Why the future of APIs must include zero trust
Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
It’s the digital pandemic no one is talking about because it’s challenging to quantify, contain and can defeat the best current cybersecurity defenses enterprise have. API attacks rose 681% in the past 12 months, compared to a 321% increase in overall API traffic. Malicious API calls rose from a monthly per-customer average of 2.73 million in December 2020 to 21.32 million in December 2021, according to Salt’s State of API Security Q1, 2022 Report. Salt’s customers have Web Application Firewalls, and nearly all, have API gateways and API attacks are bypassing these controls.
The meteoric rise of API attacks is also stifling innovation. For example, 62% of enterprises admit to having delayed new product introductions and application rollouts because of API security concerns. In addition, 95% of devops leaders and teams say they have suffered an API security incident in the last twelve months. One in three devops organizations says their companies lack any API security strategy, despite running APIs in production. According to Gartner, API breach growth will accelerate and double by 2024. Client inquiry volume related to APIs increased steadily from 2019 to 2021, at an average increase of 33% year over year.
Getting API sprawl under control
Devops leaders are pressured to deliver digital transformation projects on time and under budget while developing and fine-tuning APIs at the same time. Unfortunately, API management and security are an afterthought when the devops teams rush to finish projects on deadline. As a result, API sprawl happens fast, multiplying when all devops teams in an enterprise don’t have the API Management tools and security they need.
More devops teams require a solid, scalable methodology to limit API sprawl and provide the least privileged access to them. In addition, devops teams need to move API management to a zero-trust framework to help reduce the skyrocketing number of breaches happening today.
The recent webinar sponsored by Cequence Security and Forrester, Six Stages Required for API Protection, hosted by Ameya Talwalkar, founder and CEO and guest speaker Sandy Carielli, Principal Analyst at Forrester, provide valuable insights into how devops teams can protect APIs. In addition, their discussion highlights how devops teams can improve API management and security.
“In the largest organizations, you’re dealing with hundreds of applications with APIs that expand and soon you’re dealing with tens of thousands or hundreds of thousands of APIs. So, the management and tracking of them become much harder and you still need all these different pieces to protect them,” Sandy Carielli, principal analyst at Forrester, said during the webinar.
Cequence Security’s approach to solving the challenges of API protection starts with Discovery or identifying all public-facing APIs first and progresses to inventory, compliance, detection, prevention and detection.
“I will tell you that when I first started getting calls about API security, you know what question number one almost always was, or problem number one always was was that discovery piece,” Sandy Carielli, principal analyst at Forrester said during the webinar.
Inferred from the webinar is the need for APIs to be managed as the vulnerable, unprotected open threat surfaces they are. Cybercriminals know how unprotected APIs are, sending the attack rates into triple-digit growth rates. APIs need to be managed using a zero-trust framework.
API threat surfaces need zero trust
API breaches at Capital One, JustDial, Venmo, Panera Bread, T-Mobile, the United States Postal Service and others illustrate that thousands of APIs are left unprotected and are one of cybercriminals’ favorite attack surfaces. APIs need the least privileged access and be managed using a more microsegmentation-based approach. These two elements of zero trust combined with an Identity and Access Management (IAM) framework to organize APIs will reduce the number of rogue and lost APIs all enterprises are having trouble tracking today. Additionally, applying least privilege, microsegmentation and IAM will reduce the number of endpoints used for internal tests left open that can access APIs.
API lifecycles need to be built on zero trust
Security doesn’t need to be a constraint on devops anymore. Having zero trust engrained into API lifecycles starts by not trusting client-supplied data and having a default deny process to remove all implicit trust. Devops leaders need to build authentication into every phase of API lifecycles. The goal needs to be to design explicit trust into every API development and deployment project or initiative.
Getting API governance right with zero trust
Devops leaders and their teams need help balancing their businesses’ ever-increasing needs for APIs to support new digital transformation projects versus the need to stay in compliance. Given the pressure to produce APIs so fast, devops teams accelerate business benefits first and attempt to catch up on compliance, security and privacy as development schedules allow. There has to be a shift to API-level trust, with security context defined for each type of API produced.
Strengthening CI/CD and SDLC with zero trust
Attacks on source code supply chains clarify that zero trust must be core to continuous integration/continuous delivery (CI/CD) and SDLC devops frameworks and processes. SolarWinds-level attacks that successfully change core executables of an application and then infect an entire supply chain are making zero trust an urgent issue for devops teams to deal with today. Security stops being a roadblock to getting code out when it’s designed into the SDLC. SDLC cycles would also run faster because security would cease to be a bolt-on process pushed to the end of a project, improving governance simultaneously.
API security is too important to be a bolt-on
Devops team leaders rush through release cycles for their APIs to get large-scale digital transformation projects out, often seeing security as a roadblock to getting work done. Security checks and audits on APIs aren’t often finished, only completed at the cursory level. Everyone on the devops teams is pressured to meet or beat code release dates. API security becomes the bolt-on process no one has the time to deal with, contributing to API sprawl.
When zero trust becomes a design goal for APIs and devops processes, security gets designed and strengthened throughout the SDLC. In addition, IAM and microsegmentation will drastically improve inventory accuracy, reducing the threat of rogue or forgotten APIs bringing an entire platform or company down with a cyberattack.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.