API Security Is A Critical Boardroom Issue

Uploaded on 2023-11-13 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Across today's digitally centric organisations, the development of products, services, and solutions increasingly depends on the implementation of Application Programming Interfaces (APIs). APIs enable to communicate effectively, granting access to information and providing functionality associated with organisational data.

In recent years their usage has grown exponentially, to the point where they are now almost universal across both external-facing and internal applications.  

In short, APIs have become one of the core building blocks of modern business applications and their use is critical to successful digital transformation. Consequently, API security must also be considered a fundamental business requirement at boardroom level.
 
Unfortunately, this isn’t always the case. In January 2023, API security - or lack thereof - made headlines for the wrong reasons, when T-Mobile reported that a "bad actor" was able to obtain information on 37 million customers by exploiting a single unsecured API. This incident is just the latest in a growing list of similar cases involving poorly secured APIs; an attack vector that criminals will continue to exploit for as long as companies allow them to do so.

In response to the growing emphasis being placed on API security, the Open Worldwide Application Security Project (OWASP) recently updated its ranking of the top API Security risks for the first time since 2019. The updated list contains several refinements/redefinitions and new concepts that reflect the ever-changing API security landscape, making it essential reading for any business looking to improve its API security knowledge.

The Risks Posed By Unsecured APIs Are Considerable

As the above example illustrates, the risks associated with poor API security are plentiful, and growing all the time. Exposure and manipulation of sensitive data both have the potential to cause major operational damage, while the associated financial and reputational risks can end up being even more costly. Therefore, organisations need to consider every possible outcome that could result from the exposure/misuse of a particular API when deciding the right level of security required.  

Adopting API Access Ctrol As Part Of Zero Trust Security

Effective API security typically covers three main areas: API discovery, API threat protection and API access control. The focus of most organisations up until now has been on API discovery and protection. However, there is a growing requirement to address API access control as well. 

While API threat protection focuses on the ability to invoke the API from the infrastructure perspective, API access control adds business related controls by considering factors like end-user authentication and authorisation, what’s being accessed, and the context of that access. This is tightly connected to the increasing initiative of zero trust architecture, where access is validated dynamically, wherever needed and possible. 

Zero trust architecture calls for identity aware controls throughout the organisation’s technology stack. Consequently, organisations must consider identity aware controls as part of their API access control strategy as well. This includes asking and answering key questions before granting access, like:

  • What is the user’s job role? E.g., are they a manager?
  • What is the context of access? E.g., is the user accessing from the UK or China? What time is the user trying to access and does it make sense?  Would a user from the UK usually be accessing information at 1am?
  • What device is the user attempting to access the API from? Is it an approved device or an unsecured personal one?

It's also important to look at what the user is trying to access and what the API call is enabling on his/her behalf. Identity-aware API access control doesn’t just take into consideration the API itself, but also what the API exposes to the user by understanding the full implication of this specific API usage, at that point in time, in this context and by this user. For example:

  • What type of account is the user trying to access? Basic or VIP? Can he/she do that?
  • Is the financial record he/she is trying to access associated with his/her account or not?

Adopting identity-aware API access control, based on dynamic authorisation, is the only way organisation can truly follow zero trust guidelines. 

As digital transformation initiatives increase remote access to more data and resources, attack vectors are increasingly at risk by leaving unsecured systems vulnerable. As a result, organisations need to consider all aspects when securing their API’s, including ensuring they know which APIs they have in place to begin with.

However, in a world where even the smallest breach can have devastating consequences, just having basic API protection is no longer enough. More emphasis needs to be placed on API access control as part of an overall API security initiative, built on the principles of zero trust security. Only then can organisations be sure that users accessing sensitive information are indeed who they claim to be. 

Gal Helemski is CTO and co-founder of PlainID

Image: Antonio Batinić 

You Might Also Read:

Five Critical Security Measures To Enforce API Security:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Online Safety Act Is Now Law
The Cyber Skills Gap Is Still Not Getting Better »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NQA Certification

NQA Certification

NQA provides certification to a range of ISO standards including ISO 27001 for information security management.

TSUNAMI

TSUNAMI

The TSUNAMi center focuses on software and system security and how trustworthy software can be built from COTS software components.

Military Cyber Professionals Association (MCPA)

Military Cyber Professionals Association (MCPA)

MCPA are a team of Soldiers, Sailors, Airmen, Marines, Veterans and others interested in the development of the American military cyber profession.

Certus Software

Certus Software

Our Secure Data Erasure solutions protect customer data confidentiality by completely erasing it from data storage devices.

Post-Quantum

Post-Quantum

Post-Quantum offer a unique, patented quantum-resistant encryption algorithm that can be applied to existing products and networks.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

ReFoMa

ReFoMa

ReFoMa is a consultancy and advisory company with a focus on information Security.

Quest Software

Quest Software

Simple IT management for a complex world. Whether it’s digital transformation, cloud expansion, security threats or something new, Quest helps you solve complex problems with simple solutions.

Blueskytec (BST)

Blueskytec (BST)

Blueskytec has applied its experience of over three decades of working in the field of embedded systems and encryption to provide a scalable and appropriate technology for cyber-physical devices.

Griffiss Institute (GI)

Griffiss Institute (GI)

GI's primary role is to advocate and facilitate the co-operation of private industry, academia, and the Air Force Research Laboratory in developing solutions to critical cyber security problems.

BigPanda

BigPanda

BigPanda is the first provider of Autonomous Operations solutions that empower IT Operations at large, complex enterprises.

CybX Security LLC

CybX Security LLC

CybX is the first company of its kind to merge the practice of computer forensics with computer security and information security.

SafeStack Academy

SafeStack Academy

SafeStack Academy is an online cyber security and privacy education platform. Our content is designed by experts to suit small businesses, growing companies, and development teams.

Peris.ai

Peris.ai

Peris.ai is a cybersecurity as a service startup that protects businesses and organizations from online threats.

Exium

Exium

At Exium we’ve integrated networking and security in a cloud-delivered Zero Trust platform powered by 5G and open source.

itm8

itm8

itm8 is a Nordic digital transformation partner offering a wide range of services in IT operations and Cloud Services, Digital Transformation, Application Services, ERP, and Cyber Security.