API Security Is A Critical Boardroom Issue

Across today's digitally centric organisations, the development of products, services, and solutions increasingly depends on the implementation of Application Programming Interfaces (APIs). APIs enable applications to communicate effectively, granting access to information and providing functionality built on organisational data.

In recent years their usage has grown exponentially, to the point where they are now almost universal across both external-facing and internal applications.  

In short, APIs have become one of the core building blocks of modern business applications and their use is critical to successful digital transformation. Consequently, API security must also be considered a fundamental business requirement at boardroom level.
 
Unfortunately, this isn't always the case. In January 2023, API security - or lack thereof - made headlines for the wrong reasons, when T-Mobile reported that a "bad actor" was able to obtain information on 37 million customers by exploiting a single unsecured API. This incident is just the latest in a growing list of similar cases involving poorly secured APIs, an attack vector that criminals will continue to exploit for as long as companies allow them to do so.

In response to the growing emphasis being placed on API security, the Open Worldwide Application Security Project (OWASP) recently updated its ranking of the top API Security risks for the first time since 2019. The updated list contains several refinements/redefinitions and new concepts that reflect the ever-changing API security landscape, making it essential reading for any business looking to improve its API security knowledge.

The Risks Posed By Unsecured APIs Are Considerable

As the above example illustrates, the risks associated with poor API security are plentiful, and growing all the time. Exposure and manipulation of sensitive data both have the potential to cause major operational damage, while the associated financial and reputational risks can end up being even more costly. Therefore, organisations need to consider every possible outcome that could result from the exposure/misuse of a particular API when deciding the right level of security required.  

Adopting API Access Control As Part Of Zero Trust Security

Effective API security typically covers three main areas: API discovery, API threat protection and API access control. The focus of most organisations up until now has been on API discovery and protection. However, there is a growing requirement to address API access control as well. 

While API threat protection focuses on whether the API can be invoked at all, from an infrastructure perspective, API access control adds business-related controls by considering factors like end-user authentication and authorisation, what is being accessed, and the context of that access. This is closely tied to the growing adoption of zero trust architecture, in which access is validated dynamically, wherever it is needed and possible.

Zero trust architecture calls for identity-aware controls throughout the organisation's technology stack. Consequently, organisations must consider identity-aware controls as part of their API access control strategy as well. This includes asking and answering key questions before granting access, like:

  • What is the user’s job role? E.g., are they a manager?
  • What is the context of access? E.g., is the user accessing from the UK or China? At what time is the user trying to access the API, and does that make sense? Would a UK-based user usually be accessing information at 1am?
  • What device is the user attempting to access the API from? Is it an approved device or an unsecured personal one?

It's also important to look at what the user is trying to access and what the API call is enabling on his/her behalf. Identity-aware API access control considers not just the API itself but also what the API exposes to the user, by understanding the full implication of this specific API call, at that point in time, in this context and by this user. For example:

  • What type of account is the user trying to access? Basic or VIP? Can he/she do that?
  • Is the financial record he/she is trying to access associated with his/her account or not?

Adopting identity-aware API access control, based on dynamic authorisation, is the only way organisations can truly follow zero trust guidelines.
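As an added illustration (not code from the article or from PlainID), a default-deny policy function that asks the questions listed above for each API call: who the user is, the context of the call, and what the call would return. The approved devices, record ownership, permitted countries and working hours are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample reference data: approved corporate devices, which user
# owns which financial record, and the hours in which UK staff normally work.
APPROVED_DEVICES = {"laptop-0042", "laptop-0077"}
RECORD_OWNER = {"rec-1001": "alice", "rec-2002": "bob"}
ALLOWED_COUNTRIES = {"UK"}
WORK_HOURS_UTC = range(7, 20)  # 07:00 to 19:59 UTC


@dataclass
class ApiRequest:
    user: str          # authenticated end user making the call
    role: str          # job role, e.g. "manager" or "clerk"
    country: str       # where the request originates
    hour_utc: int      # hour of the day the call is made, 0-23
    device_id: str     # device the call comes from
    account_tier: str  # tier of the account being read: "basic" or "vip"
    record_id: str     # financial record the API call would return


def authorise(req: ApiRequest) -> Tuple[bool, str]:
    """Default-deny, identity-aware decision for one API call.

    Checks the who (role), the context (country, time, device) and the what
    (account tier, record ownership). Returns (allowed, reason) so every
    denial carries an auditable explanation.
    """
    if req.country not in ALLOWED_COUNTRIES:
        return False, f"access from {req.country} is not permitted"
    if req.hour_utc not in WORK_HOURS_UTC:
        return False, f"access at {req.hour_utc:02d}:00 UTC is outside expected hours"
    if req.device_id not in APPROVED_DEVICES:
        return False, "device is not an approved corporate device"
    if req.account_tier == "vip" and req.role != "manager":
        return False, "VIP accounts may only be accessed by managers"
    # Object-level check: the record must belong to the calling user, so a
    # valid session for one customer cannot be used to read another's data.
    if RECORD_OWNER.get(req.record_id) != req.user:
        return False, f"{req.record_id} does not belong to {req.user}"
    return True, "allowed"


if __name__ == "__main__":
    daytime = ApiRequest("alice", "manager", "UK", 10, "laptop-0042", "vip", "rec-1001")
    one_am = ApiRequest("alice", "manager", "UK", 1, "laptop-0042", "vip", "rec-1001")
    for r in (daytime, one_am):
        print(r.user, f"{r.hour_utc:02d}:00", authorise(r))
```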

As digital transformation initiatives extend remote access to more data and resources, the attack surface grows and any unsecured system is left vulnerable. As a result, organisations need to consider all aspects when securing their APIs, including ensuring they know which APIs they have in place to begin with.

However, in a world where even the smallest breach can have devastating consequences, just having basic API protection is no longer enough. More emphasis needs to be placed on API access control as part of an overall API security initiative, built on the principles of zero trust security. Only then can organisations be sure that users accessing sensitive information are indeed who they claim to be. 

Gal Helemski is CTO and co-founder of PlainID

Image: Antonio Batinić 
