商户密钥和api密钥_API密钥在云中的重要性

商户密钥和api密钥

Similar to the SSL keys, API keys too are being considered to be an important factors for strengthening security in Cloud Hosting environment.

与SSL密钥相似，API密钥也被视为增强Cloud Hosting环境中安全性的重要因素。

There have been a lot of concerns and disagreements about the data Security in Cloud. Hence there are many new advancements that are happening with an interest of improving the data security in Cloud. Many enterprises have started to make use of some form of API keys for accessing the cloud services. Therefore, protecting the API keys has become crucial as well. The information described in this article, would help understand the issues that comes without an invitation when protecting API keys, and offer few solutions to these concerns.

对云中的数据安全性存在很多担忧和分歧。 因此，为了改善Cloud中的数据安全性，正在发生许多新进展。 许多企业已开始使用某种形式的API密钥来访问云服务。 因此，保护​​API密钥也变得至关重要。 本文中描述的信息将帮助您理解保护API密钥时不需邀请的问题，并针对这些问题提供很少的解决方案。

The crucially important API Keys would be realized in the near future and enterprises would be able to better understand the necessity of protecting these keys. These keys FYI. would offer a direct access to your cloud hence the data stored in it. Incase an enterprise, firm or the company tends to overlook severity of managing the API’s, then it goes unsaid that they are inviting risks ie. (a) Users who are not authorized to access confidential information and (b) The increasing amount of credit card bills just because some unauthorized individual has got an access and the Cloud’s pay-per-use tracker is monitoring the resource consumption in your Public or Shared cloud.

至关重要的API密钥将在不久的将来实现，企业将能够更好地了解保护这些密钥的必要性。 这些键仅供参考。 可以直接访问您的云，因此可以存储其中的数据。 如果一个企业，公司或公司倾向于忽视管理API的严重性，那么就不用说它们正在招致风险。 (a)未经授权访问机密信息的用户，以及(b)信用卡账单数量的增加，仅仅是因为某些未经授权的个人可以访问，并且Cloud的按使用情况付费跟踪器正在监视您的Public或共享云 。

This is similar to having a credit card of yours without your knowledge or consent and making purchase.

这类似于在您不知情或未同意的情况下拥有您的信用卡并进行购买。

Most of the Cloud hosting services are being accessed via. a traditional web interfaces. While some others use a REST Web Services, which are also known as API’s. There is a similarity in the concepts that exists in the much heavier C++ or Visual Basis APIs of the past. But are bit more simpler and can be influenced via. Web page or even through a cell phone. Hence it can be noticed universally. To cut it short, the API Keys are brought to use for the purpose of accessing the Cloud services. Today with the increasing number of organisations using Cloud, more-and-more of them are getting connected to the cloud services through their own premises, further without their knowledge they are also getting connected to some other cloud of some other company. Therefore, it becomes even necessary that the connections are established securely.

大多数的云托管服务都可以通过访问。 传统的Web界面。 有些则使用REST Web服务，也称为API。 过去使用的较重的C ++或Visual Basis API中存在的概念存在相似之处。 但是更简单一些，可以通过它来影响。 网页甚至通过手机。 因此，它可以被普遍注意到。 简而言之，为了访问云服务而使用了API密钥。 如今，随着越来越多的组织使用云计算，越来越多的组织通过自己的场所连接到云服务，而且在不知情的情况下，他们也正在连接到其他公司的其他云。 因此，甚至必须安全地建立连接。

Consider an example where a company is using a SaaS for the purpose of offering its employees an access to Gmail, then they’d generally get an API key from Google for enabling the single sign-on. Such an API key offered by Google would be valid only for that company and would enable users to get an access to their Gmail accounts.

考虑一个示例，其中一家公司使用SaaS来向其员工提供对Gmail的访问权限，然后他们通常会从Google获得API密钥以启用单点登录。 Google提供的此类API密钥仅对该公司有效，并使用户能够访问其Gmail帐户。

如何保护API密钥？ (How to secure the API keys ? )

Similar to any password or any private key, API keys too needs to be kept secure. This might have given you a hint that, these keys should not be stored as files over your file system nor should it be encapsulated within an applications. They should rather be stored encrypted.

与任何密码或任何私钥相似，API密钥也需要保持安全。 这可能会提示您，这些密钥不应作为文件存储在文件系统上，也不应封装在应用程序中。 他们应该加密存储。

The below solutions can be used for managing your API keys :

以下解决方案可用于管理您的API密钥：

A) Sending out Emails containing the API’s : It is usually a common practise observed in many companies, where the API keys are sent via. emails to developers so that they can include it in the website codes. Such a practice is way too casual and can hamper your data security.

A)发送包含API的电子邮件 ：在许多公司中，API密钥是通过发送的，这是通常的惯例。 通过电子邮件发送给开发人员，以便他们可以将其包含在网站代码中。 这种做法太随意了，可能会影响您的数据安全性。

B) Configuration Files: Furthermore, it has also been observed that, the developers include an API key within a configuration file in-a-way that it can be easily found. If you are among such individuals, then you must start considering API keys as something that is equally important as the SSL keys and are required to be managed with optimum care. Rather, incase the API keys fall in the wrong, it can cause serious damage than that in the case when private SSL keys gets disclosed.

B) 配置文件：此外，还观察到，开发人员以一种易于找到的方式将API密钥包含在配置文件中。 如果您属于此类人士，那么您必须开始考虑将API密钥视为与SSL密钥同等重要的事物，并且需要对其进行最佳管理。 相反，如果API密钥输入错误，则与公开私有SSL密钥的情况相比，它可能导致严重的损害。

C) Security Keys Inventory : One of the methods for avoiding concerns regarding managing API keys is to implement specific security policy about the keys. This can help you with keeping an inventory of API keys. Most of the organisation implement an alternative way by adopting an ad hoc approach for maintaining a track of their API keys.

C)安全 密钥清单 ：避免担心管理API密钥的方法之一是实施有关密钥的特定安全策略。 这可以帮助您保留API密钥的清单。 大多数组织都采用一种临时方法来维持其API密钥的跟踪，从而实现了另一种方法。

The below queries can be raised inorder to effectively managing the keys :

为了有效地管理密钥，可以提出以下查询：

Question i : What is the purpose of a specific key and what is it used for ?

问题i：特定密钥的用途是什么？

Question ii : Who would be the point of contact that would be responsible for specific keys?

问题ii：谁将是负责特定密钥的联系人？

Question iii : Does there exist an expiry strategy inorder to manage the expiration of a particular key? How would you be alerted about the approaching expiry? Incase you haven’t laden specific plans about managing the expired or the expiring API keys, it can result in chaos upon expiry of the passwords.

问题iii：是否存在用于管理特定密钥过期的过期策略？ 您将如何收到即将到期的警报？ 如果您没有关于管理过期或过期的API密钥的具体计划，则密码过期后可能会造成混乱。

D) Secure and Encrypted File Storage: Many-a-times it may so happen that the developer implements their own security for API keys, this might sometimes be a gamble. Despite the fact that the developer might be aware about the seriousness of the API keys and try to place it in some hard to reach location or by implementing some encryption algo. But it somebody does find an access to that location, it can easily be publicised in no time.

D)安全和 加密的文件存储：开发人员为API密钥实施自己的安全性很多时候，这有时可能是一场赌博。 尽管开发人员可能已经意识到API密钥的严重性，并尝试将其放置在某些难以到达的位置或通过实施某种加密算法来进行开发。 但是有人确实找到了该位置的访问权限，因此可以随时轻松地将其发布。

Considering all these varied aspects, it becomes crucial any organisation using Cloud Hosting for carrying out the business activities to give equal importance to API keys similar to the way they give to SSL keys. API keys and its management is a serious and a sensitive area, hence should be handled with enough care and caution. This would in-turn enable you to have a secure Cloud Hosting experience and keep your credit card bills restricted to only what you’ve actually used.

考虑到所有这些不同的方面，对于使用Cloud Hosting进行业务活动的企业来说，使其对API密钥的重视程度与对SSL密钥的赋予方式一样，具有至关重要的意义。 API密钥及其管理是一个严重且敏感的领域，因此在处理时应格外小心。 反过来，这将使您拥有安全的Cloud Hosting体验，并将信用卡账单限制在仅实际使用的范围内。

翻译自: https://www.eukhost.com/blog/webhosting/importance-of-api-keys-in-cloud/

商户密钥和api密钥