Meeting the challenges of API security [Q&A]


In today's increasingly digital organizations, the development of products, services, and solutions depends more and more on the implementation of Application Programming Interfaces (APIs).

APIs have become the building blocks of modern business applications and are critical to digital transformation -- so much so that API security has become a boardroom issue.

We spoke to Gal Helemski, co-founder and CTO/CPO at PlainID, who argues that an organization's API strategy must give internal, partner, and third-party developers an effective and productive way to use APIs.

BN: The API security landscape is changing -- what are the main security risks organizations should be aware of regarding APIs?

GH: There is an exponential growth of API (application programming interface) usage within the organization technology stack. This is due to several changes in advanced technology architecture and usage patterns. But the fact remains that APIs are responsible for both accessing data and providing functionality that is associated with the organizational data, and both need protection.

API security covers three main areas: API discovery, API threat protection and API access control. The focus of most organizations up until now was on API discovery and protection. However, we are seeing an increasing concern and requirement to address API access control as well. While API protection focuses on the ability to invoke the API from the infrastructure perspective, API access control adds the business-related control to that. API access control considers both end-user authentication and authorization, what is accessed and the context of access. For example, API access control would make the decision if 'user: John' can view 'Account: A1234', at 9:00am, while accessing from the UK. This is tightly connected to the increasing initiative of zero-trust architecture, where access is validated dynamically, based on context, wherever needed and possible.

Zero-trust architecture calls for identity-aware controls throughout the organization technology stack. Organizations must consider identity-aware controls as part of their API access control strategy. For example, these can include:

  • What is the user's job role? E.g., are they a manager?
  • What is the context of access? E.g., is the user accessing from the UK or China? What time is the user trying to access and does it make sense? Would a user from the UK be accessing information at 1am?
  • What device is the user accessing from? Is it an approved device or an unsecured personal one?

It's also important to look at what the user is trying to access and what the API call is enabling on his behalf. Identity-aware API access control doesn't just take into consideration the API itself, but also what the API exposes to the user, by understanding the full implication of this specific API usage, at this point in time, in this context and by this user. For example:

  • What type of account is the user trying to access? Basic or VIP, and can he do that?
  • Is the financial record he is trying to access associated with his account or not?

Identity-aware API access control, based on dynamic authorization, is the only way the organization can truly follow zero-trust guidelines.
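As an added illustration (not the article's or PlainID's code), the decision GH describes, evaluated as one policy function over identity, context and the exposed resource; the account, device and country values are constructed sample data assumed for the example:

```python
from dataclasses import dataclass
from datetime import datetime
# Constructed sample data (not from the article): account owners and tiers,
# approved devices, and the countries access is normally expected from.
ACCOUNTS = {"A1234": {"owner": "john", "tier": "basic"},
            "V9001": {"owner": "john", "tier": "vip"}}
APPROVED_DEVICES = {"laptop-corp-01"}
ALLOWED_COUNTRIES = {"UK"}
PLAUSIBLE_HOURS = range(7, 20)   # 07:00-19:59; a 1am call from the UK is suspect

@dataclass
class Request:
    user: str
    role: str        # "agent" or "manager"
    country: str
    device: str
    at: datetime
    account: str     # the record the API call would expose

def decide(req: Request) -> tuple[bool, str]:
    """Evaluate identity, context and the exposed resource together; return (allowed, reason)."""
    acct = ACCOUNTS.get(req.account)
    if acct is None:
        return False, "unknown account"
    # Context: where, when and from what device the call is made.
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"access from {req.country} not permitted"
    if req.at.hour not in PLAUSIBLE_HOURS:
        return False, f"access at {req.at:%H:%M} outside plausible hours"
    if req.device not in APPROVED_DEVICES:
        return False, "unapproved device"
    # Resource: what this specific API call exposes on the user's behalf.
    if acct["owner"] != req.user and req.role != "manager":
        return False, "record belongs to another user"
    if acct["tier"] == "vip" and req.role != "manager":
        return False, "VIP account requires manager role"
    return True, "allowed"

def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios built around the article's 'John views A1234' example."""
    base = dict(user="john", role="agent", country="UK", device="laptop-corp-01",
                at=datetime(2024, 1, 15, 9, 0))
    return {
        "john_9am_uk":   decide(Request(**base, account="A1234")),
        "john_1am_uk":   decide(Request(**{**base, "at": datetime(2024, 1, 15, 1, 0)}, account="A1234")),
        "john_from_cn":  decide(Request(**{**base, "country": "China"}, account="A1234")),
        "john_own_vip":  decide(Request(**base, account="V9001")),
        "agent_other":   decide(Request(**{**base, "user": "sam"}, account="A1234")),
        "mgr_other_vip": decide(Request(**{**base, "user": "sam", "role": "manager"}, account="V9001")),
    }
```

Every deny carries its reason, so the same function feeds both enforcement and the audit log that a zero-trust review would expect.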

BN: What's at risk for organizations when APIs are vulnerable?

GH: There are many risks associated with API security that an organization should be aware of. These risks include exposure of data, manipulation of operations and operations on data -- all of which pose a very high risk. There are also the financial and reputational risks that are associated with any form of breach. Therefore, organizations need to consider everything which is driven from exposure and misuse of that API's functionality. In fact, in the OWASP API Security Top 10 risks for 2023, six out of 10 are API access control and authorization related vulnerabilities.

BN: How can organizations manage API control effectively?

GH: Nowadays, as digital transformation initiatives have increased the access to more and more data and resources, attack vectors are increasingly at risk by leaving unsecured systems vulnerable. Due to this, organizations need to consider all aspects of securing their APIs, including ensuring they know which APIs they have in place to begin with.

However, it's important to note that just having that API protection is not enough and more emphasis should be placed on the API access control as part of the overall API security.

BN: Where does API access control fit in the overall API security strategy?

GH: API access control is a crucial part of any organization's overall API security initiative. Organizations today are maturing and starting to understand the importance of API access control. It's no longer just about API protection, but API access control is taking a more prominent role in the overall security strategy. For API access control specifically, organizations must consider advanced capabilities and context-aware access controls when it comes to enforcing API control.

As API access control and authorizations are identified as a significantly growing risk, I expect it to become much higher in prioritization. Gartner has also published a report exploring API access control being an increasingly important part of API security and how to architect a modern API access control strategy.

BN: How does API access control fit into a Zero Trust program?

GH: A zero-trust program directs the organizational security initiative to consider identity-aware controls at the different layers of the organization technology stack. APIs are a significant layer of that, therefore protection of APIs should include dynamic access controls and authorizations that can consider users and context in the decision process.


© 1998-2024 BetaNews, Inc. All Rights Reserved.