
In our current project, IT rules prohibit anything that is not PROD to be publicly accessible from the Internet. Access to development and review environments must be severely restricted. That said, the project also includes mobile apps that are developed together with the cloud-hosted API layer.

In very general terms, what are the common approaches to securing DEV / REVIEW-stage APIs with mobile apps? We've come up with the following ideas:

  • IP whitelist on the ingress to the API (least secure, but easiest to use)
  • VPN gateway to the hosting environment, with corresponding DEV / test devices configuration
  • Mutual TLS authentication (most difficult to implement and operate)

There are multiple issues to address with each one of the approaches, but I'd like to understand the big picture before diving into any of that.

Thanks in advance!
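An added illustration, not part of the question or the comments: the first and third approaches from the list (IP allowlist on the ingress, mutual TLS) expressed as a single nginx server block in front of a DEV API. Hostnames, address ranges, certificate paths and the upstream name are placeholders; the CA, server and per-device client certificates are assumed to be issued by an internal DEV CA that is separate from anything used in PROD.

```nginx
# Added example (not from the question): nginx ingress in front of a DEV API.
# Both controls must pass before a request is proxied (satisfy all):
#   1. source IP allowlist        (approach 1 in the question)
#   2. client-certificate check   (approach 3, mutual TLS)
# Every address, path and name below is a placeholder.

server {
    listen 443 ssl;
    server_name dev-api.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/dev-api.crt;  # server cert (placeholder)
    ssl_certificate_key /etc/nginx/tls/dev-api.key;

    # Mutual TLS: only clients presenting a certificate chained to the
    # internal DEV CA are accepted. Test devices get a per-device cert from
    # that CA, so a lost phone is handled by revoking one cert (ssl_crl)
    # instead of editing the IP allowlist.
    ssl_client_certificate /etc/nginx/tls/dev-client-ca.pem;   # placeholder
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # IP allowlist: office egress and the VPN gateway pool (placeholders
    # taken from the RFC 5737 documentation ranges).
    satisfy all;
    allow 203.0.113.0/24;      # office egress
    allow 198.51.100.10;       # VPN gateway (approach 2 feeds into this)
    deny  all;

    location / {
        proxy_pass http://dev-api-backend:8080;      # placeholder upstream

        # Hand the verified client identity to the API so that request logs
        # and per-device authorisation can use it; the API should treat
        # these headers as trustworthy only because nginx set them.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Verify  $ssl_client_verify;
    }
}
```

Two practical notes on this layout. The allowlist alone does not fit mobile testers on cellular networks, whose source addresses are neither stable nor predictable; that is why the VPN gateway address is in the list, so devices reach the ingress through it. With `ssl_verify_client on`, a client that sends no certificate is rejected with HTTP 400 before any upstream request is made; switching to `ssl_verify_client optional` and checking `$ssl_client_verify` inside the location is a way to log failures during rollout without opening the API.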

  • Here are some options to consider: 1) Review host-based intrusion detection systems (HIDS): Firewall+IDS and separate DMZ of VMs with webservers with IDS agents installed; 2) separate subnet (Firewall with IDS) and separate DMZ of VMs/webservers with IDS agents installed; 3) Just in Time access (refer to the MS Azure cloud JIT); 4) SSH tunneling – LLub Feb 21 '19 at 10:02
  • See the post on SO for a good answer: https://stackoverflow.com/questions/54802376/secure-api-access-with-mobile-apps-in-restricted-environments – Ilya Ayzenshtok Feb 22 '19 at 12:54

0 Answers