Maintaining top API-level security in today's cyber landscape
Data breaches, cyberattacks and security concerns are growing exponentially in the digital climate, as new development practices, extra languages, and structural frameworks appear -- compounded by geopolitical tensions giving rise to state sponsored attacks. In 2022 to date, 39 percent of UK businesses have already experienced the disruption and costly consequences of cyberattacks. Some of the largest enterprises, such as Microsoft, T-Mobile, and Vodafone, have experienced attacks by highly organized groups, such as Lapsus$.
With the scale, type of attacks and target industries constantly evolving, the healthcare sector has joined financial services and the public sector in becoming a lucrative target. Healthcare data breaches reached an all-time high in 2021, impacting 45 million people -- personal health information (PHI) became worth more than credit card information on the dark web. Attack approaches are constantly evolving, with hackers searching for any weak links in growing infrastructure.
The rising threat of API-related cybercrime
Although security has become a boardroom issue, the growing trend of API-related cybercrime is perhaps lesser understood and a growing focus of attacks. Research by API security firm Salt Security revealed that API security lapses rose an astounding 681 percent in 2021 and that 94 percent of organizations experienced API security incidents in 2021.
One example of a successful high profile 2021 attack was LinkedIn, where hackers infiltrated APIs to steal data from around 700 million LinkedIn account holders. This data included usernames and IDs, phone numbers, email addresses and more. The criminals then tried to sell this stolen data to cyber criminals on the dark web for other bad actors to carry out their own phishing attacks on unsuspecting organizations.
The importance of effective API management
APIs drive the online world, helping move data from system to system and improving access to applications and services in software architectures. There are APIs for payments (PayPal, Venmo, Stripe, etc.); employee background checks (Checkr and others); healthcare services, marketing data, video uses, and many other purposes.
The use of APIs has grown exponentially in recent years and Gartner predicts the percentage of third-party APIs used in applications to grow from 10 percent in 2021 to approximately 30 percent in a few years. But too much haste in implementation can mean that APIs are poorly secured, allowing cybercriminals to breach systems. Analysts see a clear correlation between the growth of APIs and rapid increase in key security challenges. A Salt Security Q3 2022 report reveals that API attack traffic has doubled in the past 12 months, with customers experiencing an 117 percent increase in API attack traffic.
Prioritizing API management prevents the creation and publishing of APIs without proper security protocols or gateways to safeguard them. Taking the right steps to secure APIs is therefore critical for CISOs and tech leaders.
Methods for avoiding API security lapses
Some clear reasons have surfaced for API security lapses, which often relate to poorly written documentation, unrestricted data exposure, and complacency around authentication procedures. For a robust strategy, tech leaders should focus on:
- Fine-grained access control via API gateways
Hacks via unsecured APIs highlight the need for an API gateway that provides fine-grained access control. An effective API management solution will monitor API uses and who is accessing them, identifying unusual or suspicious patterns. This can alert managers to possible threat actors. API security must be considered at the point of API design; a retrospective approach is not effective.
Those businesses with a defense-first strategy and centralized API governance will minimize risk of a successful breach unlike those companies which overlook dedicated governance protocols.
- Choosing the correct API management solution
API security requires a combination of technology and processes, and security must be embedded within the expertise of a chosen technology partner. With the right solution, API security concerns will not be a barrier to growth and innovation.
It’s best to choose a solution with a central control interface that gives businesses full visibility of vulnerabilities. This allows system managers to discover and secure all their APIs and endpoints across environments and vendors.
- Balancing speed and security
It shouldn’t be that you need to compromise on security to achieve speed in development. Tackling the complexity of API security could understandably put the brakes on innovation and it can at times do just that. But the right API-level security strategy will allow a balance between security and speed, enabling outstanding customer digital experiences their customers while protecting their data.
It is possible to offer developers a catalogue of APIs - all managed via a single platform to ensure consistent governance and security. This can accelerate the delivery of new services significantly.
The benefits of effective API management
Some of the most victimized industry sectors, such as financial, public sector, and healthcare, are leading the charge in using dedicated technology to help manage, govern, and secure their APIs. But no industry sector, type or size of organization is safe, and cyberattacks are becoming more frequent and costly.
For security, ease of integration, and maintainability, an API management platform which enables effective governance and management is a priority to avoid API security lapses, maintain first class API security and enable any business to protect what’s theirs.
Liad Bokovsky is VP of Solution Consulting at Axway.