API Security Is A Critical Boardroom Issue

Across today's digitally centric organisations, the development of products, services, and solutions increasingly depends on the implementation of Application Programming Interfaces (APIs). APIs enable applications to communicate effectively, granting access to information and providing functionality associated with organisational data.

In recent years their usage has grown exponentially, to the point where they are now almost universal across both external-facing and internal applications.  

In short, APIs have become one of the core building blocks of modern business applications and their use is critical to successful digital transformation. Consequently, API security must also be considered a fundamental business requirement at boardroom level.
 
Unfortunately, this isn’t always the case. In January 2023, API security - or lack thereof - made headlines for the wrong reasons, when T-Mobile reported that a "bad actor" was able to obtain information on 37 million customers by exploiting a single unsecured API. This incident is just the latest in a growing list of similar cases involving poorly secured APIs; an attack vector that criminals will continue to exploit for as long as companies allow them to do so.

In response to the growing emphasis being placed on API security, the Open Worldwide Application Security Project (OWASP) recently updated its ranking of the top API Security risks for the first time since 2019. The updated list contains several refinements/redefinitions and new concepts that reflect the ever-changing API security landscape, making it essential reading for any business looking to improve its API security knowledge.

The Risks Posed By Unsecured APIs Are Considerable

As the above example illustrates, the risks associated with poor API security are plentiful, and growing all the time. Exposure and manipulation of sensitive data both have the potential to cause major operational damage, while the associated financial and reputational risks can end up being even more costly. Therefore, organisations need to consider every possible outcome that could result from the exposure/misuse of a particular API when deciding the right level of security required.  

Adopting API Access Control As Part Of Zero Trust Security

Effective API security typically covers three main areas: API discovery, API threat protection and API access control. The focus of most organisations up until now has been on API discovery and protection. However, there is a growing requirement to address API access control as well. 

While API threat protection focuses on the ability to invoke the API from the infrastructure perspective, API access control adds business-related controls by considering factors like end-user authentication and authorisation, what's being accessed, and the context of that access. This is tightly connected to the growing adoption of zero trust architecture, where access is validated dynamically, wherever needed and possible.

Zero trust architecture calls for identity aware controls throughout the organisation’s technology stack. Consequently, organisations must consider identity aware controls as part of their API access control strategy as well. This includes asking and answering key questions before granting access, like:

  • What is the user’s job role? E.g., are they a manager?
  • What is the context of access? E.g., is the user accessing from the UK or China? What time is the user trying to access and does it make sense?  Would a user from the UK usually be accessing information at 1am?
  • What device is the user attempting to access the API from? Is it an approved device or an unsecured personal one?

It's also important to look at what the user is trying to access and what the API call is enabling on his/her behalf. Identity-aware API access control doesn’t just take into consideration the API itself, but also what the API exposes to the user by understanding the full implication of this specific API usage, at that point in time, in this context and by this user. For example:

  • What type of account is the user trying to access? Basic or VIP? Can he/she do that?
  • Is the financial record he/she is trying to access associated with his/her account or not?

Adopting identity-aware API access control, based on dynamic authorisation, is the only way organisations can truly follow zero trust guidelines.
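The questions listed above (job role, location, time of access, device posture, and whether the record requested actually belongs to the caller) can be combined into a single deny-by-default access decision evaluated per API call. The following is an added illustration, not PlainID's code or any product's policy engine; the attribute names, the allowed-country and working-hours values, and the role-to-tier mapping are constructed assumptions, and a real deployment would take these from an identity provider and a policy store rather than module-level constants.

```python
"""Identity-aware API access decision (added example; constructed policy values)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AccessRequest:
    """Identity and context attributes gathered before the API call is served."""
    user_id: str
    role: str                # e.g. "agent" or "manager" (assumed roles)
    country: str             # ISO country code of the client, e.g. "GB"
    local_hour: int          # hour of day in the user's usual timezone (0-23)
    device_managed: bool     # True for an approved corporate device
    action: str              # e.g. "read" or "update"
    resource_type: str       # e.g. "account" or "financial_record"
    resource_tier: str       # e.g. "basic" or "vip"
    resource_owner: str      # user_id that owns the record being accessed


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)  # why access was denied


# Constructed policy values; a real system loads these from a policy store.
ALLOWED_COUNTRIES = {"GB"}
WORKING_HOURS = range(7, 20)                  # 07:00-19:59 local time
ROLE_TIERS = {"agent": {"basic"}, "manager": {"basic", "vip"}}
ROLE_ACTIONS = {"agent": {"read"}, "manager": {"read", "update"}}
OWNER_ONLY_TYPES = {"financial_record"}       # must belong to the caller


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision with every failed check listed.

    Every check must pass; an unknown role matches no tiers or actions, so the
    result is deny-by-default. Collecting all reasons (rather than returning on
    the first failure) gives the audit log a complete picture of the request.
    """
    reasons: List[str] = []

    # Context of access: where, when, and from what device.
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"location {req.country} is not permitted")
    if req.local_hour not in WORKING_HOURS:
        reasons.append(f"access at {req.local_hour:02d}:00 is outside expected hours")
    if not req.device_managed:
        reasons.append("request comes from an unmanaged device")

    # Identity: what this role may do, and to which account tier.
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        reasons.append(f"role {req.role!r} may not perform {req.action!r}")
    if req.resource_tier not in ROLE_TIERS.get(req.role, set()):
        reasons.append(f"role {req.role!r} may not access {req.resource_tier!r} accounts")

    # What the API exposes: the record must be associated with the caller.
    if req.resource_type in OWNER_ONLY_TYPES and req.resource_owner != req.user_id:
        reasons.append("record belongs to a different user")

    return Decision(allowed=not reasons, reasons=reasons)


def describe(req: AccessRequest) -> str:
    """Human-readable line suitable for an audit log entry."""
    d = evaluate(req)
    verdict = "ALLOW" if d.allowed else "DENY"
    return f"{verdict} user={req.user_id} {req.action} {req.resource_type}" + (
        "" if d.allowed else " (" + "; ".join(d.reasons) + ")"
    )


if __name__ == "__main__":
    # Constructed sample calls: a routine request and the 1am-from-abroad case
    # the questions above describe.
    print(describe(AccessRequest("u1", "agent", "GB", 10, True, "read",
                                 "financial_record", "basic", "u1")))
    print(describe(AccessRequest("u1", "agent", "CN", 1, False, "read",
                                 "financial_record", "basic", "u2")))
```

The second sample request is denied for four independent reasons (location, time, device, and a record owned by someone else); any one of them would be enough, but logging all of them is what lets an analyst tell a genuine policy violation from a misconfigured device or a travelling employee.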

As digital transformation initiatives extend remote access to more data and resources, the attack surface grows and any unsecured system becomes a target. As a result, organisations need to consider all aspects when securing their APIs, including ensuring they know which APIs they have in place to begin with.

However, in a world where even the smallest breach can have devastating consequences, just having basic API protection is no longer enough. More emphasis needs to be placed on API access control as part of an overall API security initiative, built on the principles of zero trust security. Only then can organisations be sure that users accessing sensitive information are indeed who they claim to be. 

Gal Helemski is CTO and co-founder of PlainID

Image: Antonio Batinić 
