Identity’s Role in API Security

Digital identities play an important role in an organization’s security program. But the idea of “identity” in APIs can be complex, Jeff Williams, CTO and co-founder at Contrast Security, said in an email interview.

“People think of APIs as a way for two software applications to communicate,” Williams explained. For example, if a mobile phone application calls a company’s public web APIs, then the “identity” is simply the end user. But what if that public web API then makes requests to internal APIs or third-party external APIs? Where is the identity? Is it the end-user or the identity of the web API? Or both?

“This can become much more complex as the chain of APIs includes serverless functions and other APIs,” Williams continued. “In some cases, we should pass the ‘nested’ identity and in other cases not. But it is an important concept and organizations should define their identity strategy so that you don’t end up with chaos.”

Overall, identity is critical to the operation of APIs, and in turn, critical to API security. “There is no authorization or accountability without identity,” said Williams. “So it’s quite important to track not only the identity of the most recent hop in a transaction flow, but the originating identity and possibly other nested identities as well.”
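One way to keep both the most recent hop and the originating identity visible at the end of a chain, as an added example written for this edit (it is not code from the article or from Contrast Security): each service verifies the token addressed to it, then mints a token for the next service that preserves the user as the subject and nests its own identity in an `act` (actor) claim, in the style of RFC 8693 token exchange. The HS256 shared secret, the service names (`public-api`, `orders-svc`, `billing-svc`, `rogue-fn`), the scope and the expiry are all constructed for the example; a real deployment would use per-issuer asymmetric keys.

```python
"""Added example (not from the article or from Contrast Security): carrying the
originating end-user identity through a chain of API hops so that the last
service can authorize on both the user and every intermediary that acted.

Assumptions, all constructed for the example: HS256 JWTs signed with one
shared secret, hypothetical service names, and a nested "act" (actor) claim
in the style of RFC 8693 token exchange.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # one key for every hop, for brevity only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify(token: str, key: bytes = SECRET) -> dict:
    """Check the signature and expiry; return the claims or raise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def delegate(inbound_token: str, this_service: str, next_service: str) -> str:
    """Hop N accepts a token addressed to it and mints one for hop N+1.
    The subject (originating user) is preserved; this hop records itself as
    the actor and nests whatever actor chain was already present."""
    inbound = verify(inbound_token)
    if inbound.get("aud") != this_service:
        raise PermissionError(f"token not addressed to {this_service}")
    outbound = {
        "sub": inbound["sub"],            # the originating identity
        "aud": next_service,
        "scope": inbound.get("scope", ""),
        "exp": inbound["exp"],            # may not outlive the user's token
        "act": {"sub": this_service},     # most recent hop
    }
    if "act" in inbound:
        outbound["act"]["act"] = inbound["act"]  # earlier hops, nested
    return sign(outbound)


def actor_chain(claims: dict) -> list:
    """Flatten the nested act claim, most recent hop first."""
    chain, node = [], claims.get("act")
    while node:
        chain.append(node["sub"])
        node = node.get("act")
    return chain


def authorize(token: str, this_service: str, needed_scope: str,
              trusted_actors: set) -> dict:
    """Final hop: the user must hold the scope and every intermediary must be
    a service allowed to act on users' behalf. Returns who, and via whom."""
    claims = verify(token)
    if claims.get("aud") != this_service:
        raise PermissionError(f"token not addressed to {this_service}")
    if needed_scope not in claims.get("scope", "").split():
        raise PermissionError("originating user lacks scope")
    chain = actor_chain(claims)
    rogue = [a for a in chain if a not in trusted_actors]
    if rogue:
        raise PermissionError(f"untrusted hop(s) in chain: {rogue}")
    return {"user": claims["sub"], "via": chain}


TRUSTED = {"public-api", "orders-svc"}  # services allowed to act for users


def _user_token() -> str:
    return sign({"sub": "alice", "aud": "public-api",
                 "scope": "orders:read", "exp": time.time() + 300})


def demo_good_chain() -> dict:
    """mobile app -> public-api -> orders-svc -> billing-svc"""
    hop1 = delegate(_user_token(), "public-api", "orders-svc")
    hop2 = delegate(hop1, "orders-svc", "billing-svc")
    return authorize(hop2, "billing-svc", "orders:read", TRUSTED)


def demo_rogue_hop() -> bool:
    """An unvetted function inserts itself in the chain; billing rejects it."""
    hop1 = delegate(_user_token(), "public-api", "rogue-fn")
    hop2 = delegate(hop1, "rogue-fn", "billing-svc")
    try:
        authorize(hop2, "billing-svc", "orders:read", TRUSTED)
    except PermissionError:
        return True
    return False
```

The design choice worth noting is that `delegate` never widens anything: the subject, scope and expiry come from the inbound token, so a downstream service cannot end up with more than the user started with, and `authorize` can refuse a request whose chain contains a hop it does not trust even though the originating user is legitimate.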

Authentication and Authorization in API Security

Identity security depends on each identity holding the right set of permissions for the applications it accesses within the infrastructure, so proper authentication and authorization of access are critical to preventing API abuse and data exfiltration, according to Michelle McLean, vice president of product marketing at Salt Security.

“If a malicious actor is able to gain access to a single API within an organization’s environment due to improper access controls, attackers can then elevate their privileges and get unintended permissions to manipulate and alter different APIs and API calls, which can ultimately have detrimental consequences and be costly to bounce back from,” said McLean. “If an API lacks adequate authentication and authorization controls, a hacker can exploit a real session ID to gain access to a user account.”

It’s easy to become over-reliant on identity as a security mechanism for APIs, and that over-reliance can create another layer of risk.

“While authentication and authorization rooted in identity is an important starting point, it’s not the full answer for protecting APIs,” said McLean. In fact, most API attacks are launched against authenticated endpoints, and often by authenticated users.

The Role of Identity in API Security

Because identity is rather easy to manipulate, McLean pointed out, API security is evolving to rely on far more than identity.

“Combining identity with baselines of user behavior, big data analysis over time, and other forms of anomaly detection is crucial to effective API security,” McLean said. “Organizations should look to augment their identity access controls with additional, more robust protections including attack prevention, identification of sensitive data exposure, and remediation insights gleaned in runtime.”

At the same time, security teams are doing a better job of spreading the word that identity is not simply a username and password, and that realization will help clarify identity’s role in API security.

“Organizations should have a flexible definition of identity, with layers of confidence. Identity can include notions of location, behavior, technology and time,” said Williams.

For example, there is a tendency not to question an identity when it is tied to a known account or set of credentials, is performing an activity it has performed many times before, and is coming from the place it is usually located. But if the same request arrives from somewhere new or at an odd time, it should be treated with skepticism. This is where behavioral analytics tools add value to identity-based API security.

“It’s critical for APIs to keep up with changing models of authentication and identity,” said Williams.
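The “layers of confidence” idea above, as an added example written for this edit (not code from the article, Contrast Security or Salt Security): a per-identity baseline is built from past API access logs, and a new, already-authenticated request loses confidence for each way it departs from that baseline, such as a source network or hour of day the identity has never used. The log format, the sample log lines, the /24 grouping of source addresses, the penalties and the allow/step-up/deny thresholds are all constructed for the example; a production system would tune them per population and feed the result into a step-up or blocking decision rather than hard-code it.

```python
"""Added example (not from the article, Contrast Security or Salt Security):
a per-identity behavioral baseline that lowers confidence in an authenticated
API request when it comes from a network or at an hour the identity has not
used before. Log lines, thresholds and penalties are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Optional

# Constructed access-log lines: time, authenticated subject, source IP, path
SAMPLE_LOG = """\
2024-03-04T09:12:33Z sub=alice src=203.0.113.17 path=/v1/orders
2024-03-04T10:02:10Z sub=alice src=203.0.113.22 path=/v1/orders
2024-03-05T09:45:01Z sub=alice src=203.0.113.17 path=/v1/orders/42
2024-03-05T14:20:47Z sub=alice src=203.0.113.9 path=/v1/orders
2024-03-06T11:08:19Z sub=alice src=203.0.113.17 path=/v1/profile
2024-03-04T22:30:00Z sub=bob src=198.51.100.5 path=/v1/orders
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<sub>\S+) src=(?P<src>\S+) path=(?P<path>\S+)$")
MIN_OBSERVATIONS = 3   # below this the baseline itself is not trusted yet


def parse(line: str) -> Optional[dict]:
    """One log line -> subject, UTC hour, source /24 and endpoint path."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Collapse the source to its /24 so a DHCP change is not a "new place"
    net = str(ipaddress.ip_network(f"{m['src']}/24", strict=False))
    return {"sub": m["sub"], "hour": ts.hour, "net": net,
            "path": m["path"].split("?", 1)[0]}


def build_baseline(log_text: str) -> dict:
    """Per subject: which networks, hours and endpoints it normally uses."""
    base = defaultdict(lambda: {"nets": Counter(), "hours": Counter(),
                                "paths": Counter(), "n": 0})
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        b = base[ev["sub"]]
        b["nets"][ev["net"]] += 1
        b["hours"][ev["hour"]] += 1
        b["paths"][ev["path"]] += 1
        b["n"] += 1
    return dict(base)


def _hour_distance(a: int, b: int) -> int:
    """Distance on a 24-hour clock, so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score(baseline: dict, line: str) -> dict:
    """Confidence starts at 1.0 for a valid, authenticated request and drops
    for each way the request departs from what this identity usually does."""
    ev = parse(line)
    if ev is None:
        raise ValueError("unparseable log line")
    b = baseline.get(ev["sub"])
    confidence, reasons = 1.0, []
    if b is None or b["n"] < MIN_OBSERVATIONS:
        confidence -= 0.5
        reasons.append("no established baseline for this identity")
    else:
        if ev["net"] not in b["nets"]:
            confidence -= 0.4
            reasons.append(f"first request from {ev['net']}")
        if all(_hour_distance(ev["hour"], h) > 1 for h in b["hours"]):
            confidence -= 0.3
            reasons.append(f"unusual hour {ev['hour']:02d}:00 UTC")
        if ev["path"] not in b["paths"]:
            confidence -= 0.1
            reasons.append(f"never called {ev['path']} before")
    decision = ("allow" if confidence >= 0.7
                else "step_up" if confidence >= 0.4 else "deny")
    return {"sub": ev["sub"], "confidence": round(confidence, 2),
            "decision": decision, "reasons": reasons}


BASELINE = build_baseline(SAMPLE_LOG)
```

Run against `BASELINE`, a request from alice's usual network during her usual hours scores 1.0 and is allowed; the same credentials used from a new network at 03:00 UTC drop to 0.3 and are denied; the new network alone at a normal hour lands at 0.6, which asks for step-up rather than a hard block; and bob, with only one prior request, gets step-up for everything until a baseline exists. The `reasons` list is what an analyst wants alongside the score, since a denied request from a legitimate traveller and a stolen token look identical without it.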


Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
