Why a zero trust approach is essential to mitigate the threat of unsecured APIs
With the move to hybrid working, the rapid adoption of cloud, and increased use of mobile and IoT devices, combined with the ongoing drive to modernize and transform IT operations, the attack surface of every organization has expanded, and continues to expand.
Traditional boundaries have been blurred between businesses, suppliers, partners, customers, workers, and even home-life, with this ecosystem continuing to grow. Here, APIs are providing the connective tissue for modern applications and legacy infrastructure to co-exist.
However, this means that the API attack surface is also rapidly expanding. A 2023 Gartner report signaled that 50 percent of enterprise APIs will be unmanaged by 2025, leading to significant gaps in visibility – and security – of active, legacy, shadow, and dormant APIs. As a result, Gartner has also predicted that more than 50 percent of data theft will be due to unsecured APIs by next year.
Therefore, the security technologies organizations employ must reflect this complex threat landscape by bringing all security functionalities together through a single pane of glass, helping to proactively protect businesses from API attacks.
Organizations must also look to close any security gaps quickly and secure their APIs throughout every phase of the software development lifecycle (SDLC). To achieve this level of control, particularly around APIs, many organizations have started to adopt a Zero Trust approach to API security.
Eliminating implicit trust
For those less familiar, Zero Trust has emerged as the framework of choice for organizations establishing a set of more robust security controls. Organizations that adopt Zero Trust principles assume every connection, device, and user is a potential cybersecurity threat. By eliminating implicit trust, the Zero Trust model advocates for a security approach in which nobody and no asset is inherently deemed safe, regardless of role or responsibility.
This approach is essential for organizations relying on APIs to exchange data and services with partners and customers. A Zero Trust strategy ensures that those API interactions are secure, even when the devices and users involved are not known or trusted.
The Zero Trust mantra of “never trust, always verify” works on the principle of least privilege. This means that users are given only the bare minimum permissions needed to perform their function, and if any additional permissions are needed, they are provided for the shortest amount of time possible. The other key principle is explicit verification. Authorization should draw on as many data points as possible, and in a Zero Trust system no permission should be granted on the basis of trust.
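An added illustration of the two principles above, not code from the article or from any vendor product: a default-deny, per-request authorization check in Python. The caller names, scopes and signal fields are hypothetical, and the sample policy is constructed.

```python
from dataclasses import dataclass, field

# Least privilege: each caller holds only the scopes its function needs.
# (Constructed sample policy; names are hypothetical.)
BASELINE_SCOPES = {
    "billing-service": {"invoices:read"},
    "partner-portal": {"orders:read"},
}

@dataclass
class Grant:
    """A temporary extra permission that lapses at expires_at (epoch seconds)."""
    scope: str
    expires_at: float

@dataclass
class Request:
    caller: str
    scope_needed: str
    token_valid: bool       # token signature and expiry checked upstream
    client_cert_ok: bool    # mTLS identity matched the caller
    device_compliant: bool  # posture signal from device management
    source_network: str     # logged only; location never grants access
    grants: list = field(default_factory=list)

def authorize(req, now):
    """Return (allowed, reason). Default deny; all signals are checked on every request."""
    signals = {
        "token": req.token_valid,
        "client_cert": req.client_cert_ok,
        "device": req.device_compliant,
    }
    failed = [name for name, ok in signals.items() if not ok]
    if failed:
        return False, "failed verification: " + ",".join(failed)
    if req.scope_needed in BASELINE_SCOPES.get(req.caller, set()):
        return True, "baseline scope"
    # Extra permissions exist only as time-bound grants.
    for g in req.grants:
        if g.scope == req.scope_needed and now < g.expires_at:
            return True, "temporary grant"
    return False, "scope not granted"
```

Note that `source_network` is carried on the request for logging but never consulted by `authorize`, so a caller on an internal network gets no implicit trust.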
APIs inherently trust by design
Zero Trust security offers a new way of securing access and IT leaders are embracing it. In a recent study, organizations with a mature Zero Trust implementation scored 30 percent higher in security resiliency than organizations without a Zero Trust strategy.
However, with APIs facilitating the transmission of data and services within a ‘trust by design’ framework, they could expose the inner workings of an organization to bad actors. Likewise, they enable access to other applications and data, which puts the organization at risk, particularly of data theft, denial of service (DoS) and ransomware attacks.
Only 40 percent of security professionals have API visibility
Unfortunately, many organizations do not have a full inventory of their APIs or comprehensive visibility into which of them return sensitive data – a significant risk to organizational security. Our recent API Security Disconnect research showed that while nearly three quarters (72 percent) of cybersecurity professionals have full API inventories, only 40 percent have visibility into which return sensitive data. This is one of the key reasons they need a dedicated discovery solution to accurately catalogue and monitor the APIs they have.
Outside of having full visibility, combating the daily onslaught of attacks is a complex task. Each API has multiple functions, with each communicating with numerous applications and data sets – as well as a myriad of internal applications that utilize several of their own internal microservices. Gartner suggests that, through 2025, 70 percent of organizations will deploy specialized runtime protection only for public-facing APIs, leaving others unmonitored and lacking protection.
This is where Zero Trust policies help: they allow applications to communicate, via their APIs, only with the other applications and data that are essential. By implementing least privilege access policies, integrating security testing into CI/CD processes and utilizing discovery tools to reduce API sprawl, organizations will have a legitimate defense against malicious actors in pursuit of sensitive data.
Implementing an API security platform that integrates Zero Trust policies
To achieve this, organizations need an API security platform that integrates Zero Trust policies and can also:
- Leverage AI to autonomously evaluate API activity to identify anomalous or high-risk security events and adapt responses accordingly.
- Be contextually aware to identify and assess risk, and enable rapid remediation.
- Provide tools, capabilities, and technologies to support the Zero Trust approach to security and integrate with the existing security stack and tools.
- Support a modern and flexible deployment without sacrificing reliability and resilience.
- Integrate with the SDLC for APIs to prevent new vulnerabilities being pushed into production.
- Test APIs with context to find business logic flaws, and offer blocking capabilities.
Taking an innovative approach to API security
Proactively responding to today’s expanding attack surface requires a purpose-built and innovative approach to API security. Organizations need to seek out Zero Trust API security solutions that provide comprehensive API security with automated detection, analysis, testing and remediation.
Zero Trust API security provides a proactive and robust approach to safeguarding APIs against potential vulnerabilities and unauthorized access. By treating every API request as untrusted, it significantly reduces the risk of potential data breaches, protecting sensitive information. This gives organizations the confidence that they have measures in place to plug the security gaps that APIs can create in an organization’s security posture.
Karl Mattson is Group CISO, Noname Security