A False Assumption of Trust in Business APIs

Digital business is driving significant growth and efficiency for companies, to the point of becoming a have and have-not differentiator for success and even survival. Unfortunately, the pressure to develop and deliver new revenue opportunities means that cybersecurity is always playing catch-up. Today, companies are opening up core parts of their business that were previously out of reach of bad actors. Not long ago, this was unthinkable: companies staunchly defended these resources and kept outsiders away from them. Now, using APIs, companies connect core business systems with partners, suppliers and customers. These connections let companies provide better or faster services, gain new levels of visibility and collaboration, and achieve greater efficiency and effectiveness. Economic, competitive and business imperatives outweigh the risks, at least as those risks are commonly understood, or, rather, misunderstood.

API Risks and Trust

This access, typically machine-to-machine interaction over business APIs, is granted carefully but on an assumption of trust. Used properly, these connections deliver productivity and growth. At the same time, they open the door to theft and fraud on a scale the business has not previously had to contend with. Many companies do not treat these risks as real, because this kind of fraud and misuse is relatively new and has not yet been knowingly experienced. As a result, current levels of trust are largely unexamined and rest on false assumptions.

The misplaced trust rests mainly on two faulty assumptions. First, because access to APIs is generally carefully managed, with evolving governance rules and industry-standard identity management, access controls and authentication, companies believe API usage will be limited to the legitimate, validated parties the business has prescribed. They believe these parties can be trusted and that their access is secured. Authentication, however, establishes only which credential is calling. It says nothing about whether that credential is still in the hands of the intended party, or whether that party is using it as intended.

Business APIs and Intended Purpose

Second, organizations believe that business APIs will only be used for their intended purpose and either cannot or will not be used in another way. Companies expect that an API designed to provide customer order status or shipping details could not possibly be used for something else, such as harvesting details about customers or placing fraudulent orders. Trust in an API's usage is based on a combination of its technical parameters and design (the belief that it can only be used in a certain way) and on the ethical integrity of the third party. Facebook's trust in Cambridge Analytica is a good example of unwarranted trust in the use of APIs: the API behaved as designed, and the data it returned was then shared and used in ways Facebook's platform policies did not permit.
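The order-status scenario above, worked through as an added example (this is illustrative code written for this page, not Neosec's or the author's, and not any real company's API). The partner names, API keys, order IDs and in-memory order store are all constructed. The first handler authenticates the partner and then serves any order it is asked for; the second looks the order up within the calling partner's own scope.

```python
"""Order-status lookup: a trusted-partner API with and without an
object-level authorization check. Added illustration; the partners,
keys, orders and data store below are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    partner_id: str        # the partner that placed the order
    customer_email: str
    status: str


# Constructed sample data standing in for a core order system.
ORDERS = {
    "ORD-1001": Order("ORD-1001", "partner-A", "alice@example.com", "shipped"),
    "ORD-1002": Order("ORD-1002", "partner-B", "bob@example.com", "processing"),
    "ORD-1003": Order("ORD-1003", "partner-B", "carol@example.com", "delivered"),
}

# Constructed API keys, as an API gateway might have issued them to partners.
API_KEYS = {"key-for-A": "partner-A", "key-for-B": "partner-B"}


def authenticate(api_key):
    """Return the partner behind a key, or None. Authentication says *who*
    is calling; it says nothing about *which orders* they may see."""
    return API_KEYS.get(api_key)


def order_status_trusting(api_key, order_id):
    """Flawed handler: once the caller is a known partner, any order ID is served.
    A partner (or anyone holding its key) can walk the ORD-#### space and
    collect every customer's details."""
    if authenticate(api_key) is None:
        return {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None:
        return {"error": "not found"}
    return {"order_id": order.order_id, "status": order.status, "customer": order.customer_email}


def order_status_scoped(api_key, order_id):
    """Hardened handler: the order is looked up *within* the caller's scope.
    Missing and foreign orders get the same answer, so the response does not
    confirm which IDs exist."""
    partner = authenticate(api_key)
    if partner is None:
        return {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None or order.partner_id != partner:
        return {"error": "not found"}
    return {"order_id": order.order_id, "status": order.status, "customer": order.customer_email}


def enumerate_orders(handler, api_key, first=1000, last=1010):
    """What an abusive caller does: sweep sequential IDs and keep the hits.
    Returns {order_id: customer_email} for every order the handler gave up."""
    hits = {}
    for n in range(first, last + 1):
        resp = handler(api_key, f"ORD-{n}")
        if "error" not in resp:
            hits[resp["order_id"]] = resp["customer"]
    return hits


if __name__ == "__main__":
    print("trusting:", enumerate_orders(order_status_trusting, "key-for-A"))
    print("scoped:  ", enumerate_orders(order_status_scoped, "key-for-A"))
```

Against the trusting handler, partner-A's key retrieves all three customers; against the scoped handler it retrieves only its own order. Note what the scoped check does not fix: partner-B can still sweep its own orders at any rate, and a stolen `key-for-B` is indistinguishable from partner-B. That residual exposure is why the rest of the article argues for watching behavior rather than relying on access control alone.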

The problem runs deeper. Most organizations know about only a portion of the APIs they have in use. Company departments and even individual employees can bring in new apps or agree to integrations between company applications and a third party, unbeknownst to IT security teams. Of the known APIs, only a fraction are understood in terms of what they do, who can use them, and what normal interactions or traffic look like. Documentation for business APIs often does not exist or is appallingly scant. APIs can change without warning through unannounced updates or revisions. One of the oldest security maxims is that one cannot secure what one cannot see, and this is certainly the case with API usage. Companies are unaware that many of their APIs exist, know even less about how they operate, and have no way to assess what happens inside them.

Known Business APIs are Largely Unmonitored

Even known business APIs are largely unmonitored and ungoverned, since companies lack visibility into them and have no means to assess behavior. Bad actors can use these APIs to abuse and manipulate core systems with a high rate of success, because an authenticated call that stays within the API's schema looks, to the gateway, exactly like legitimate use. Industry analysts widely expect business-to-business APIs (B2B APIs) to become a top security threat within a short period of time.

There is no putting the genie back in the bottle: APIs are here to stay, and for good reason. Security and compliance teams cannot cry wolf, or declare that the sky is falling, and hope to shut down their use. Instead, security can step up as a digital business enabler and manage the enormous potential risk by putting in place systems and procedures that discover and monitor all APIs, automatically assess the behavior within them, and respond to meaningful abnormalities. Digital business does require trust, but it does not have to be blind.
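One concrete form the "assess behaviors and respond to abnormalities" step can take, as an added example (written for this page; it is not Neosec's product, the author's code, or any vendor's detection logic). It learns a per-caller baseline from gateway access logs, then compares a recent window against it. The log line format, partner names, endpoints and the alert tolerance are assumptions, and the log lines are constructed inline: one partner starts calling an endpoint it never used before, another walks the order-ID space with mostly misses, and a credential with no history appears.

```python
"""Baseline-and-compare monitoring of per-caller API behaviour.

Added example, not Neosec's product or the author's code. The log line
format, partner names, endpoints and alert thresholds are assumed for
illustration; the log lines themselves are constructed inline."""
import re
from collections import defaultdict

# Assumed gateway log format: "<timestamp> <caller> <METHOD> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<caller>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Object identifiers embedded in paths; normalised so calls group by endpoint.
ID_RE = re.compile(r"/ORD-\d+")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["endpoint"] = rec["method"] + " " + ID_RE.sub("/{id}", rec["path"])
    ids = ID_RE.findall(rec["path"])
    rec["object_id"] = ids[0].lstrip("/") if ids else None
    return rec


def profile(lines):
    """Aggregate each caller's footprint: volume, distinct objects, endpoints, 404s."""
    stats = defaultdict(lambda: {"requests": 0, "objects": set(), "endpoints": set(), "not_found": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = stats[rec["caller"]]
        s["requests"] += 1
        s["endpoints"].add(rec["endpoint"])
        if rec["object_id"] is not None:
            s["objects"].add(rec["object_id"])
        if rec["status"] == "404":
            s["not_found"] += 1
    return stats


def findings(baseline_lines, window_lines, factor=5):
    """Compare a recent window with a learned baseline, per caller.

    Returns a list of (caller, reason) tuples. 'factor' is an assumed
    tolerance: a metric is flagged only when it exceeds factor x baseline."""
    base = profile(baseline_lines)
    cur = profile(window_lines)
    out = []
    for caller, c in cur.items():
        b = base.get(caller)
        if b is None:
            out.append((caller, "unknown caller: no baseline for this credential"))
            continue
        if len(c["objects"]) > factor * max(len(b["objects"]), 1):
            out.append((caller, f"object enumeration: {len(c['objects'])} distinct IDs "
                                f"vs {len(b['objects'])} in baseline"))
        if c["not_found"] > factor * max(b["not_found"], 1):
            out.append((caller, f"404 spike: {c['not_found']} not-found responses, "
                                "typical of ID guessing"))
        new = c["endpoints"] - b["endpoints"]
        if new:
            out.append((caller, "endpoint never seen before: " + ", ".join(sorted(new))))
    return out


# Constructed baseline: ordinary partner traffic, condensed.
BASELINE = [
    "2024-03-01T09:00:01Z partner-A GET /orders/ORD-1001 200",
    "2024-03-01T09:05:10Z partner-A GET /orders/ORD-1001 200",
    "2024-03-01T09:30:00Z partner-A GET /orders/ORD-1004 200",
    "2024-03-01T09:00:02Z partner-B GET /orders/ORD-1002 200",
    "2024-03-01T09:10:00Z partner-B GET /orders/ORD-1003 200",
    "2024-03-01T09:20:00Z partner-B GET /shipments/ORD-1003 200",
]

# Constructed window: partner-A calls a new endpoint, partner-B walks the ID
# space with mostly misses, and an unknown credential appears.
WINDOW = [
    "2024-03-08T09:00:01Z partner-A GET /orders/ORD-1001 200",
    "2024-03-08T09:02:00Z partner-A POST /orders 201",
] + [
    f"2024-03-08T10:00:{i:02d}Z partner-B GET /orders/ORD-{1000 + i} "
    + ("200" if 1000 + i in (1002, 1003) else "404")
    for i in range(30)
] + [
    "2024-03-08T11:00:00Z partner-C GET /orders/ORD-1002 200",
]

if __name__ == "__main__":
    for caller, reason in findings(BASELINE, WINDOW):
        print(f"{caller}: {reason}")
```

Every call in the window is authenticated and well-formed, which is exactly why an access-control layer alone lets them through; only the comparison against what each credential normally does surfaces the enumeration, the 404 spike and the first-time use of a write endpoint. In practice the baseline is learned per credential over a longer period, the tolerance is tuned per endpoint, and the "respond" step ranges from alerting to rate-limiting or suspending the key.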


Edward Roberts

Edward Roberts is the VP Marketing at Neosec. Prior to Neosec, Edward led marketing strategy for the application security portfolio at Imperva. Previously, he led marketing at two application security companies through acquisition including Distil Networks (acquired by Imperva) and Mykonos Software (acquired by Juniper Networks).
