Five Critical Security Measures To Enforce API Security 

Uploaded on 2023-11-07 in TECHNOLOGY--Resilience, FREE TO VIEW

Although business and engineering leaders continue to rapidly accelerate API usage and integration across companies, effectively securing APIs remains a challenge. And keeping this critical infrastructure safe from malicious hackers has never been more urgent.  

A recent study conducted by Kong in conjunction with outside economists forecasts a 996% increase in API attacks by 2030. Our research also projects that API cyberattacks will cost the US economy over $500 billion by the end of the decade. 

Five Steps to Enforce API Security

Effective API security strategies are multilayered and encompass various aspects of the API lifecycle. We've identified the most important security measures that require stringent enforcement.

1. Protect the network and transport layers:    Start with low-level network enforcement at Layer 3 and Layer 4 (L3/L4). This is particularly important for edge APIs used by third parties outside an organisation. Businesses need to verify the legitimacy of incoming traffic before allowing it to progress any further.

To do this, you must filter and inspect traffic flows using inbound encrypted traffic inspection, stateful inspection, and protocol detection. These steps are critical to defeat data loss and known malware communications and support compliance requirements. 

These steps may represent a change in thinking for many leaders; in the past, external threats were the biggest concern, but now internal threats (malicious actors and bots) and vulnerabilities are also an issue. 

2. Implement zero trust:     Zero trust is a well-established concept in cybersecurity and it's founded on the belief that you can’t trust who a client claims to be, regardless of whether it’s internal or external.

Consider: when you enter a foreign country, you must show your passport to validate your identity. Without passports, immigration agents would have to take your word about your identity, which could make their country vulnerable to malicious actions.

Keeping the "borders" of your APIs safe is no different. Zero trust is designed to validate every client's identity. For starters, the "passport" could be an mTLS certificate issued to each service installer with every request. To simplify this potentially complex endeavour, you could develop a service mesh to manage the entire certificate lifecycle (issuance, rotation, revocation) automatically, and handle enforcement with a sidecar proxy running transparently alongside it. The result? Teams can be users of zero trust, not enforcers or builders.

3. Mandate user authentication and authorisation:   Once you've validated the identities of the services using APIs, you must identify the user with authentication and authorisation strategies. These could include validating an API key or integrating with a third-party OpenID Connect (OIDC) or OAuth provider. It's best to centralise how these policies are enforced, as decentralising it can enable considerable security risks.

4. Restrict traffic to the API:    Security protocols or control measures shouldn't end there. Consider restricting the traffic directed toward the API to manage user-level access. It's like step 1 above but enhanced with rate-limiting or throttling strategies.

These safeguards can prevent escalating failures from excessive traffic and allow API consumption tiers, which can serve as an additional revenue stream during busy seasons.

To optimise this strategy, employ intensive API monitoring and analytics, coupled with asynchronous machine learning capabilities to track traffic for each client and user. Platform teams can help the organisation's security-approved API infrastructure run smoothly. 

5. Enforce policies:    To further mitigate risk, create a policy-enforcement workflow. Policy enforcement and control equate to compliance, yet they can be overlooked. Policy enforcement ensures that necessary policies are applied, correctly configured, not malicious, and won't cause unexpected results. The faster you mandate and universally enforce global enforcement policies, the stronger your security measures can become.

Take Action Against Threats

At the end of the day, you must recognise and act on the increasing levels of threats against APIs by developing smart, agile security measures and protecting their integrity and endurance.  

For more detailed information, please download a copy of “Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company” 
 
Marco Palladino is CTO and co-founder of Kong   

Image; putilich

You Might Also Read: 

The Unique TTPs Attackers Use To Target APIs:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Increase Security For Your Enterprise Cloud With A Next-Generation Firewall
Bletchley Declaration On Artificial Intelligence Gets International Support »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

SecDev

SecDev

SecDev is a consulting firm working at the intersection of geopolitical, digital, urban, energy and cyber risk.

Cellebrite

Cellebrite

Cellebrite delivers comprehensive solutions for mobile data forensics and mobile lifecycle management.

Remediant

Remediant

Remediant is the leader in Precision Privileged Access Management. We protect organizations from ransomware and data theft via stolen credentials and lateral movement.

Jenson Knight

Jenson Knight

Jenson Knight is a global cyber security, cloud and IT infrastructure staffing specialist.

MONITORAPP

MONITORAPP

MONITORAPP is responsible for complete web security. Protect your business environment with Application Security Solutions from MONTORAPP.

Immuta

Immuta

Immuta empowers data engineering and operations teams to automate data governance, security, access control & privacy protection.

Finnish Security & Intelligence Service (SUPO)

Finnish Security & Intelligence Service (SUPO)

The Finnish Security and Intelligence Service is a government agency tasked with combating serious threats to national security in Finland.

SAM Seamless Network

SAM Seamless Network

SAM Seamless Network is a cybersecurity technology platform that protects the connected home, by tackling cyber security threats at the source.

Skudo

Skudo

Skudo is dedicated to creating innovative best-in-class solutions that protect data exchange with the highest level of security and privacy.

SensCy

SensCy

SensCy is a Trusted Guide for Sensible Cybersecurity for small and medium-sized organizations.

National Cybersecurity Agency (ACN) - Italy

National Cybersecurity Agency (ACN) - Italy

The ACN is the National Authority for Cybersecurity in Italy. the Agency promotes public-private initiatives to strengthen the national cybersecurity and resilience posture.

BitLyft

BitLyft

BitLyft is a managed detection and response provider that is dedicated to delivering unparalleled protection from cyber attacks for organizations of all sizes.

Gilsbar

Gilsbar

For more than half a century, Gilsbar has offered insurance service solutions and support for businesses and their employees.

Board of Cyber

Board of Cyber

Board of Cyber offers Security Rating: a fast, non-intrusive, continuous, 100% automated solution to evaluate the cyber performance of an organization.

Eficens Systems

Eficens Systems

Eficens Systems is a global IT services and consulting company. We specialize in empowering businesses to harness the potential of Information Technology as a strategic asset.

Twinstate Technologies

Twinstate Technologies

Twinstate Technologies specializes in cybersecurity, proactive IT, and hosted and on-premise voice solutions.