Your APIs Have No Clothes

The rapid move to a distributed workforce during the pandemic turbocharged cloud adoption and, as a result, sharply expanded the attack surface. Today’s digital economy consists largely of online applications in public or private clouds. They are all connected via APIs, multiplying the access points attackers can use to gain unauthorized entry to systems and networks. Akamai has reported that 83% of internet traffic is API-based, and earlier this year Gartner pointed to API abuse as the most significant attack vector of 2022. In practice, most companies have significant exposure through their APIs, whether ones they built themselves or third-party APIs they consume.

Increasingly, API security is reminiscent of Hans Christian Andersen’s tale The Emperor’s New Clothes. In the story, the emperor was exposed, but no one around him was willing to say so or do anything about it. APIs are the digital equivalent. Historically, they have not been a significant area of focus for security professionals. With the explosion of online applications connected by APIs and the attack surface they create, however, the risk is high enough to demand more attention. Monitoring for, and preventing, attacks that use APIs as the initial attack vector is fundamental to reducing this exposure and better “clothing” your network.

Challenges of the Disappearing Perimeter

Most companies follow a set of security best practices, such as patching systems and applications regularly and maintaining strong perimeter security and access controls. As distributed digital workforces have become the norm, organizations have recognized that the traditional perimeter no longer exists. That calls for tightened access controls such as multifactor authentication, together with multi-layer detection and response capabilities that look for both known and unknown threats able to bypass the perimeter.

This multi-layered approach includes adopting different tools that respond to new threats. Purpose-built solutions for detecting and responding to API-specific threats are emerging, such as those that collect API request-and-response data, analyze it and alert on indicators tied to the OWASP API Security Top 10. Those alerts can be forwarded to the SIEM that serves as the monitoring hub for most security operations teams. Typical findings include broken authentication and excessive data exposure.

The Cybersecurity Talent Gap Exacerbates Problems

The cybersecurity talent gap affects all industries and areas of security. Too often, security teams lack the capacity and/or expertise to address the basic security controls they already know they need to implement, not to mention threats to more complex architectures that use APIs. 

The talent gap is not the cause of API security issues, but it exacerbates them in two ways. First, with security professionals scrambling just to manage the fundamentals as they deal with more users, devices, data and threats, they rarely have the cycles to get to API security. Automation can help, but the second factor is a lack of awareness and education: API security is a relatively new focus area, and the speed at which it has become an issue has outpaced awareness of the problem. Even experienced security professionals may lack the time to uplevel their skills in response to the expanded attack surface that accelerated digital transformation has created.

Getting Back to Basics

It helps for security professionals to first get back to fundamentals and evaluate each layer as a distinct attack surface. To do this, they need to think through the stages of the attack life cycle: where a threat actor is likely to enter, and how to mitigate risk at each stage, at the perimeter, inside the firewall and at the API level. While APIs are a distinct attack surface, the security fundamentals remain the same; security teams just need to apply them in a new way.

Authentication

Security teams know that they need to authenticate users and devices before granting network access. The same fundamental control applies to APIs: every request should carry a verifiable identity before it is served. Authentication at the API level can take several forms, including:

  • HTTP authentication (for example, HTTP Basic), where a caller presents a user ID and password with each request, which is why it must only ever travel over TLS
  • API keys, a unique secret issued to each client (consumer) rather than to each API, so that misuse can be traced and the key revoked per client
  • Tokens generated by an identity provider service, which the API validates (signature, audience and expiry) rather than trusting on sight
  • Access limitations for authenticated users, that is, authorization layered on top of authentication, so an authenticated caller reaches only the resources and operations it is entitled to
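As an added example (not code from the original article), the Python sketch below shows the four bullets working together: an HTTP Basic credential, a per-client API key and an identity-provider token are each verified, and the resulting identity is then subjected to a scope check before the request is served. The credential store, the shared HS256 secret standing in for the identity provider, the `X-API-Key` header name and the scope names are constructed for illustration; a real deployment would keep secrets in a secrets manager and validate tokens against the identity provider's published signing keys.

```python
"""Authenticating API callers three ways, then applying access limitations.

Added example; not code from the original article. Credential store, the
identity-provider secret and the scope names are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple

AUDIENCE = "orders-api"                 # the API these tokens must be minted for
IDP_SECRET = b"constructed-idp-secret"  # assumption: HS256 secret shared with the identity provider
SALT = b"constructed-salt"              # real systems use a random salt per user


def _pw_hash(password: str) -> bytes:
    # Slow, salted hash: passwords are never stored or compared in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# HTTP Basic users: name -> (password hash, granted scopes)
USERS = {"alice": (_pw_hash("correct horse"), {"orders:read"})}
# API keys identify a *client*, one key per consumer, stored only as a SHA-256 digest.
API_KEYS = {
    hashlib.sha256(b"ck_live_billing_7f3a").hexdigest(): ("billing-service", {"orders:read", "orders:write"}),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(sub: str, scope: str, exp: float) -> str:
    """Mint an HS256 JWT the way the constructed identity provider would (demo only)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": sub, "aud": AUDIENCE, "exp": exp, "scope": scope}).encode())
    sig = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: float) -> Optional[dict]:
    """Check algorithm, signature, audience and expiry; return the claims or None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        if header.get("alg") != "HS256":          # refuse 'none' and algorithm confusion
            return None
        expected = hmac.new(IDP_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now or "sub" not in claims:
        return None
    return claims


def make_basic(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (for the demo requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(headers: dict, now: Optional[float] = None) -> Optional[Tuple[str, Set[str]]]:
    """Return (principal, scopes) for the request, or None if it cannot be authenticated."""
    now = time.time() if now is None else now
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic":                          # 1. HTTP authentication: ID and password
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        stored = USERS.get(user, (b"\0" * 32, set()))  # hash even for unknown users (timing)
        return (user, stored[1]) if hmac.compare_digest(stored[0], _pw_hash(password)) else None
    if scheme == "Bearer":                         # 2. token issued by the identity provider
        claims = verify_token(value, now)
        return (claims["sub"], set(claims.get("scope", "").split())) if claims else None
    api_key = headers.get("X-API-Key")
    if api_key:                                    # 3. per-client API key
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        for stored_digest, (client, scopes) in API_KEYS.items():
            if hmac.compare_digest(stored_digest, digest):
                return client, scopes
    return None


def authorize(headers: dict, required_scope: str, now: Optional[float] = None) -> int:
    """4. Access limitation: 401 if unauthenticated, 403 if the scope is missing, else 200."""
    identity = authenticate(headers, now)
    if identity is None:
        return 401
    return 200 if required_scope in identity[1] else 403
```

Two details carry the security weight. Every secret comparison goes through `hmac.compare_digest`, and an unknown user still pays for a PBKDF2 computation, so response timing does not reveal which usernames exist. The token check refuses any algorithm other than the one expected, verifies the signature over the exact header and payload bytes received, and only then reads claims, so editing the `scope` claim of a valid token invalidates it rather than escalating privilege.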

Auditing and Logging

Just as security teams monitor for abnormal user activity, they need to monitor traffic through their APIs. API request-and-response logs provide insight into API security as part of a multi-layered approach, and should track information such as:

  • Configurations, so that changes to authentication, rate-limiting or routing policy are recorded
  • Policy invocations, that is, which controls were evaluated for each request and with what result
  • Security check violation details, such as failed authentication, rejected tokens and blocked requests, with enough context (caller, source, endpoint, time) to investigate
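The Python example below is added here and is not code from the original article or from any product. It shows the kind of detection logic the purpose-built API tools described earlier apply to request-and-response data, and how the security check violation details listed above become alerts: three OWASP API Security Top 10 indicators (a burst of authentication failures, one caller walking many object IDs, and sensitive fields in a response) are evaluated over a constructed log, and each alert is emitted as a flat JSON record of the kind a SIEM ingests. The thresholds, window, field names, route pattern and rule names are assumptions a team would tune for its own APIs.

```python
"""Alerting on OWASP API Security Top 10 indicators from API request/response logs.

Added example; not code from the original article or from any product. The log
lines are constructed, and the thresholds, window, field names and rule names
are assumptions to tune per API.
"""
import json
import re
from collections import defaultdict, deque
from typing import Dict, List

WINDOW_SECONDS = 60          # sliding window for the rate-based rules
AUTH_FAIL_THRESHOLD = 5      # 401 responses to one source inside the window
ENUM_THRESHOLD = 5           # distinct object IDs read by one principal inside the window
SENSITIVE_FIELDS = {"password", "password_hash", "ssn", "card_number"}
OBJECT_PATH = re.compile(r"^/v1/users/(\d+)$")   # assumed object-level route

# Constructed log, one JSON object per line: ts (epoch seconds), src (client IP),
# principal (authenticated caller or null), method, path, status and resp_fields
# (top-level field names the API returned in the response body).
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 100 + i, "src": "203.0.113.7", "principal": None, "method": "POST",
                 "path": "/v1/login", "status": 401, "resp_fields": ["error"]}) for i in range(6)]
    + [json.dumps({"ts": 110 + i, "src": "198.51.100.4", "principal": "cust-1042", "method": "GET",
                   "path": f"/v1/users/{1042 + i}", "status": 200, "resp_fields": ["id", "email"]}) for i in range(6)]
    + [json.dumps({"ts": 120, "src": "192.0.2.9", "principal": "cust-77", "method": "GET",
                   "path": "/v1/users/77", "status": 200, "resp_fields": ["id", "email", "password_hash", "ssn"]}),
       json.dumps({"ts": 121, "src": "192.0.2.10", "principal": "cust-78", "method": "GET",
                   "path": "/v1/users/78", "status": 200, "resp_fields": ["id", "email"]})]
)


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _alert(rule: str, owasp: str, key: str, ev: dict, **extra) -> dict:
    return {"rule": rule, "owasp_api": owasp, "key": key, "ts": ev["ts"], "path": ev["path"], **extra}


def detect(events: List[dict]) -> List[dict]:
    """Run three indicator rules over time-ordered events; each rate rule fires once per key."""
    alerts: List[dict] = []
    fired = set()
    auth_fails: Dict[str, deque] = defaultdict(deque)   # src -> timestamps of 401s
    reads: Dict[str, deque] = defaultdict(deque)        # principal -> (ts, object id)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = ev["ts"]
        # API2 Broken Authentication indicator: burst of failed logins from one source.
        if ev["status"] == 401:
            q = auth_fails[ev["src"]]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:          # drop entries older than the window
                q.popleft()
            if len(q) >= AUTH_FAIL_THRESHOLD and ("auth", ev["src"]) not in fired:
                fired.add(("auth", ev["src"]))
                alerts.append(_alert("auth_failure_burst", "API2", ev["src"], ev, count=len(q)))
        # API1 Broken Object Level Authorization indicator: one caller walking many object IDs.
        m = OBJECT_PATH.match(ev["path"])
        if m and ev["status"] == 200 and ev["principal"]:
            q = reads[ev["principal"]]
            q.append((ts, m.group(1)))
            while ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()
            distinct = {oid for _, oid in q}
            if len(distinct) >= ENUM_THRESHOLD and ("enum", ev["principal"]) not in fired:
                fired.add(("enum", ev["principal"]))
                alerts.append(_alert("object_enumeration", "API1", ev["principal"], ev, count=len(distinct)))
        # API3 Excessive Data Exposure: sensitive fields present in the response body.
        leaked = sorted(SENSITIVE_FIELDS.intersection(ev.get("resp_fields", [])))
        if leaked:
            alerts.append(_alert("excessive_data_exposure", "API3", ev["principal"] or ev["src"], ev, fields=leaked))
    return alerts


def to_siem_records(alerts: List[dict]) -> List[str]:
    """One flat JSON document per alert, ready to forward to the SIEM."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for record in to_siem_records(detect(parse_log(SAMPLE_LOG))):
        print(record)
```

Run against the constructed log, the rules produce three alerts: the login brute-force fires on the fifth 401 from 203.0.113.7, the enumeration rule fires when cust-1042 has read five distinct user records inside a minute, and the exposure rule flags the response that carried `password_hash` and `ssn`. The first two rules suppress repeat alerts per key so a SIEM is not flooded; the exposure rule fires per response because each leak is evidence in its own right.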

Encryption

REST APIs run over HTTP, and HTTP on its own carries data in the clear; encryption in transit comes from running HTTP over Transport Layer Security (TLS), that is, HTTPS, which should be enforced for every API endpoint. This complements, rather than replaces, the encryption organizations apply to data at rest in their databases. At the API layer, risk can be mitigated with one-way TLS, where the client verifies the server’s certificate, or with mutual TLS (two-way TLS), where the server also requires and verifies a client certificate, so that only known clients can complete the handshake at all.

Dressing APIs for Security Success

APIs are a fundamental technology layer that organizations now need to secure. The proliferation of APIs connecting most applications, combined with the accelerated adoption of remote work, means that threat actors can and will use an API vulnerability for initial access or as part of lateral movement within a system or network.

Organizations are exposed, just as the emperor was in the cautionary folktale. API security provides the necessary coverage to reduce this exposure and mitigate risk. 


Andy Grolnick

As CEO of Graylog, Andy Grolnick drives the company strategy to help organizations and IT professionals solve security, compliance, operational, and DevOps issues. Andy brings over thirty years of experience building and leading high-growth technology businesses in enterprise software, security, and storage. He also currently serves on the boards of Resurface and ThreatX. Previously, Andy served as Chairman & CEO of LogRhythm for 14 years and VP/General Manager of Iomega’s Zip Drive division.
