SOLVED

Security concern with whitelisting the static IP's of Vendors

Khaja_Mohiddin
Level 1

Security concern with whitelisting the static IP's of Vendors

We have a requirement to send SMS notifications to customers from Marketo, and to achieve this we have involved a vendor who will consume our data via the API.

Does adding the vendor's static IP to the whitelist raise any security concerns? We are not sure how much data they will pull from the Marketo database.

Can you please provide suggestions on how to restrict or limit the data?

The API role has read/write permissions on contacts.

ACCEPTED SOLUTION
SanfordWhiteman
Level 10 - Community Moderator

Re: Security concern with whitelisting the static IP's of Vendors

I'm extremely wary of giving direct API access to Marketo to any vendor who doesn't strictly require it (due to shortcomings in their own design).

If they can connect via a URL that you supply, then set up an API gateway, for example using Amazon APIGW. You can grant them access to the gateway using a separate API key, which they'll supply in addition to the client_id and client_secret. This protects your API calls from abuse, so you can ensure that multiple integrations (you will add more later, even if you only have one now) cooperate with each other.

Even better, but somewhat more complex to build in AWS, don't give them the client_id and client_secret at all, but rather manage them within the APIGW config (in a mapping template). This prohibits them from going around the API gateway straight to Marketo, by accident or maliciously, since they don't actually have Marketo credentials.

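The pattern the accepted answer describes, as an added example that is not code from the thread, from Marketo or from AWS: a small credential-holding gateway in front of the Marketo REST API. The vendor authenticates to the gateway with its own key; only the gateway holds the Marketo client_id and client_secret, mints the bearer token itself, and forwards a single read-only lead lookup with a fixed field list and a per-request cap, which is how the original question's "restrict or limit data" is answered in practice. The Marketo paths /identity/oauth/token and /rest/v1/leads.json are the documented ones; the instance hostname, key values, allowed field list, cap and function names are assumptions made for the example.

```python
# Added example (not from the thread): a credential-holding API gateway in front of Marketo.
# Assumptions: instance hostname, key values, allowed fields and the 50-value cap are
# placeholders chosen for the example; only the two Marketo endpoint paths are real.
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

MARKETO_BASE = "https://123-ABC-456.mktorest.com"          # assumed instance URL (placeholder)
MARKETO_CLIENT_ID = "client-id-held-only-by-the-gateway"   # placeholder, never a real secret
MARKETO_CLIENT_SECRET = "client-secret-held-only-by-the-gateway"

# Vendor keys are stored hashed, so a leaked gateway config is not a leaked credential.
VENDOR_KEY_HASHES = {
    hashlib.sha256(b"sms-vendor-key-constructed").hexdigest(): "sms-vendor",   # constructed key
}

# Least privilege for an SMS vendor: read leads, look them up by email only, these fields only.
ALLOWED_ROUTES = {("GET", "/rest/v1/leads.json")}
ALLOWED_FIELDS = {"id", "email", "firstName", "mobilePhone"}
MAX_FILTER_VALUES = 50   # assumed cap; stops single lookups from turning into a bulk pull


@dataclass
class Decision:
    allowed: bool
    reason: str
    upstream_url: str = ""


def authenticate_vendor(api_key: str):
    """Return the vendor name for a gateway key, or None. Constant-time hash comparison."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, name in VENDOR_KEY_HASHES.items():
        if hmac.compare_digest(stored, digest):
            return name
    return None


def authorize(method: str, path: str, query: str) -> Decision:
    """Enforce the allowlist and rebuild the query so only permitted data leaves Marketo."""
    if (method, path) not in ALLOWED_ROUTES:
        return Decision(False, f"route not allowed: {method} {path}")
    q = urllib.parse.parse_qs(query, keep_blank_values=True)
    if q.get("filterType") != ["email"]:
        return Decision(False, "only filterType=email is permitted")
    values = [v for v in q.get("filterValues", [""])[0].split(",") if v]
    if not values or len(values) > MAX_FILTER_VALUES:
        return Decision(False, "filterValues missing or over the per-request cap")
    requested = {f for f in q.get("fields", [""])[0].split(",") if f} or set(ALLOWED_FIELDS)
    denied = requested - ALLOWED_FIELDS
    if denied:
        return Decision(False, f"fields not allowed: {sorted(denied)}")
    # Nothing the vendor sent is forwarded verbatim: the upstream query is rebuilt from scratch.
    clean = urllib.parse.urlencode({"filterType": "email",
                                    "filterValues": ",".join(values),
                                    "fields": ",".join(sorted(requested))})
    return Decision(True, "ok", f"{MARKETO_BASE}{path}?{clean}")


def fetch_marketo_token():
    """Marketo client-credentials exchange (network call): GET /identity/oauth/token."""
    url = MARKETO_BASE + "/identity/oauth/token?" + urllib.parse.urlencode(
        {"grant_type": "client_credentials",
         "client_id": MARKETO_CLIENT_ID, "client_secret": MARKETO_CLIENT_SECRET})
    with urllib.request.urlopen(url, timeout=10) as resp:
        body = json.load(resp)
    return body["access_token"], int(body["expires_in"])


class TokenCache:
    """Holds the bearer token inside the gateway and refreshes it a minute before expiry."""
    def __init__(self, fetch=fetch_marketo_token):
        self._fetch, self._token, self._expires_at = fetch, None, 0.0

    def bearer(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - 60:
            self._token, ttl = self._fetch()
            self._expires_at = now + ttl
        return self._token


def _urllib_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def handle(api_key, method, path, query, tokens: TokenCache, send=_urllib_get):
    """Gateway entry point: authenticate the vendor, authorize the call, inject Marketo creds."""
    vendor = authenticate_vendor(api_key)
    if vendor is None:
        return 401, {"error": "unknown API key"}
    decision = authorize(method, path, query)
    if not decision.allowed:
        return 403, {"error": decision.reason, "vendor": vendor}
    headers = {"Authorization": "Bearer " + tokens.bearer()}   # the vendor never sees this
    return 200, send(decision.upstream_url, headers)
```

With this in place the vendor receives only the gateway hostname and its own key, and the address you whitelist on the Marketo side is the gateway's egress IP rather than the vendor's, so the vendor has no path to Marketo that bypasses the allowlist. Give each vendor its own key so its traffic can be capped, logged and revoked independently of the other integrations that share the Marketo credentials.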
