Securing APIs with zero trust

Karl Mattson, Group CISO at Noname Security, outlines why a zero trust approach is essential to mitigate the threat of unsecured APIs.

With the move to hybrid working, the rapid adoption of cloud, increased use of mobile and IoT devices, combined with the ongoing drive to modernise and transform IT operations, the attack surface of every organisation has expanded, and continues to expand.

Traditional boundaries have been blurred between businesses, suppliers, partners, customers, workers, and even home-life, with this ecosystem continuing to grow. Here, APIs are providing the connective tissue for modern applications and legacy infrastructure to co-exist.

However, this means that the API attack surface is also rapidly expanding. A 2023 Gartner report signalled that 50% of enterprise APIs will be unmanaged by 2025, leading to significant gaps in visibility – and security – of active, legacy, shadow, and dormant APIs. As a result, Gartner has also predicted that more than 50% of data theft will be due to unsecured APIs by next year.

Therefore, the security technologies organisations employ must reflect this complex threat landscape by bringing all security functionalities together through a single pane of glass, helping to proactively protect businesses from API attacks.

Organisations must also look to close any security gaps quickly and secure their APIs throughout every phase of the software development lifecycle (SDLC). To achieve this level of control, particularly around APIs, many organisations have started to adopt a Zero Trust approach to API security.

Eliminating implicit trust

For those less familiar, Zero Trust has emerged as the framework of choice for organisations establishing a set of more robust security controls. Organisations that adopt Zero Trust principles assume every connection, device, and user is a potential cybersecurity threat. By eliminating implicit trust, the Zero Trust model advocates for a security approach in which nobody and no asset is inherently deemed safe, regardless of role or responsibility.

This approach is essential for organisations relying on APIs to exchange data and services with partners and customers. A Zero Trust strategy ensures that those API interactions are secure, even when the devices and users involved are not known or trusted.

The Zero Trust mantra of “never trust, always verify” works on the principle of least privilege. This means that users are only given the absolute bare minimum permissions needed to perform their function, and if any additional permissions are needed, they are provided for the shortest amount of time possible. The other key principle is explicit verification. Authorisation should be undertaken with the greatest number of data points available, and in a zero trust system no permissions are granted on the basis of trust.

APIs inherently trust by design

Zero trust security offers a new way of securing access and IT leaders are embracing it. In a recent study, organisations with a mature zero trust implementation scored 30% higher in security resiliency than organisations without a zero trust strategy.

However, with APIs facilitating the transmission of data and services within a ‘trust by design’ framework, they could expose the inner workings of an organisation to bad actors. Likewise, they enable access to other applications and data that puts the organisation at risk, particularly around data theft, denial of service (DoS) and ransomware attacks.

Only 40% of security professionals have API visibility

Unfortunately, many organisations do not have a full inventory of APIs and comprehensive visibility into which return sensitive data – a significant risk to organisational security. Our recent API Security Disconnect research showed that while nearly three-quarters (72%) of cybersecurity professionals have full API inventories, only 40% have visibility into which return sensitive data. This is one of the key reasons they need a dedicated discovery solution to accurately catalogue and monitor the APIs they have.

Outside of having full visibility, combating the daily onslaught of attacks is a complex task. Each API has multiple functions, with each communicating with numerous applications and data sets – as well as a myriad of internal applications that utilise several of their own internal microservices. Gartner suggests that, through 2025, 70% of organisations will deploy specialised runtime protection only for public-facing APIs, leaving others unmonitored and lacking protection.

This is where zero trust policies allow applications, via their APIs, to communicate only with the other applications and data that are essential to them. By implementing least privilege access policies, integrating security testing into CI/CD processes and utilising discovery tools to reduce API sprawl, organisations will have a legitimate defence against malicious actors in pursuit of sensitive data.
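The least-privilege and explicit-verification principles described above, applied to a single API request, as an added example that is not part of the original article or any Noname Security product: the route scopes, caller allowlist and request fields are constructed assumptions, and every data point (credential expiry, device attestation, caller allowlist, per-scope expiry for temporary grants) must pass before the request is allowed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample policy: each route names the minimum scopes it requires.
ROUTE_SCOPES = {
    ("GET", "/v1/orders"): {"orders:read"},
    ("POST", "/v1/orders"): {"orders:write"},
    ("GET", "/v1/customers/pii"): {"customers:pii:read"},
}
# Constructed allowlist: which workloads may reach which routes at all.
CALLER_ROUTES = {
    "billing-svc": {("GET", "/v1/orders"), ("POST", "/v1/orders")},
    "crm-svc": {("GET", "/v1/orders"), ("GET", "/v1/customers/pii")},
}

@dataclass
class ApiRequest:
    caller: str            # authenticated identity (user or workload)
    method: str
    path: str
    scopes: dict           # scope -> expiry datetime, or None for a standing grant
    token_exp: datetime    # expiry of the presented short-lived credential
    device_attested: bool  # posture signal: has the client device been attested?

def authorize(req: ApiRequest, now: datetime) -> list:
    """Explicit verification: return every failed check; an empty list means allow."""
    failures = []
    if req.token_exp <= now:
        failures.append("credential expired")
    if not req.device_attested:
        failures.append("device not attested")
    route = (req.method, req.path)
    if route not in ROUTE_SCOPES:
        return failures + ["unknown route"]   # unmanaged or shadow endpoint: deny
    if route not in CALLER_ROUTES.get(req.caller, set()):
        failures.append("caller not allowed on route")
    for scope in ROUTE_SCOPES[route]:        # least privilege, checked per scope
        if scope not in req.scopes:
            failures.append(f"missing scope {scope}")
        elif req.scopes[scope] is not None and req.scopes[scope] <= now:
            failures.append(f"temporary scope {scope} expired")
    return failures

# Constructed sample requests: a valid 15-minute elevated grant, then the same grant after it lapsed.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
GOOD = ApiRequest("crm-svc", "GET", "/v1/customers/pii",
                  {"customers:pii:read": NOW + timedelta(minutes=15)}, NOW + timedelta(hours=1), True)
LAPSED = ApiRequest("crm-svc", "GET", "/v1/customers/pii",
                    {"customers:pii:read": NOW - timedelta(minutes=1)}, NOW + timedelta(hours=1), True)
```

Denying unknown routes outright is what turns an API inventory into an enforcement point: an endpoint that was never catalogued cannot be reached, rather than being reachable and unmonitored.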

Implementing an API security platform that integrates zero trust policies

To achieve this, organisations need an API security platform that integrates zero trust policies and can also:

  • Leverage AI to autonomously evaluate API activity to identify anomalous or high-risk security events and adapt responses accordingly.
  • Be contextually aware to identify and assess risk, and enable rapid remediation.
  • Provide tools, capabilities, and technologies to support the zero trust approach to security and integrate with the existing security stack and tools.
  • Support a modern and flexible deployment without sacrificing reliability and resilience.
  • Integrate with the SDLC for APIs to prevent new vulnerabilities being pushed into production.
  • Test APIs with context to find business logic flaws, and provide blocking capabilities.

Taking an innovative approach to API security

Proactively responding to today’s expanding attack surface requires a purpose-built and innovative approach to API security. Organisations need to seek out zero trust API security solutions that provide comprehensive API security with automated detection, analysis, testing and remediation.

Zero trust API security provides a proactive and robust approach to safeguarding APIs against potential vulnerabilities and unauthorised access. By treating every API request as untrusted, it significantly reduces the risk of potential data breaches, protecting sensitive information. This gives organisations the confidence that they have measures in place to plug the security gaps that APIs can create in an organisation’s security posture.
