Why You Can’t Have True Zero Trust Without API Security


By Richard Bird, Chief Security Officer, Traceable

Global adoption of Zero Trust security models is soaring and with good reason. Due to organizations’ embrace of digital business models and enablement of hybrid workforces, more users and devices are accessing organizations’ networks than ever before. A Cloud Security Alliance survey finds that 94 percent of organizations are implementing Zero Trust strategies, and 77 percent will increase their spending on Zero Trust over the next 12 months. President Biden’s Executive Order on Cyber Security, issued in May 2021, has also given this security model a public boost. The order requires federal agencies to develop and implement Zero Trust architectures at pace.

The concept of Zero Trust was popularized by Forrester analyst John Kindervag in 2010. Organizations that embrace Zero Trust “never trust, always verify.” That means continuously validating every user and device accept attempt and enforcing the principle of least privilege granted to right-size user privileges to the job at hand. As a result, Zero Trust has historically been focused on improving network access and identity access management security.

So far, so good. Yet, the reality is that distributed networks are growing exponentially. In addition, organizations are tilting from running monolithic business applications to using myriad microservices to create and deploy new applications. Organizations then use application programming interfaces (APIs) to connect clients to servers; send and receive sensitive data; and execute increasingly complex interdependent business processes.

While APIs are the foundation of modern business, they also are creating new risks. The fast rate of API adoption is outpacing organizations’ ability to create strong governance and security tools around this layer. In addition, organizations are using APIs to connect to legacy applications that perform as expected but lack the security of cloud-native services and architectures.

Recognizing these trends, OWASP has published a top-10 API security risk list, that includes issues such as broken object-level authorization, broken user authorization, excessive data exposure, and more.

Gartner predicted that APIs will be the number-one attack vector in 2022. Breaches due to API security risks have already snared Coinbase, Optus, Uber, and others.

Zero Trust Must Secure the API Layer 

So, it’s clear that Zero Trust security models need to extend beyond the user and the device layer to include the application, data, and integration layers. Organizations can do so by tackling the problem of API security, and considering partners, vendors, customers, and other third parties in their Zero Trust frameworks.

To manage, control, and secure APIs, IT and security teams need to be able to:

  1. Discover and test APIs: Teams want to automatically discover APIs and sensitive data flows. API security platforms that enable continuous discovery empower teams to track APIs as their environments change and create an always-up-to-date inventory of all of their APIs. As a result, it’s easy for teams to identify shadow and orphaned APIs, as well as any changes.
  2. Evaluate API risk posture: Risk scoring has transformed security and also applies to APIs. API security platforms provide a security risk score for every APIs. These risk scores consider runtime details, such as sensitive data flows, API call maps, usage behavior, threat details and activity levels, and other factors, to help teams focus on the areas of greatest risk. Teams are then able to identify which APIs are most vulnerable to abuse, so that they can prioritize remediation and take fast action to reduce threats.
  3. Stop API attacks: API security platforms equip teams to detect and stop known and unknown API, business logic abuse, and zero-day attacks, as well as API abuse, fraud, and sensitive data exfiltration. Being able to identify where hackers have gained access to sensitive data enables IT and security teams to rapidly shut down these attempts, limiting their harm.
  4. Analyze APIs for threat hunting and research: Organizations can improve threat hunting by using API security platforms to create an end-to-end path trace of all of their API calls and service behavior. This information can be aggregated in an API data lake that security operations teams, threat hunters, and forensic researchers can use to identify root causes, speed incident detection and resolution, and improve processes. With these insights, organizations can reduce their API attack surface over time.

There are myriad API security vendors that purport to offer these four capabilities, yet many struggle to deliver across one or more of these areas. These platforms may be unable to prevent bot or DDoS attacks, fail to detect changes in API behavior, lack the ability to analyze sensitive data flows, or have other limitations. As a result, IT and security teams seeking an API security partner should ask companies to benchmark their capabilities against others in the space.

It’s Time to Strengthen API Security 

Zero Trust models have done much to shore up organizational security. But the time has come to extend Zero Trust to the API layer. APIs represent a significant – and growing vulnerability – for organizations that need to be immediately triaged.

Security platforms that provide API discovery and risk mitigation, attack blocking, and threat analytics enable organizations to monitor, track, and remediate APIs. While APIs create open endpoints, there’s no reason bad actors should be able to walk in through this front door.

About the Author

Richard Bird is the Chief Security Officer for Traceable.ai. A multi-time C-level executive in both the corporate and start-up worlds, Richard is internationally recognized for his expert insights, work and views on cybersecurity, data privacy, digital consumer rights and next generation security topics. Richard delivers keynote presentations around the world and is a highly sought after speaker, particularly when he is translating cybersecurity and risk realities into business language and imperatives. He is a Senior Fellow with the CyberTheory Zero Trust Institute, a Forbes Tech council member and has been interviewed frequently by media outlets including the Wall Street Journal, CNBC, Bloomberg, The Financial Times, Business Insider, CNN, NBC Nightly News and TechRepublic. https://www.traceable.ai/



Source link