The Application Programming Interface or API is what has enabled the connected web we work and live with today. It empowers businesses to be innovative and more collaborative, faster. The only problem is with great integrations comes great responsibility. By APIs allowing for technical interactions across organizations and industries, it’s also broadening the attack surface of your company. Exponentially. In fact, API attacks are up 681% in the last year. And Gartner had accurately predicted that by 2022, API abuses have become the most frequent attack vector resulting in data breaches for enterprise applications.
So how do you get the benefits of APIs without the downsides? We reference five API security experts to offer you five API security tips that you can’t miss.
The Complexity of API Security
As ProgrammableWeb’s David Berlind put it, API security is more complicated than you think. And for at least the last decade of APIs driving the move to mobile, SaaS, integrated workflows, the Internet of Things, cryptocurrencies, and more, APIs have been ripe for the attack. Because, in the end, APIs are a facilitator of data.
Back in 2014, Berlind accurately predicted: “Imagine all that data that’s being collected in these hacks, and the culture of publishing data on the internet, sooner or later, entire profiles of people are going to be available online.” He continued, “Your name, your personal address, your phone number, your date of birth.” All this is happening at scale. In our homes, our cars, our hospitals, and our governments.
“There are these technologies meant to protect us and they’re not,” Berlind said. He predicted then and we see now, that your success or failure in the API economy hinges on API security. If you don’t put API security first, then you are better off not exposing your data, your customers, your business at all.
API Security is Holding Back Move to Cloud
According to Google Cloud’s Chris Hood, security is what’s holding enterprises back from their move to the cloud. In fact, according to Barracuda, 70% of respondents to their annual Future of Network Security Survey expressed that their security concerns restrict their adoption of the cloud.
As Hood said, it can feel hard to create a secure cloud environment:
- Cloud services are deployed and destroyed every minute.
- Security is in constant flux, with new threats every day.
- It’s nearly impossible to be an expert with so much change.
- How to keep your cloud environments secure and keep up-to-date on new security solutions
Hood has found that the best way to remove the security concerns around cloud adoption is for organizations to look at ways to leverage platforms to enforce cloud security via assurances, guardrails (not gates) and deployable assets.
“It’s time to shift that focus from whether or not the cloud is secure to how they can be more secure in the cloud,” he said. Or as Gartner’s Jay Heiser put it: “CIOs must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’”
Hood said cloud security — which by extension is API security — needs to center on:
- Compliance in the cloud – with guidance, configurations and tools
- Modernizing security operations – with holistic security awareness and full cloud visibility
- Protecting data through the entire pipeline – via end-to-end solutions for data protection and privacy
API Security Start with Access Control
As PingIdentity’s Bernard Harguindeguy wrote, “Because you only control your own APIs, API security centers on securing the APIs you expose either directly or indirectly.” So the first step in any security plan has to be access control. This goes well beyond role-based access control. API security really needs to be built from the ground up and into each layer. API security standards to bake right in include:
- Authentication – a mix of HTTP basic authentication, API keys, and tokens
- OAuth 2.0 – website or application standard to access resources hosted by other web apps
- OpenID Connect – the identity layer on top of the OAuth2 that verifies the end-user identity
- Monitoring – audits, logging, and version controlling
- API firewalling – first at the HTTP layer, then at the LAN level
- Zero trust – apply security hurdles at authentication, authorization and threat prevention points
A platform should be able to help you automate who gets in and out and what connects with what with an automated approach to prioritizing API security.
API security also comes down to API discovery. A platform-based approach to API security allows you to know all of your cross-organizational APIs — and what they are connecting with externally. An API management platform will also allow you to automate a lot of your security needs.
Real-Time Protection Needed
As host of the eXecutive Security Podcast Gene Fay recommends, while APIs widen your attack surface, in order to mitigate your API threats, you need to understand and protect your APIs in real time. This requires real-time analysis of the actual traffic hitting your endpoints.
“To accomplish this goal, consider platforms that automatically discover and profile APIs. A dedicated platform can enable you to gain a holistic view of your organization’s API attack surface, as you can’t protect what you don’t know you have,” Fay said.
And then you need to extend your API protection to real time, too. Starting with both application-centric and attacker-centric perimeter protection, Fay says. This is to quickly identify abnormal app behavior, including attack vectors and cadence.
API Security Requires a Platform-First Approach
For CEO of Apiwiz API lifecycle management platform Rakshith Rao, these security assurances, guardrails and deployable assets can all be achieved through the right platform acting as a control plane or single pane of glass across your full API program.
“In order to reduce the cost and complexity of enterprise API management, API strategy must continue to evolve from a project-based approach to a platform-based approach. Solving a problem within a team or business unit is no longer enough. Problems must be solved end to end,” Rao said.
An API platform-based approach comes is based on four principles:
By automating through an API platform-based approach, you not only acquire API discoverability — you know which data is flowing through which internal and external APIs — but you also can centralize and enforce best practices and governance. You can automate and enforce API security from the top down. So security is taken care of and your developers can focus on solving interesting, novel and creative problems.