Adopting Zero-Trust for API Security

Zero-trust architecture is being adopted across all assets within network infrastructure—data, cloud, applications. And now, more frequently, developers are seeing zero-trust as a useful security approach for APIs. That’s because APIs are becoming a more frequent attack target, in part because they tend to be less mature in their identity and access protections while transmitting large amounts of sensitive data and because almost every organization has them.

“Zero-trust can be applied to API security to make sure that APIs are constructed in ways that allow for a robust security model to be applied easily and effectively, so API users only have access to what they need,” said Kevin Dunne, president at Pathlock, in an email interview.

Why Use Zero-Trust for API Security

Think of APIs as the new network: interconnected in complex ways, with API interactions happening both within and outside of the organization.

“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”

However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.

But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.

“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president of strategy at NTT Application Security, in an email interview. “That creates a real challenge for securing these APIs.”

Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.

Integrating Zero-Trust in APIs

The most scalable way to implement zero-trust into the application layer is to implement and adopt secure design patterns that make the adoption of zero-trust simpler and cheaper, said Kulkarni.

While there is no one true way to implement zero-trust in APIs, one popular approach is designed around a central authentication service.

“This setup can validate access tokens that are sent with every request—with the API then deciding if or how to grant access to a requested action or resource,” said Yehuda Rosen, senior software engineer at nVisium, via email. However, this introduces new complexities and challenges, such as the need to build and maintain the new security service, as well as handling the access control lists across a potentially widespread number of components and applications within a microservices environment.
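The pattern Kulkarni and Rosen describe, a token validated on every request and a separate per-action authorization decision made by the API itself, sketched as an added example (not code from the article or from any of the companies quoted). The HMAC-signed token format, the signing key and the scope names are constructed stand-ins for a real auth service's tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key shared by the central auth service and the API.
# A real deployment would verify JWTs issued by the auth service instead.
AUTH_SERVICE_KEY = b"constructed-demo-key"


def issue_token(subject, scopes, ttl=300, now=None):
    """Auth-service side: mint an HMAC-signed token (constructed format, not a real JWT)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(AUTH_SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authenticate(token, now=None):
    """Step 1, authentication: check signature and expiry of the token on *this* request."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None  # malformed or missing token
    expected = hmac.new(AUTH_SERVICE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged token
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims["exp"] <= now:
        return None  # expired session: re-validated on every call, never cached
    return claims


# Step 2, authorization: every API action names the scope it requires.
# Scope names are constructed for this example.
REQUIRED_SCOPE = {
    ("GET", "/accounts"): "accounts:read",
    ("POST", "/transfers"): "transfers:write",
}


def handle_request(method, path, token, now=None):
    """Zero-trust handler: each call is authenticated and then authorized independently."""
    claims = authenticate(token, now)
    if claims is None:
        return 401, "unauthenticated"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, "unknown action"
    if needed not in claims["scopes"]:
        return 403, "forbidden"  # authenticated is not the same as authorized
    return 200, f"ok for {claims['sub']}"
```

The 403 branch is the point the article makes: a valid token proves who the caller is, but each action still needs its own authorization decision.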

And, Rosen noted, zero-trust won’t work universally across APIs. The central auth service cannot act alone as a fully zero-trust application; its own security must also be managed.

Zero-Trust’s Impact on API Security

Because APIs are more like applications and act as a function of business operations and not just another technological element, zero-trust should make a real impact on overall API security. But for it to be most effective, Dunne said to remember that zero-trust at the application layer will be similar in approach to API security, with the following steps needed:

• Know what applications exist, who has access and what access they have
• Redesign roles and remove entitlements from users to remove unnecessary access
• Continually enforce the least-privilege model to ensure risk is minimized

“APIs are the future of applications and the largest unprotected vector for mass data export,” Dunne said. “Securing them will be critical for organizations to ensure the data they manage is protected from cyberattacks.”

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.