Building Zero-Trust Into API Security

As APIs are increasingly used in app development, it should come as no surprise that threat actors have turned them into attack vectors. In fact, Gartner predicted that APIs would become the top attack vector in 2022, stating, “Unmanaged and unsecured APIs are easy targets for attacks, increasing vulnerability to security and privacy incidents.”

Other studies verified that the growing popularity of APIs is correlated with not only greater security risks but risks that are more difficult to mitigate. A Forrester report pointed out that traditional perimeter security cannot stop API attacks.

The solution to the API security problem, many believe, lies in a zero-trust approach; in fact, any zero-trust model needs to include protection of APIs to be successful.

The Relationship Between APIs and Zero-Trust

Zero-trust is a principled approach to removing assumptions of trustworthiness from any communication between any two resources (computers, a computer and a file, an app and a cloud, a user and an API, etc.).

“Zero-trust principles include dynamic authorization and authentication, monitoring security posture and changes, securing communications between resources and making access decisions that are granular and temporary. A zero-trust approach means doing this all the time to all the things,” said Sammy Migues, principal scientist at Synopsys Software Integrity Group.

Zero-trust requires all users to be authenticated, authorized and continuously validated for access to specific apps and data, explained Nick Rago, field CTO at Salt Security, in an email interview.

The problem in an API-first development world is that many of those apps and the data behind them are exposed through the use of an API.

“While the principles of zero-trust still apply to APIs and the infrastructure that serves them, APIs present some unique challenges,” said Rago. “Many API risks can’t be mitigated by zero-trust due to the fact that APIs require continuous access to function.”

This requires organizations to go beyond the typical zero-trust principles of authentication and authorization. Organizations must complement existing zero-trust efforts with API-specific security technologies and controls to adequately protect their API attack surface.

Building Zero-Trust in API Security Through Microsegmentation

API security is the result of good design, development, secrets management, authentication, authorization, traffic control and more, said Migues, which means that APIs are well suited to benefit from a zero-trust approach. But that doesn’t just happen. Zero-trust has to be built deliberately and carefully into API security solutions.

One way to do this is to extend the microsegmentation work that already underpins most zero-trust initiatives so that it covers APIs and the workloads that serve them.

“In today’s network, segmentation of servers and applications based on IP addresses and ports is simply insufficient,” explained John Yun, vice president, product strategy at ColorTokens, in an email interview. “The increased use of containers and microservices, not to mention the ephemeral nature of cloud services, requires flexible and granular levels of control.”

As Yun sees it, the challenge is understanding how to best expand the microsegmentation component of zero-trust to encompass APIs.

“Organizations cannot approach microsegmentation as a point product solution but rather a unified approach,” Yun said.

By adopting a unified microsegmentation approach, organizations can begin to move away from segmenting IP addresses and ports to segmenting applications and enforcing valid communications that encompass a wide range of environments from on-premises, hybrid and cloud as well as containers and microservices.

“With a unified microsegmentation approach or solution,” Yun added, “deployment details such as the need for agents or an agentless approach become a flexible choice driven by business needs, not a barrier and potential security gap.”
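The following is an added example, written for this page and not code from ColorTokens or any product the article mentions, that shows why a segmentation rule keyed on IP and port breaks for ephemeral workloads while a rule keyed on application identity does not. The workload identities are SPIFFE-style URIs and the `orders-api` service, namespaces and addresses are constructed for illustration; in a real deployment the identity would come from a verified mTLS peer certificate rather than a request field.

```python
"""Identity-based microsegmentation versus an IP/port allowlist.

Added example (not the article's or any vendor's code). Identities are
SPIFFE-style URIs and all names and addresses are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Request:
    src_ip: str          # address the packet arrived from
    src_identity: str    # workload identity (from mTLS peer cert in practice)
    dst_service: str     # logical application being called
    method: str          # HTTP method
    path: str            # request path


# Legacy rule: "the web tier subnet may reach the orders API port".
LEGACY_ALLOW = [
    (ipaddress.ip_network("10.0.1.0/24"), 8443),
]

# Identity rule: which workload may call which application, narrowed to
# the HTTP methods and path it actually needs (least privilege).
IDENTITY_ALLOW = [
    {"src": "spiffe://example.internal/ns/web/sa/frontend",
     "dst": "orders-api", "methods": {"GET", "POST"}, "prefix": "/v1/orders"},
    {"src": "spiffe://example.internal/ns/billing/sa/invoicer",
     "dst": "orders-api", "methods": {"GET"}, "prefix": "/v1/orders"},
]


def _path_under(path: str, prefix: str) -> bool:
    # Segment-aware prefix match: /v1/orders/42 matches, /v1/ordersx does not.
    return path == prefix or path.startswith(prefix + "/")


def legacy_allows(req: Request, dst_port: int) -> bool:
    """Decide purely on source address and destination port."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net and dst_port == port for net, port in LEGACY_ALLOW)


def identity_allows(req: Request) -> bool:
    """Decide on who is calling, what they call, and how."""
    return any(
        rule["src"] == req.src_identity
        and rule["dst"] == req.dst_service
        and req.method in rule["methods"]
        and _path_under(req.path, rule["prefix"])
        for rule in IDENTITY_ALLOW
    )


def evaluate(req: Request, dst_port: int) -> dict:
    return {"legacy": legacy_allows(req, dst_port),
            "identity": identity_allows(req)}


FRONTEND = "spiffe://example.internal/ns/web/sa/frontend"
INVOICER = "spiffe://example.internal/ns/billing/sa/invoicer"
UNKNOWN = "spiffe://example.internal/ns/web/sa/debug-shell"  # constructed


def scenarios() -> dict:
    """Four constructed calls that separate the two policy models."""
    return {
        # frontend pod rescheduled onto another subnet: legacy rule breaks
        "rescheduled_frontend": evaluate(
            Request("10.0.2.7", FRONTEND, "orders-api", "GET", "/v1/orders/42"), 8443),
        # neighbour in the trusted subnet with no business calling the API
        "neighbour_delete": evaluate(
            Request("10.0.1.9", UNKNOWN, "orders-api", "DELETE", "/v1/orders/42"), 8443),
        # billing identity trying a method it was never granted
        "invoicer_post": evaluate(
            Request("10.0.1.5", INVOICER, "orders-api", "POST", "/v1/orders"), 8443),
        # the intended call
        "frontend_post": evaluate(
            Request("10.0.1.5", FRONTEND, "orders-api", "POST", "/v1/orders"), 8443),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22} legacy={verdict['legacy']!s:5} identity={verdict['identity']}")
```

The first scenario is the operational failure Yun describes: the IP rule either blocks a legitimate pod after a reschedule or gets widened until it no longer segments anything. The second and third are the security failures: a subnet rule cannot distinguish the frontend from a compromised neighbour, and it cannot limit a caller to the methods it needs.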

Transitioning API Security to Zero-Trust Models

To apply zero-trust principles to APIs, organizations must first conduct a complete inventory of their APIs.

“If you don’t know the API or endpoint exists, its purpose, the type of data it handles or its existing security posture, you can’t apply the necessary security controls to it. This lack of visibility or governance opens the doors to breaches,” said Rago.

Once the inventory is complete, organizations should enable API runtime protection that continually validates an authorized user’s access to, and behavior against, API resources.

“Because many API attacks use the API as it was designed but abuse its functionality, runtime protection should be implemented alongside any zero-trust strategy. Bad actors know that if they can obtain an authorized user’s keys or credentials, they can exfiltrate valuable data,” Rago said.
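To make the inventory-then-runtime-protection sequence concrete, here is an added example written for this page; it is not Salt Security’s code or any product’s logic. It models one inventoried endpoint, `GET /accounts/{id}`, and layers authentication, scope checks, object-level authorization and a behavioral check on top of it, so that a stolen but valid token that sweeps account IDs is revoked even though every individual request is well-formed. The session store, account data and the threshold of ten distinct objects per sixty seconds are constructed assumptions.

```python
"""Runtime protection for an inventoried API endpoint.

Added example (not the article's or any vendor's code). Tokens, accounts
and thresholds are constructed; a real service would verify a JWT or call
an introspection endpoint instead of reading SESSIONS.
"""
from collections import defaultdict, deque

# Constructed session store: token -> (principal, granted scopes).
SESSIONS = {
    "tok-alice": ("alice", {"accounts:read"}),
    "tok-bob": ("bob", {"accounts:read"}),
}

# Constructed data store; ownership is what object-level authz checks.
ACCOUNTS = {
    str(i): {"owner": "alice" if i % 2 else "bob", "balance": i * 10}
    for i in range(1, 41)
}


class BehaviorMonitor:
    """Flags a principal that touches more distinct object IDs inside a
    sliding window than a legitimate client would: the signature of
    enumeration or bulk exfiltration with a valid credential."""

    def __init__(self, max_distinct: int, window_s: float):
        self.max_distinct = max_distinct
        self.window_s = window_s
        self.seen = defaultdict(deque)  # principal -> deque of (ts, object_id)

    def record(self, principal: str, object_id: str, now: float) -> bool:
        q = self.seen[principal]
        q.append((now, object_id))
        while q and now - q[0][0] > self.window_s:
            q.popleft()
        return len({oid for _, oid in q}) > self.max_distinct


class ApiGateway:
    def __init__(self, monitor: BehaviorMonitor):
        self.monitor = monitor
        self.blocked = set()  # principals whose sessions were revoked

    def get_account(self, token: str, account_id: str, now: float):
        # 1. Authenticate the caller.
        sess = SESSIONS.get(token)
        if sess is None:
            return 401, "invalid token"
        principal, scopes = sess
        if principal in self.blocked:
            return 403, "session revoked by runtime protection"
        # 2. Coarse authorization: does the credential carry the scope?
        if "accounts:read" not in scopes:
            return 403, "missing scope"
        # 3. Behavioral check, recorded for denied attempts too, so that
        #    probing other users' IDs counts toward the threshold.
        if self.monitor.record(principal, account_id, now):
            self.blocked.add(principal)
            return 429, "anomalous access pattern; session revoked"
        # 4. Object-level authorization: the caller must own the object.
        acct = ACCOUNTS.get(account_id)
        if acct is None or acct["owner"] != principal:
            return 404, "not found"  # do not reveal that the ID exists
        return 200, acct


def run_sweep(gateway: ApiGateway, token: str, ids, start: float, step: float):
    """Replay a burst of requests and return the status code per request."""
    return [gateway.get_account(token, oid, start + i * step)[0]
            for i, oid in enumerate(ids)]


if __name__ == "__main__":
    gw = ApiGateway(BehaviorMonitor(max_distinct=10, window_s=60))
    # Normal use: alice reads her own account.
    print(gw.get_account("tok-alice", "1", 0.0))
    # Stolen token: 40 IDs in two seconds, each request individually valid.
    print(run_sweep(gw, "tok-alice", [str(i) for i in range(1, 41)], 100.0, 0.05))
```

The first ten IDs in the sweep pass the behavioral check and are answered as object-level authorization dictates (200 for alice’s accounts, 404 for bob’s); the eleventh distinct ID trips the monitor, the session is revoked, and everything after it is refused. Authentication and authorization alone would have returned the twenty accounts alice legitimately owns.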

Effective API security is the result of good design, development, secrets management, authentication, authorization, traffic control and more, and a zero-trust approach complements all of them. It provides valuable coverage for a fast-growing attack vector and offers protection where traditional perimeter security falls short.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.