API Security Is A Critical Boardroom Issue

Across today's digitally centric organisations, the development of products, services, and solutions increasingly depends on the implementation of Application Programming Interfaces (APIs). APIs enable applications to communicate effectively, granting access to information and providing functionality associated with organisational data.

In recent years their usage has grown exponentially, to the point where they are now almost universal across both external-facing and internal applications.  

In short, APIs have become one of the core building blocks of modern business applications and their use is critical to successful digital transformation. Consequently, API security must also be considered a fundamental business requirement at boardroom level.
 
Unfortunately, this isn’t always the case. In January 2023, API security - or lack thereof - made headlines for the wrong reasons, when T-Mobile reported that a "bad actor" was able to obtain information on 37 million customers by exploiting a single unsecured API. This incident is just the latest in a growing list of similar cases involving poorly secured APIs; an attack vector that criminals will continue to exploit for as long as companies allow them to do so.

In response to the growing emphasis being placed on API security, the Open Worldwide Application Security Project (OWASP) recently updated its ranking of the top API Security risks for the first time since 2019. The updated list contains several refinements/redefinitions and new concepts that reflect the ever-changing API security landscape, making it essential reading for any business looking to improve its API security knowledge.

The Risks Posed By Unsecured APIs Are Considerable

As the above example illustrates, the risks associated with poor API security are plentiful, and growing all the time. Exposure and manipulation of sensitive data both have the potential to cause major operational damage, while the associated financial and reputational risks can end up being even more costly. Therefore, organisations need to consider every possible outcome that could result from the exposure/misuse of a particular API when deciding the right level of security required.  

Adopting API Access Control As Part Of Zero Trust Security

Effective API security typically covers three main areas: API discovery, API threat protection and API access control. The focus of most organisations up until now has been on API discovery and protection. However, there is a growing requirement to address API access control as well. 

While API threat protection focuses on whether the API can be invoked at all, from the infrastructure perspective, API access control adds business-related controls by considering factors like end-user authentication and authorisation, what’s being accessed, and the context of that access. This is tightly connected to the growing adoption of zero trust architecture, where access is validated dynamically, wherever needed and possible.

Zero trust architecture calls for identity aware controls throughout the organisation’s technology stack. Consequently, organisations must consider identity aware controls as part of their API access control strategy as well. This includes asking and answering key questions before granting access, like:

  • What is the user’s job role? E.g., are they a manager?
  • What is the context of access? E.g., is the user accessing from the UK or China? What time is the user trying to access and does it make sense?  Would a user from the UK usually be accessing information at 1am?
  • What device is the user attempting to access the API from? Is it an approved device or an unsecured personal one?

It's also important to look at what the user is trying to access and what the API call is enabling on his/her behalf. Identity-aware API access control doesn’t just take into consideration the API itself, but also what the API exposes to the user by understanding the full implication of this specific API usage, at that point in time, in this context and by this user. For example:

  • What type of account is the user trying to access? Basic or VIP? Can he/she do that?
  • Is the financial record he/she is trying to access associated with his/her account or not?

Adopting identity-aware API access control, based on dynamic authorisation, is the only way organisations can truly follow zero trust guidelines.
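The questions above map naturally onto a policy decision point that every API call passes through before the backend acts on it. The following is an added illustration, not code from the article or from PlainID: it evaluates one request against the user's role, the context of access (country, local time, device posture) and what the call actually reaches (account tier, record ownership). The role names, the "vip_accounts" entitlement, the 06:00-21:59 working-hours window and the sample users are all constructed for the example. Hard failures such as reading another account's record or using an unmanaged device are denied outright; context anomalies such as an unusual country or a 1am request instead ask for step-up authentication, which is a design choice, not a rule from the article.

```python
"""Identity-aware API access decision (added illustration, not PlainID's code).

Evaluates a single API call against the questions in the article: who the
user is (role), the context (country, time of day, device) and what the call
reaches (account tier, record ownership). Hard failures deny; contextual
anomalies request step-up authentication instead of a flat deny.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Assumption for the example: 06:00-21:59 in the user's usual time zone counts as normal.
WORKING_HOURS = range(6, 22)


@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str                          # constructed roles: "agent" or "manager"
    home_country: str                  # country the user normally works from
    entitlements: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Context:
    country: str                       # where the request originates
    local_hour: int                    # 0-23 in the user's usual time zone
    device_managed: bool               # True for an approved, managed device


@dataclass(frozen=True)
class Resource:
    record_id: str
    owner_id: str                      # account the record belongs to
    tier: str                          # "basic" or "vip"


@dataclass
class Decision:
    outcome: str                       # "allow", "step_up" or "deny"
    reasons: List[str] = field(default_factory=list)


def evaluate(subject: Subject, context: Context, resource: Resource) -> Decision:
    """Decide whether this user may read this record in this context."""
    deny: List[str] = []
    step_up: List[str] = []

    # Device posture: unmanaged personal devices are refused for this API.
    if not context.device_managed:
        deny.append("request from an unmanaged device")

    # Ownership: the owner may read their own record; anyone else needs the
    # manager role, and VIP accounts additionally need a specific entitlement.
    is_owner = resource.owner_id == subject.user_id
    if not is_owner:
        if subject.role != "manager":
            deny.append("record belongs to another account")
        elif resource.tier == "vip" and "vip_accounts" not in subject.entitlements:
            deny.append("VIP account requires the vip_accounts entitlement")

    # Context anomalies: unusual country or hour trigger step-up, not a deny.
    if context.country != subject.home_country:
        step_up.append(
            f"access from {context.country}, home country is {subject.home_country}"
        )
    if context.local_hour not in WORKING_HOURS:
        step_up.append(f"access at {context.local_hour:02d}:00 is outside working hours")

    if deny:
        return Decision("deny", deny)
    if step_up:
        return Decision("step_up", step_up)
    return Decision("allow")


if __name__ == "__main__":
    # Constructed sample: a manager with VIP entitlement, calling from China at 01:00.
    carol = Subject("carol", "manager", "UK", frozenset({"vip_accounts"}))
    request = Context(country="CN", local_hour=1, device_managed=True)
    record = Resource("acct-7781", owner_id="bob", tier="vip")
    print(evaluate(carol, request, record))
```

Each reason string is meant to be logged alongside the decision, so that a step-up or deny can be explained to the user and reviewed by security operations later; a decision point that only returns a boolean loses exactly the context that made it identity-aware.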

As digital transformation initiatives extend remote access to more data and resources, the attack surface grows, leaving unsecured systems vulnerable. As a result, organisations need to consider all aspects when securing their APIs, including ensuring they know which APIs they have in place to begin with.

However, in a world where even the smallest breach can have devastating consequences, just having basic API protection is no longer enough. More emphasis needs to be placed on API access control as part of an overall API security initiative, built on the principles of zero trust security. Only then can organisations be sure that users accessing sensitive information are indeed who they claim to be. 

Gal Helemski is CTO and co-founder of PlainID

