Managing API Sprawl: The Growing Risk Of Shadow APIs & How To Mitigate It

As organisations continue to migrate towards microservice-based architectures, implement real-time data strategies and shift towards API-first approaches, managing and governing APIs often becomes increasingly complex.

The more APIs you have, the more APIs you need to secure, manage and govern. It doesn’t take long to reach the land of “API sprawl,” where there are hundreds, or even thousands, of new APIs that aren’t properly accounted for.

While this all seems simple and predictable, it’s something that many organisations still struggle with. These struggles typically take the form of “shadow APIs” - undiscovered and unmanaged legacy APIs that are often still running in production. These APIs present serious risks for any business.

Increasing Vulnerability To API Security Breaches

The lack of visibility into a rapidly growing API landscape creates a breeding ground for security vulnerabilities. Shadow APIs, often unmonitored or poorly maintained, become prime targets for attackers who exploit improper authentication logic or weak encryption standards. Kong research highlights this risk, with the number of annual attacks forecast to grow 548% by 2030, for a total of 42,000 API attacks in the U.S. alone.

Because these APIs are often not tracked or monitored, they can inadvertently expose sensitive data, such as customer personally identifiable information (PII), financial records or proprietary business information. For example, a legacy API developed for a now-defunct service may still have access to sensitive databases, unintentionally exposing data to anyone who knows how to call it. What’s most concerning is that these data leaks often occur silently, without anyone in the organisation noticing until it’s too late.

Improving API Governance With Service Catalogues

The inability to fully account for all APIs means that organisations struggle to comply with industry regulations. APIs that process sensitive data may fall outside of mandated compliance checks, such as GDPR or HIPAA audits, simply because they aren’t catalogued as part of the organisation’s official API inventory. This lack of oversight can result in costly regulatory fines, not to mention the potential damage to customer trust.

Just like a library catalogue helps patrons find materials, a service catalogue acts as a centralised system of record for an organisation’s services and APIs. The service catalogue is the discovery and visibility mechanism for all of your APIs and services. In other words, it’s the bane of API sprawl and shadow APIs. Let’s break it down further.

One of the most powerful features of a service catalogue is its discovery engine, which dynamically updates the catalogue as new services are deployed and inactive ones are decommissioned. The discovery engine allows the service catalogue to retain both its accuracy and reliability as a source of truth with zero manual intervention.

It is important to note, however, that not all service catalogues are created equal.

Certain catalogues whose discovery engines do not deeply integrate with critical infrastructure (like API gateways and service meshes) typically need to be populated and maintained by hand. These manual processes are highly prone to error and result in outdated catalogues almost immediately.

In other words, if your service catalogue can’t auto-populate, it undermines the entire purpose of adopting such a solution. You may as well try to manage, measure and govern every API and service manually in an Excel sheet. This is untenable for an organisation with a massive service footprint.

An automated service catalogue that is built to deeply integrate with various infrastructural applications offers complete visibility into an organisation’s north-south and east-west API traffic. This allows the catalogue to display analytics about the service (such as request count, error rate and latency) that reflect its dynamic real-world usage, rather than static and outdated data.
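The reconciliation such a discovery engine performs can be sketched as follows: compare routes seen in gateway traffic against the catalogue, report analytics for registered services, and surface anything unregistered as a shadow API candidate. This is an added example, not code from the article or from Kong; the catalogue entries, the log format and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed catalogue (assumption): route prefix -> registered service.
CATALOGUE = {"/orders": "orders-service", "/payments": "payments-service"}
# Constructed gateway access log: METHOD PATH STATUS LATENCY_MS (assumed format).
LOG_LINES = """\
GET /orders/1001 200 42
POST /orders 201 95
GET /payments/77 500 310
GET /payments/78 200 120
GET /v1/legacy-export/customers 200 880
GET /v1/legacy-export/customers?page=2 200 910
truncated line without fields
""".splitlines()
LINE_RE = re.compile(r"^(?:GET|POST|PUT|PATCH|DELETE) (/\S*) (\d{3}) (\d+)$")

def owner_of(path):
    """Return the catalogued service owning this path, or None if uncatalogued."""
    # Longest prefix first, matched on whole segments: /orders-old is not /orders.
    for prefix in sorted(CATALOGUE, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return CATALOGUE[prefix]
    return None

def reconcile(lines):
    """Return (per-service analytics, uncatalogued paths with hit counts, unparsed lines)."""
    totals = defaultdict(lambda: [0, 0, 0])  # requests, 5xx errors, summed latency
    shadow, skipped = defaultdict(int), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparsed traffic instead of dropping it silently
            continue
        path, status, latency = m.group(1).split("?", 1)[0], int(m.group(2)), int(m.group(3))
        service = owner_of(path)
        if service is None:
            shadow[path] += 1  # live traffic to a route nobody registered
            continue
        t = totals[service]
        t[0] += 1
        t[1] += status >= 500
        t[2] += latency
    report = {svc: {"requests": n, "error_rate": e / n, "avg_latency_ms": ms / n}
              for svc, (n, e, ms) in totals.items()}
    return report, dict(shadow), skipped

if __name__ == "__main__":
    print(reconcile(LOG_LINES))
```

Any path in the second return value is receiving production traffic without a catalogue entry, which is the condition the article calls a shadow API.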

Organisations can no longer afford to leave critical customer data, PII and authorisation credentials just “floating” out there, unseen, in production. Hope cannot be your API security strategy.

Miko Bautista is Product Manager at Kong Inc.
