The Rise of APIs and Risks of API Security

Some strange phrases have become cultural touchstones: “Hey, Siri,” “Hey, Alexa,” and “Hey, Google.” If you’ve ever uttered any of these phrases to ask for directions, play a song or find out the score of a game, then you’ve used an API, an application programming interface, the backbone of our newly interconnected world. APIs let programs share information with one another to offer services such as these. The rise of APIs has transformed online banking, travel booking websites and interoperability in health care, providing an automated way for programs and apps to retrieve and share data with one another and make end-user experiences seamless. Yet with that rise comes risk: the same risk that arises any time data is shared. And without the proper security standards in place, APIs can open the door and roll out the welcome mat for people who want to steal and misuse your data.

The Rise of APIs

According to the annual State of the Internet report from Akamai, more than 83% of all web traffic now comes from some form of API, showing just how widespread APIs have become. The rate of adoption is increasing exponentially, too: In 2021, overall API traffic grew by 321% according to a report from Salt Labs.

It’s not just a case of people and organizations following a trend, either. Research published by the Social Science Research Network (SSRN) in 2019 found that public firms that adopted externally-facing APIs grew an additional 38% over 16 years relative to non-adopters.

In other words, APIs help organizations grow—plain and simple. That makes sense in today’s economy. As this report puts it, “In the information age, the value of a firm rests fundamentally on how it stores, shares and processes information. Digital infrastructure is therefore central to a firm’s success. For platform businesses, which rely on creating an ecosystem of interactions and capturing a share of the resulting surplus, this truism holds especially strongly.”

Beyond the externally-facing APIs used by consumers and clients, APIs are also making it easier to build applications and services within organizations. They make work more efficient and reliable while reducing the time and resources spent on tasks that could be handled automatically. By driving artificial intelligence, low-code and no-code environments, they’re also making it easier for anyone, with programming skills or not, to develop ways for digital tools to work together.

The pros are using them, too. Almost nine out of every 10 developers are using APIs, according to Slashdata’s 19th Developer Economics Survey. A full 69% of developers reported they use third-party APIs and 20% say they use internal or private APIs. Creating an API so others can use your information or platform is almost expected.

The Risks of APIs

Of course, this rise in API use hasn’t gone unnoticed by those who look for ways to steal and misuse data for malicious ends.

The Akamai State of the Internet report found that web application attacks tripled in 2021, a record-high year, and that more than 88% of those attacks used common API vulnerabilities.

A high-profile example of API misuse was the Facebook and Cambridge Analytica data scandal. Over the last decade, Cambridge Analytica harvested personal data of Facebook users without their consent and used that data to direct political campaigns.

But this wasn’t actually a case of a data breach or leak, per se. Cambridge Analytica used Facebook’s own API to collect the data and then used it to manipulate and influence content on users’ Facebook feeds.

The scandal highlights the fundamental security concern of APIs—the ability to collect and access data, even if it’s not supposed to be accessed or disseminated. So how do we protect against that?

Zero-Trust: Not Just for Humans

Preventing API hacks, misuse or abuse follows the same principle as preventing malicious human actors from accessing data: the principle of least privilege. Whether human or machine, no principal should be able to access data beyond what it needs to complete its primary function.

Enforcing least-privilege access means adopting a zero-trust methodology. Zero-trust principles are based on setting up a unified user directory, assigning access privileges only to the data and resources each user needs to perform their essential functions and no more, and then monitoring use while creating policies that automatically manage and secure your data and resources.

In a zero-trust framework, that means treating APIs the same way you would human users in your system. They need to be accounted for within your user directory so that access levels can be managed and monitored, ensuring that APIs don’t have access to data they don’t need to perform their function and that they can’t serve as an unintentional backdoor to other data within your network.

With your APIs established in your user directory, you can apply zero-trust methods like context- and risk-based policies to automatically prevent APIs from operating in a way that threatens the integrity of your network. And when APIs are replaced, the zero-trust methodology makes offboarding and revoking access as easy for APIs as it is for human users, so that a retired integration does not linger as a path to your data.
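The three steps above (register the API client in the same directory as human users, grant it only the scopes its function needs, then apply context policy, audit every decision and revoke it at offboarding) are easy to see in a small authorization layer. The following is an added example written for this article, not code from the author or from MajorKey; the directory, the `invoices:read` / `invoices:write` scopes, the principal names, the IP addresses and the network allow-list are all constructed for illustration.

```python
"""Treating API clients as first-class principals under least privilege.

Added example (not from the original article): an in-memory directory in
which machine principals (API clients) are registered alongside human users,
granted an explicit allow-list of scopes, evaluated against a context-based
policy, audited, and revoked on offboarding. All identifiers, scopes and
addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple
import ipaddress


@dataclass
class Principal:
    """One identity in the directory; kind is 'human' or 'service' (an API client)."""
    principal_id: str
    kind: str
    scopes: FrozenSet[str]                   # least privilege: only what its function needs
    allowed_networks: Tuple[str, ...] = ()   # context policy: CIDRs this identity may call from
    active: bool = True                      # set to False at offboarding


class Directory:
    """Unified directory in which API clients are managed exactly like human users."""

    def __init__(self) -> None:
        self._principals = {}
        self.audit_log: List[dict] = []

    def register(self, principal: Principal) -> None:
        self._principals[principal.principal_id] = principal

    def revoke(self, principal_id: str) -> None:
        """Offboarding: disable rather than delete, so the audit trail keeps its history."""
        self._principals[principal_id].active = False
        self._record(principal_id, "*", "-", "revoked")

    def authorize(self, principal_id: str, scope: str, source_ip: str) -> Tuple[bool, str]:
        """Scope- and context-based decision; every decision is written to the audit log."""
        p = self._principals.get(principal_id)
        if p is None or not p.active:
            return self._record(principal_id, scope, source_ip, "deny:unknown_or_revoked")
        if scope not in p.scopes:
            return self._record(principal_id, scope, source_ip, "deny:scope")
        if p.allowed_networks:
            ip = ipaddress.ip_address(source_ip)
            if not any(ip in ipaddress.ip_network(cidr) for cidr in p.allowed_networks):
                return self._record(principal_id, scope, source_ip, "deny:network")
        return self._record(principal_id, scope, source_ip, "allow")

    def _record(self, principal_id: str, scope: str, source_ip: str,
                decision: str) -> Tuple[bool, str]:
        # Monitoring: allow and deny decisions alike are kept for review.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "principal": principal_id,
            "scope": scope,
            "source_ip": source_ip,
            "decision": decision,
        })
        return decision == "allow", decision


def demo() -> List[str]:
    """Constructed scenario: a reporting service and a human analyst share one directory."""
    d = Directory()
    # Service principal: read-only, and only from the internal network (constructed values).
    d.register(Principal("svc-billing-reporter", "service",
                         frozenset({"invoices:read"}), ("10.0.0.0/8",)))
    d.register(Principal("alice", "human",
                         frozenset({"invoices:read", "invoices:write"})))

    checks = [
        ("svc-billing-reporter", "invoices:read", "10.1.2.3"),     # in scope, internal network
        ("svc-billing-reporter", "invoices:write", "10.1.2.3"),    # beyond its primary function
        ("svc-billing-reporter", "invoices:read", "203.0.113.5"),  # right scope, wrong context
        ("alice", "invoices:write", "203.0.113.5"),                # human user, no network policy
    ]
    decisions = [d.authorize(*c)[1] for c in checks]
    # The service is replaced: offboarding revokes it as easily as a departed user.
    d.revoke("svc-billing-reporter")
    decisions.append(d.authorize("svc-billing-reporter", "invoices:read", "10.1.2.3")[1])
    return decisions


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that the service account and the human user pass through one `authorize` path with one audit log: the API client gets no implicit trust for being "internal", its scopes are an allow-list rather than a deny-list, and disabling it is a single state change that is itself recorded.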

As long as API deployment continues to rise, hackers and malicious actors will poke and prod, finding every weak point they can exploit. Preventing this starts with properly building the APIs themselves, but true protection means ongoing management and monitoring. If your organization’s value fundamentally rests on how you store, share and process information, the surest answer to retaining that value is building out a zero-trust framework for your organization.


Matt Graves

An experienced information security and cloud architect, Matt is responsible for IAM solutions development across the MajorKey client community. He advises clients on how to evolve their information security strategies and solutions in ways that align with their business objectives and leads solutions architecture to ensure effective delivery. Prior to his current role, Matt held senior operational positions within Highmetric, helping clients implement service management processes and solutions. An expert with multi-cloud platforms, Matt joined the company from the healthcare insurance industry.
