API Security Is A Critical Boardroom Issue

Across today's digitally centric organisations, the development of products, services, and solutions increasingly depends on the implementation of Application Programming Interfaces (APIs). APIs enable applications to communicate effectively, granting access to information and providing functionality associated with organisational data.

In recent years their usage has grown exponentially, to the point where they are now almost universal across both external-facing and internal applications.  

In short, APIs have become one of the core building blocks of modern business applications and their use is critical to successful digital transformation. Consequently, API security must also be considered a fundamental business requirement at boardroom level.
 
Unfortunately, this isn’t always the case. In January 2023, API security - or lack thereof - made headlines for the wrong reasons, when T-Mobile reported that a "bad actor" was able to obtain information on 37 million customers by exploiting a single unsecured API. This incident is just the latest in a growing list of similar cases involving poorly secured APIs; an attack vector that criminals will continue to exploit for as long as companies allow them to do so.

In response to the growing emphasis being placed on API security, the Open Worldwide Application Security Project (OWASP) recently updated its ranking of the top API Security risks for the first time since 2019. The updated list contains several refinements/redefinitions and new concepts that reflect the ever-changing API security landscape, making it essential reading for any business looking to improve its API security knowledge.

The Risks Posed By Unsecured APIs Are Considerable

As the above example illustrates, the risks associated with poor API security are plentiful, and growing all the time. Exposure and manipulation of sensitive data both have the potential to cause major operational damage, while the associated financial and reputational risks can end up being even more costly. Therefore, organisations need to consider every possible outcome that could result from the exposure/misuse of a particular API when deciding the right level of security required.  

Adopting API Access Control As Part Of Zero Trust Security

Effective API security typically covers three main areas: API discovery, API threat protection and API access control. The focus of most organisations up until now has been on API discovery and protection. However, there is a growing requirement to address API access control as well. 

While API threat protection focuses on the ability to invoke the API from the infrastructure perspective, API access control adds business-related controls by considering factors like end-user authentication and authorisation, what’s being accessed, and the context of that access. This is closely tied to the growing adoption of zero trust architecture, where access is validated dynamically, wherever needed and possible.

Zero trust architecture calls for identity-aware controls throughout the organisation’s technology stack. Consequently, organisations must consider identity-aware controls as part of their API access control strategy as well. This includes asking and answering key questions before granting access, like:

  • What is the user’s job role? E.g., are they a manager?
  • What is the context of access? E.g., is the user accessing from the UK or China? What time is the user trying to access and does it make sense?  Would a user from the UK usually be accessing information at 1am?
  • What device is the user attempting to access the API from? Is it an approved device or an unsecured personal one?

It's also important to look at what the user is trying to access and what the API call is enabling on his/her behalf. Identity-aware API access control doesn’t just take into consideration the API itself, but also what the API exposes to the user by understanding the full implication of this specific API usage, at that point in time, in this context and by this user. For example:

  • What type of account is the user trying to access? Basic or VIP? Can he/she do that?
  • Is the financial record he/she is trying to access associated with his/her account or not?

Adopting identity-aware API access control, based on dynamic authorisation, is the only way organisations can truly follow zero trust guidelines.
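The questions listed above can be expressed as a single deny-by-default decision evaluated on every API call. The sketch below is an added example, not code from the author or from any product; the policy values, field names, role names and account identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Constructed policy values (assumptions for illustration only).
ALLOWED_COUNTRIES = frozenset({"GB"})
USUAL_HOURS = range(7, 20)               # 07:00-19:59 in the user's local time
ROLES_FOR_TIER = {"basic": {"agent", "manager"}, "vip": {"manager"}}

@dataclass(frozen=True)
class AccessRequest:
    role: str                  # job role from the identity provider
    country: str               # where the call originates
    local_hour: int            # hour of day, 0-23
    device_approved: bool      # approved device vs. unsecured personal one
    account_tier: str          # tier of the account being accessed
    record_account: str        # account the requested record belongs to
    user_accounts: frozenset   # accounts associated with this user

def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Evaluate every check and deny unless all pass (deny by default)."""
    failed = []
    if req.role not in ROLES_FOR_TIER.get(req.account_tier, set()):
        failed.append("role_not_permitted_for_tier")   # unknown tier also fails
    if req.country not in ALLOWED_COUNTRIES:
        failed.append("unexpected_location")
    if req.local_hour not in USUAL_HOURS:
        failed.append("unusual_time")
    if not req.device_approved:
        failed.append("unapproved_device")
    if req.record_account not in req.user_accounts:
        failed.append("record_not_associated_with_user")
    return (not failed, failed)

# Constructed sample requests, each varying one or two attributes.
BASELINE = AccessRequest("manager", "GB", 10, True, "vip", "acct-1",
                         frozenset({"acct-1", "acct-2"}))
SAMPLES = {
    "baseline": BASELINE,
    "agent_on_vip": replace(BASELINE, role="agent"),
    "1am_personal_device": replace(BASELINE, local_hour=1, device_approved=False),
    "other_users_record": replace(BASELINE, record_account="acct-9"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, decide(req))
```

Returning the list of failed checks alongside the decision gives audit logs and detection rules the reason for each denial, not just the outcome.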

As digital transformation initiatives increase remote access to more data and resources, unsecured systems are increasingly left vulnerable to attack. As a result, organisations need to consider all aspects when securing their APIs, including ensuring they know which APIs they have in place to begin with.

However, in a world where even the smallest breach can have devastating consequences, just having basic API protection is no longer enough. More emphasis needs to be placed on API access control as part of an overall API security initiative, built on the principles of zero trust security. Only then can organisations be sure that users accessing sensitive information are indeed who they claim to be. 

Gal Helemski is CTO and co-founder of PlainID
