The hidden risk enterprises are facing daily
This content appears in Mission Critical Magazine: https://www.missioncriticalmagazine.com/articles/94051-a-look-into-api-vulnerabilities
Cyberattacks are on the rise, but there are steps companies can take to stay safe. Mission Critical recently sat down with Jason Needham, CEO of Cloudentity, to find out how.
Please explain why application programming interfaces (APIs) increase the attack surface for enterprises, creating more security risk.
Needham: APIs are the underpinnings of digital transformation, representing 83% of all web traffic. Today, APIs are essential for driving new digital business revenue growth for enterprises and transforming decade-old business models. App modernization, big data, machine learning, automation jobs, and microservices application constructs are typically run through APIs, which introduces significant data privacy issues.
Each API presents a surface for information that must be protected. These API points are distributed throughout our infrastructure and cloud deployments and can’t be protected by a simple perimeter firewall. The more APIs there are — and the more sensitive data exchanged — the more challenging and complicated security becomes. Moreover, each application team usually controls its own APIs and the information that’s published. So, imagine hundreds of applications and teams with thousands of API endpoints, which is increasing every day. That’s what enterprises are facing.
What are some common mistakes for IT and security teams when it comes to managing API security?
Needham: Data shows that 44% of enterprise IT practitioners report experiencing substantial API security and privacy issues in the last year, and, as a result, 97% experienced delays in releases of new applications and service enhancements. Common API vulnerabilities include weak authentication, security misconfiguration, and excessive data exposure. A leaky API can be detrimental to organizations, exposing sensitive customer or company data.
Major API breaches, such as the Experian credit score breach, illustrate the damaging impact that vulnerable APIs can lead to. Additionally, many organizations are still trying to protect their APIs with traditional, perimeter-based security, and, as a result, they are failing to stop today’s increasingly sophisticated and severe cyberattacks. Protecting modern applications and APIs requires a modern approach to API access control.
What are some best practices for enterprises to proactively strengthen API security and mitigate privacy issues?
Needham: Proactively strengthening API security requires a "zero trust" approach, which means not all authenticated users are authorized to access all provided APIs. The challenge of zero trust means, for API access, organizations need to authorize every single data request, whether it’s an outside customer, partner, or another component of the application asking for the information. This approach means that data access is controlled north/south and east/west between services.
From there, enterprises need to be able to granularly control who has access to particular APIs and prevent unauthorized access to sensitive data. However, granular authorization management has traditionally been approached in a fragmented manner. In most organizations, authorization rules are decentralized and typically hard-coded by engineers for each application — a process that is inefficient and prone to human error, policy inconsistency, and operational blind spots.
Enterprise developers and IT teams must decouple identity and authorization from applications and APIs to enable declarative authorization policy as code. If organizations don’t have the time or bandwidth to take on this task internally, there are enterprise solutions that automate these processes. Decoupling identity and authorization provides enterprises with a simpler, more integrated cloud-native approach over traditional identity and access management (IAM). This method centralizes management and analytics in a way that orchestrates multiple authentications, authorization, and privacy components in one platform rather than having to use different solutions for each step in the process.
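An added illustration of the decoupled, declarative authorization Needham describes (example code written for this page, not Cloudentity's product): every request, whether from an outside user (north/south) or from another service (east/west), is checked against one central policy table, so an authenticated caller without the right scope or resource ownership is still denied. The endpoints, scopes and service names are constructed for the example.

```python
"""Policy-as-code authorization layer (constructed example).

Authentication is assumed to have already happened; this layer decides,
per request, whether the authenticated principal is *authorized*.
Unknown endpoints are denied by default.
"""
from dataclasses import dataclass, field

# Constructed declarative policy: one rule per (method, route).
#   scopes     - scopes a user token must carry (north/south traffic)
#   services   - service identities allowed to call (east/west traffic)
#   owner_only - a user may only touch the resource they own
#   public     - no authentication required
POLICY = {
    ("GET", "/accounts/{id}"): {"scopes": {"accounts:read"},
                                "services": {"billing-svc"}, "owner_only": True},
    ("POST", "/accounts/{id}/transfer"): {"scopes": {"accounts:write"},
                                          "services": set(), "owner_only": True},
    ("GET", "/health"): {"scopes": set(), "services": {"*"}, "public": True},
}


@dataclass
class Principal:
    kind: str                      # "user" or "service"
    subject: str                   # user id or service name
    scopes: set = field(default_factory=set)
    authenticated: bool = True


def authorize(principal, method, route, resource_owner=None):
    """Return (allowed, reason) for one API request; deny by default."""
    rule = POLICY.get((method, route))
    if rule is None:
        return False, "no policy for endpoint: deny by default"
    if rule.get("public"):
        return True, "public endpoint"
    if not principal.authenticated:
        return False, "unauthenticated"
    if principal.kind == "service":                 # east/west call
        if "*" in rule["services"] or principal.subject in rule["services"]:
            return True, "service allowed"
        return False, "service not allowed"
    if not rule["scopes"] <= principal.scopes:       # north/south call
        return False, "missing scope"
    if rule.get("owner_only") and resource_owner != principal.subject:
        return False, "not resource owner"
    return True, "allowed"
```

Because the rules live in one table rather than in each application's code, adding or auditing an endpoint's access policy is a single change that every service picks up.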
How does this approach allow development teams to roll out new applications and services quicker and more confidently?
Needham: In the past, application teams had to spend a lot of time creating one-off authorization frameworks and code. In today’s world, this is not only expensive but is getting even more costly as the authorization complexity grows. Analysts who follow this space often talk about organizations that start with a simple business-to-consumer (B2C) approach, but, with business-to-business (B2B) use cases, companies must enable partners and ecosystems as well, so the complexity is exponential. On top of that, it’s highly complex when layering in privacy laws where consumers need to consent to which data they agree to share with partners.
When enterprises have a policy-as-code layer to control API access and ensure security best practices, security teams have an easier time understanding and governing critical data controls and policies. As a result, it speeds up the time-to-market for new applications and services, so IT and the development teams have more time to focus on developing new innovative applications and projects that drive the business forward.