Zero trust in APIs in a connected business world

In the digital economy, where data streams and customer centricity determine the business processes of companies, APIs occupy a crucial position. They provide access to relevant data, systems and software components. However, this also makes them an interesting target for hackers. Time for zero trust in APIs.

Hackers try to steal data such as names, account numbers, email and physical addresses by attacking APIs and API traffic. However, securing APIs and integrating them into a Zero Trust strategy presents, by the very nature of APIs, a number of challenges for organizations and requires them to rethink their approach to security.

Hackers like to attack APIs

"It's amazing how many drivers, even in Formula 1, think that the brakes are there to slow the car down." With this quip, racing driver Mario Andretti once pointed out that brakes, beyond their obvious purpose, are also there to control the attitude and weight distribution of the car and thus optimize cornering. Similarly, enforcing IT security policies should ideally refine the underlying processes rather than making them more complicated and thus more frustrating for users.

There are APIs wherever the user journey needs to be accelerated, simplified or improved: for example, to make credit card payments in digital ordering processes, or to carry out remote maintenance and device updates. In principle, security should be "on board" from the outset in application scenarios like these, but in reality hackers repeatedly misuse APIs for their own purposes. Time and again, this happens because of inadequate authentication and authorization processes.

APIs without authentication in use

For example, last spring, Salt Security's API security experts discovered an API at John Deere, a company known for its tractors, among other things, that hackers could call to determine whether a certain username was in use. The experts automated a query routine that allowed them to determine within two minutes which of the Fortune 1000 companies had John Deere accounts because the API didn't require authentication or limit the number of queries. Around 20 percent of the companies had an account.

Another API endpoint made it possible to submit a vehicle identification number (VIN) and retrieve a large amount of metadata about the device, its owner and its location. VINs are easy to obtain from public auction sites. Although this API required authentication, it did not properly authorize the senders of the requests.

Zero trust along the API lifecycle

Evidently, "security by design" as the basis for data protection in IT is difficult to implement for APIs. One reason is that API development is driven primarily by business requirements and is organizationally decoupled from IT security processes. Different actors within a company develop and provide the APIs they need for their own purposes, or adopt interfaces from other companies. The assumption that these APIs sit within the network infrastructure, and therefore within the security perimeter around it, gives users a false sense of security. In practice, that perimeter is usually not enough to protect the data streams that flow through APIs, both outside and inside a company.

Internal traffic in particular requires its own security measures, because not every request that originates from your own infrastructure is automatically authorized. To control requests effectively and efficiently, security technologies must also take people, processes and access patterns into account. And the principle always applies: trust is good, control is better. Zero Trust therefore requires that every device and connection authenticate itself each time it is contacted in order to obtain authorized access. For this to work reliably with APIs as well, security measures are needed along the entire life cycle of the interface. To prevent APIs from becoming security vulnerabilities, companies should follow five basic rules:

  • End-to-end authentication and authorization: The associated checks must not take place only at the API or the gateway. They have to be repeated in the underlying applications.
  • Leverage Continuous Integration/Continuous Delivery processes: Developers should check how they can integrate security guidelines into their production cycles and which validation steps they can automate with CI/CD along the way.
  • Implement automated security measures: Security operations teams should ensure that data exchanged in API communication is protected throughout transmission, both within the infrastructure and with other systems. To do this, the processes should enforce policies automatically, for example to protect data from unauthorized access wherever it is located.
  • Capture everything centrally: To dovetail IT security and application development more closely, it is essential to log and analyze all processes and, where necessary, check them for risks. The appropriate place for this is a central repository in which those responsible can trace all processes at any time.
  • Cooperation with IT security: API development teams need to work with IT security officers. Together they can determine how effective the existing measures are against possible API security problems and expand them if necessary. They should also run through various data loss scenarios and develop an emergency plan. Under all circumstances, shadow APIs that only the departments using them know about must be avoided.
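The two John Deere failures above (an unauthenticated, unlimited username check and an authenticated but unauthorized VIN lookup) and the first rule (authorization re-checked inside the service, not only at the gateway) in one minimal in-memory model. This is an added example, not code from the article or from any Axway product; the tokens, VINs and account names are constructed sample data.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample data (not real accounts, tokens or vehicles).
SESSIONS = {"tok-alice": "farm-alice", "tok-bob": "farm-bob"}  # bearer token -> principal
VEHICLE_OWNER = {"VIN-SAMPLE-001": "farm-alice", "VIN-SAMPLE-002": "farm-bob"}
VEHICLE_META = {"VIN-SAMPLE-001": {"model": "T1", "location": "field A"},
                "VIN-SAMPLE-002": {"model": "T2", "location": "field B"}}


def vulnerable_vehicle_lookup(token: str, vin: str) -> Optional[dict]:
    """The second pattern from the article: the caller is authenticated, but
    any valid session can read any VIN's metadata (no object-level check)."""
    if token not in SESSIONS:
        return None
    return VEHICLE_META.get(vin)


def hardened_vehicle_lookup(token: str, vin: str) -> Optional[dict]:
    """Authenticate, then authorize per object: the principal must own the VIN.
    Unknown and foreign VINs both return None, so the response does not reveal
    whether a VIN exists. The check lives in the service itself, not only at
    the gateway (rule 1 above)."""
    principal = SESSIONS.get(token)
    if principal is None or VEHICLE_OWNER.get(vin) != principal:
        return None
    return VEHICLE_META[vin]


class RateLimiter:
    """Fixed-window request counter per client. The first pattern above
    (enumerating accounts in two minutes) relied on the absence of a limit."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, client: str) -> bool:
        self.counts[client] += 1
        return self.counts[client] <= self.limit


def hardened_username_check(limiter: RateLimiter, token: str, username: str) -> Optional[bool]:
    """Existence check that requires a session and is rate-limited per principal.
    None means the request was rejected (unauthenticated or over the limit)
    rather than answered; only accepted requests consume quota."""
    principal = SESSIONS.get(token)
    if principal is None or not limiter.allow(principal):
        return None
    return username in SESSIONS.values()
```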

Create transparency and exercise control

Security and data exchange can be at odds, and this applies to APIs in particular: on the one hand, companies use them to open up processes and structures, simplify processes for users and expand their business model; on the other hand, they must not lose control of the data traffic at this point. Reconciling the two requires transparency: everyone involved must know, and reliably manage, all the APIs they use.

API gateways can help them to automatically discover all APIs in the company and apply security policies to them. An effective API management solution monitors who is using which APIs and alerts those responsible to any unusual or suspicious behavior that could indicate an unauthorized party at work. The departments concerned are involved in security as well. Combined with centralized API governance, organizations can embed security throughout an API's lifecycle and secure it against unauthorized tampering with its communication without compromising the user experience.

More at Axway.com

About Axway

Axway brings new momentum to existing IT infrastructures, helping more than 11,000 customers worldwide to build on what they already have and achieve digitization, new business opportunities and growth. The Amplify API Management Platform is the only open, independent platform for managing and governing APIs across teams, hybrid cloud and external solutions.
