API

Hi,

I've been exploring the API more extensively, and overall, it's been a great experience. However, I have some serious security concerns about the current setup where we only have one API key that has full access (Read/Write/Delete) to the system.

From a security standpoint, this poses a significant risk because:

  • The single key represents a single point of failure. If compromised, it could allow unauthorized access to all functionalities, which could lead to severe data breaches or unauthorized actions.
  • There is no way to enforce the principle of least privilege, meaning that even actions that only require read access are unnecessarily given write and delete capabilities, increasing the risk of accidental or malicious misuse.
  • It limits our ability to track and audit specific actions within the system since all operations are tied to the same key.
  • In case the key needs to be rotated or revoked, it would disrupt all services depending on it, potentially causing downtime.

I’ve spoken to support, and they mentioned that introducing more granular API keys is on the roadmap, which is great to hear. However, given the security implications, I strongly believe this should be prioritized and bumped up the queue. Enhancing the API’s security by allowing multiple keys with customizable permissions would significantly mitigate these risks and improve overall operational security.

Tagged:

Comments

  • COOLNETAU
    COOLNETAU Member Posts: 58 ✭✭

    This is a great point.

    Syncro get around it by making it work only via their agent without an API key needing to be present

    might I also suggest including the Atera PS module into the agent itself so that an agent can run an API based script without extra setup

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    Thank you!

    I have this marked twofold, both with our security team and the product one, your explanation makes sense for my less-informed rationale, but they might have additional input which I'll happily share.

  • gilgi
    gilgi Administrator, Moderator, Internal Posts: 313 admin

    Hey,

    Our product team had the following to say -
    We are working on improving the API infrastructure, and that his suggestions are very good and we will take them into account

    Certainly helpful, and in good timing for it :)