Five Critical Security Measures To Enforce API Security 

Although business and engineering leaders continue to rapidly accelerate API usage and integration across companies, effectively securing APIs remains a challenge. And keeping this critical infrastructure safe from malicious hackers has never been more urgent.  

A recent study conducted by Kong in conjunction with outside economists forecasts a 996% increase in API attacks by 2030. Our research also projects that API cyberattacks will cost the US economy over $500 billion by the end of the decade. 

Five Steps to Enforce API Security

Effective API security strategies are multilayered and encompass various aspects of the API lifecycle. We've identified the most important security measures that require stringent enforcement.

1. Protect the network and transport layers:    Start with low-level network enforcement at Layer 3 and Layer 4 (L3/L4). This is particularly important for edge APIs used by third parties outside an organisation. Businesses need to verify the legitimacy of incoming traffic before allowing it to progress any further.

To do this, you must filter and inspect traffic flows using inbound encrypted traffic inspection, stateful inspection, and protocol detection. These steps are critical to defeat data loss and known malware communications and support compliance requirements. 

These steps may represent a change in thinking for many leaders; in the past, external threats were the biggest concern, but now internal threats (malicious actors and bots) and vulnerabilities are also an issue. 

2. Implement zero trust:     Zero trust is a well-established concept in cybersecurity and it's founded on the belief that you can’t trust who a client claims to be, regardless of whether it’s internal or external.

Consider: when you enter a foreign country, you must show your passport to validate your identity. Without passports, immigration agents would have to take your word about your identity, which could make their country vulnerable to malicious actions.

Keeping the "borders" of your APIs safe is no different. Zero trust is designed to validate every client's identity. For starters, the "passport" could be an mTLS certificate issued to each service installer with every request. To simplify this potentially complex endeavour, you could develop a service mesh to manage the entire certificate lifecycle (issuance, rotation, revocation) automatically, and handle enforcement with a sidecar proxy running transparently alongside it. The result? Teams can be users of zero trust, not enforcers or builders.

3. Mandate user authentication and authorisation:   Once you've validated the identities of the services using APIs, you must identify the user with authentication and authorisation strategies. These could include validating an API key or integrating with a third-party OpenID Connect (OIDC) or OAuth provider. It's best to centralise how these policies are enforced, as decentralising it can enable considerable security risks.

4. Restrict traffic to the API:    Security protocols or control measures shouldn't end there. Consider restricting the traffic directed toward the API to manage user-level access. It's like step 1 above but enhanced with rate-limiting or throttling strategies.

These safeguards can prevent escalating failures from excessive traffic and allow API consumption tiers, which can serve as an additional revenue stream during busy seasons.

To optimise this strategy, employ intensive API monitoring and analytics, coupled with asynchronous machine learning capabilities to track traffic for each client and user. Platform teams can help the organisation's security-approved API infrastructure run smoothly. 

5. Enforce policies:    To further mitigate risk, create a policy-enforcement workflow. Policy enforcement and control equate to compliance, yet they can be overlooked. Policy enforcement ensures that necessary policies are applied, correctly configured, not malicious, and won't cause unexpected results. The faster you mandate and universally enforce global enforcement policies, the stronger your security measures can become.

Take Action Against Threats

At the end of the day, you must recognise and act on the increasing levels of threats against APIs by developing smart, agile security measures and protecting their integrity and endurance.  

For more detailed information, please download a copy of “Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company” 
 
Marco Palladino is CTO and co-founder of Kong   

Image; putilich

You Might Also Read: 

The Unique TTPs Attackers Use To Target APIs:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Increase Security For Your Enterprise Cloud With A Next-Generation Firewall
Bletchley Declaration On Artificial Intelligence Gets International Support »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

DeviceLock

DeviceLock

DeviceLock is a leading provider of endpoint device/port control and data leak prevention software.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

Parsons

Parsons

Parsons has developed a converged security offering that combines cybersecurity, integrated network solutions, and critical infrastructure protection.

Telesoft Technologies

Telesoft Technologies

Telesoft Technologies is a global provider of cyber security, telecom and government infrastructure products and services.

Smarttech247

Smarttech247

Smarttech247 deliver a range of cyber security solutions, including cognitive security services using IBM Watson for Cybersecurity, SIEM, Compliance & Governance, and Penetration Testing.

ICTSecurity Portal

ICTSecurity Portal

The ICTSecurity Portal is an interministerial initiative in cooperation with the Austrian economy and acts as a central internet portal for topics related to security in the digital world.

AXA XL

AXA XL

AXA XL is the P&C and Specialty Risk Division of AXA. Professional insurance products include Cyber Insurance.

Southwest Research Institute (SwRI)

Southwest Research Institute (SwRI)

Southwest Research Institute SwRI are R&D problem solvers providing independent services to government and industry clients. Areas of expertise include Cybersecurity, Intelligent Networks and IoT.

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling and Data Destruction protect the environment and your data with proven and trusted electronics recycling and data destruction services.

Marlabs

Marlabs

Marlabs is a Digital Technology Solutions company that helps companies adopt digital transformation using a comprehensive framework including Digital Automation, Enterprise Analytics and Security.

Kordia

Kordia

Kordia is a leading provider of mission-critical technology solutions throughout Australasia. We have the most comprehensive cyber security offering in New Zealand.

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL)

Pakistan Telecommunication Company Limited (PTCL) is the largest integrated Information Communication Technology (ICT) company of Pakistan.

ITC Federal

ITC Federal

ITC Federal delivers IT cybersecurity assessment services to support agencies in meeting their security strategies and federal security compliance goals.

WPScan

WPScan

With WPScan, you'll be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.

GISEC Global

GISEC Global

GISEC Global provides vendors and companies from around the world with access to lucrative opportunity to capitalize on what's set to become one of the world's booming markets.

Mindcore Technologies

Mindcore Technologies

Mindcore provide cyber security services, managed IT services and IT consulting services to businesses in NJ, FL, and throughout the United States.