Five Critical Security Measures To Enforce API Security 

Although business and engineering leaders continue to rapidly accelerate API usage and integration across companies, effectively securing APIs remains a challenge. And keeping this critical infrastructure safe from malicious hackers has never been more urgent.  

A recent study conducted by Kong in conjunction with outside economists forecasts a 996% increase in API attacks by 2030. Our research also projects that API cyberattacks will cost the US economy over $500 billion by the end of the decade. 

Five Steps to Enforce API Security

Effective API security strategies are multilayered and encompass various aspects of the API lifecycle. We've identified the most important security measures that require stringent enforcement.

1. Protect the network and transport layers: Start with low-level network enforcement at Layer 3 and Layer 4 (L3/L4). This is particularly important for edge APIs used by third parties outside an organisation. Businesses need to verify the legitimacy of incoming traffic before allowing it to progress any further.

To do this, you must filter and inspect traffic flows using inbound encrypted traffic inspection, stateful inspection, and protocol detection. These controls are critical for preventing data loss, blocking known malware communications, and supporting compliance requirements.

These steps may represent a change in thinking for many leaders; in the past, external threats were the biggest concern, but now internal threats (malicious actors and bots) and vulnerabilities are also an issue. 

2. Implement zero trust: Zero trust is a well-established concept in cybersecurity, founded on the belief that you can't trust who a client claims to be, regardless of whether it's internal or external.

Consider: when you enter a foreign country, you must show your passport to validate your identity. Without passports, immigration agents would have to take your word about your identity, which could make their country vulnerable to malicious actions.

Keeping the "borders" of your APIs safe is no different. Zero trust is designed to validate every client's identity. For starters, the "passport" could be an mTLS certificate issued to each service and presented with every request. To simplify this potentially complex endeavour, you could deploy a service mesh that manages the entire certificate lifecycle (issuance, rotation, revocation) automatically and handles enforcement with a sidecar proxy running transparently alongside each service. The result? Teams can be users of zero trust, not enforcers or builders.

3. Mandate user authentication and authorisation: Once you've validated the identities of the services using APIs, you must identify the user with authentication and authorisation strategies. These could include validating an API key or integrating with a third-party OpenID Connect (OIDC) or OAuth provider. It's best to centralise how these policies are enforced, as decentralising it can introduce considerable security risk.

4. Restrict traffic to the API: Security protocols or control measures shouldn't end there. Consider restricting the traffic directed toward the API to manage user-level access. It's like step 1 above but enhanced with rate-limiting or throttling strategies.

These safeguards can prevent escalating failures from excessive traffic and allow API consumption tiers, which can serve as an additional revenue stream during busy seasons.

To optimise this strategy, employ intensive API monitoring and analytics, coupled with asynchronous machine learning capabilities to track traffic for each client and user. Platform teams can help the organisation's security-approved API infrastructure run smoothly. 
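Steps 3 and 4 together describe what an API gateway does on every request: centrally validate the consumer's credential, then throttle that consumer according to its consumption tier. The following is an added example, not code from the article or from Kong; the API keys, consumer names and tier limits are constructed sample values, and a caller-supplied clock stands in for wall time so the refill behaviour is easy to reason about.

```python
import hashlib
from dataclasses import dataclass

# Constructed consumption tiers: requests allowed per 60-second window.
WINDOW_SECONDS = 60.0
TIERS = {"free": 5, "pro": 100}

def key_digest(api_key: str) -> str:
    # Store and look up only the SHA-256 of the key, so a leaked
    # consumer table does not expose usable credentials.
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed consumer registry: key digest -> (consumer name, tier).
CONSUMERS = {
    key_digest("free-key-0001"): ("alice", "free"),
    key_digest("pro-key-0002"): ("bob", "pro"),
}

@dataclass
class TokenBucket:
    capacity: int
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond capacity.
        refill = (now - self.last) * self.capacity / WINDOW_SECONDS
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gateway:
    def __init__(self) -> None:
        self.buckets: dict[str, TokenBucket] = {}

    def handle(self, api_key, now: float) -> int:
        # Step 3: authenticate the consumer centrally, before any routing.
        if not api_key:
            return 401
        consumer = CONSUMERS.get(key_digest(api_key))
        if consumer is None:
            return 401
        name, tier = consumer
        # Step 4: enforce the per-consumer limit taken from its tier.
        limit = TIERS[tier]
        bucket = self.buckets.get(name)
        if bucket is None:
            bucket = self.buckets[name] = TokenBucket(limit, limit, now)
        return 200 if bucket.take(now) else 429
```

Unknown or missing keys are rejected before any bucket is created, so unauthenticated traffic cannot consume per-consumer quota or grow the bucket table.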

5. Enforce policies: To further mitigate risk, create a policy-enforcement workflow. Policy enforcement and control equate to compliance, yet they are often overlooked. Policy enforcement ensures that the necessary policies are applied, correctly configured, not malicious, and won't cause unexpected results. The sooner you mandate and universally enforce global policies, the stronger your security measures become.

Take Action Against Threats

At the end of the day, you must recognise and act on the increasing levels of threats against APIs by developing smart, agile security measures and protecting their integrity and endurance.  

For more detailed information, please download a copy of “Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company” 
 
Marco Palladino is CTO and co-founder of Kong   
