pairs that you can use for:
- Signed Messages
  Applications requesting data can use their private key to sign messages, creating a JWT (RFC 7519). This signature ensures the message's authenticity and integrity, verifying that it comes from a known source and hasn't been altered. It also provides non-repudiation: the sender cannot deny having sent the signed message.
- Encrypted Messages
  For secure data exchange, applications can encrypt messages using the recipient's public key, generating a JWE (RFC 7516). Only the recipient’s private key can decrypt the data, ensuring confidentiality. If intercepted or tampered with, the encrypted message will remain unreadable and invalid.
- Server-Client Communication with mTLS Certificates
  Certificates aren't keys themselves but contain the subject's public key, signed by a Certificate Authority (CA) using the CA's private key. The public key in the certificate enables secure communication, allowing clients to encrypt messages that only the server can decrypt, or to verify messages signed by the server.
  When a server presents its certificate, the client uses the CA's public key (which it trusts) to verify the certificate’s authenticity, ensuring the server's identity and the integrity of the certificate.
Leverage a public key store to allow other organizations to easily retrieve your public keys for signature verification or message decryption. Simplify compliance with Financial Grade API (FAPI) requirements for message signing and encryption.
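The signed-message case above, as an added example that is not code from the page or from Raidiam: a Go program, standard library only, that signs a JWT with ES256 (ECDSA P-256, RFC 7515/7518) and verifies it with the sender's public key. The kid value, the application key and the claims are constructed; in the ecosystem the public key would be the one other organisations retrieve from the key store under that kid. The program shows the two things signature verification exists to catch: claims altered after signing, and a signature made under a different organisation's key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url (RFC 7515)

// SignES256 produces a compact JWS (header.payload.signature) over claims using
// ECDSA P-256 with SHA-256, the ES256 algorithm of RFC 7518. The kid header tells
// verifiers which published public key to fetch from the key store.
func SignES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS encodes an ECDSA signature as R||S, each left-padded to 32 bytes, not as ASN.1.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 checks the signature with the sender's public key and returns the
// claims only if the message is authentic and unmodified. The verifier pins the
// algorithm itself instead of trusting whatever alg the token header announces.
func VerifyES256(pub *ecdsa.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid: wrong key or content altered after signing")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// AlterPayload keeps the original signature but swaps in different claims, which is
// what a message modified in transit looks like to the verifier.
func AlterPayload(token string, claims map[string]any) string {
	parts := strings.Split(token, ".")
	payload, _ := json.Marshal(claims)
	return parts[0] + "." + b64.EncodeToString(payload) + "." + parts[2]
}

func main() {
	// Constructed key for the requesting application; in the ecosystem its public
	// half would be published through the key store under this kid.
	appKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	claims := map[string]any{"iss": "app-a", "aud": "api.example", "iat": time.Now().Unix(), "scope": "accounts.read"}
	token, _ := SignES256(appKey, "app-a-key-1", claims)
	_, err := VerifyES256(&appKey.PublicKey, token)
	fmt.Println("genuine message:", err) // <nil>
	claims["scope"] = "payments.write"
	_, err = VerifyES256(&appKey.PublicKey, AlterPayload(token, claims))
	fmt.Println("altered message:", err) // signature invalid: ...
}
```

Two design points carry over to any real deployment: the verifier decides the algorithm from its own configuration and rejects anything else, so the alg header can never downgrade the check, and the public key is selected by kid from a trusted key store rather than from anything embedded in the message. Encryption (JWE) is the separate, symmetric case of the same key distribution: the sender fetches the recipient's public key from the store instead of publishing its own.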
Conclusion
API security requires more than authorization servers and OAuth tokens. To ensure secure data exchange across a network of trusted participants, organizations need a framework that simplifies the onboarding of participants and enforces mutual trust.
Raidiam’s Trust Framework provides exactly that by enabling the use of mTLS, certificate-bound tokens, and a unified Certificate Authority that all participants rely on.
With Raidiam, organizations can secure API access using cryptographic certificates and keys, ensuring that only authenticated and trusted entities can communicate. This approach strengthens the security posture and meets stringent requirements like those defined by FAPI.