APIs have become the basic building block of business. It’s how companies share data with partners and engage their customers, and it’s the foundational element for any corporation undergoing digital transformation.
APIs have become the critical component for exchanging data between all types of entities.
- Business partners
- Other services/APIs
- Smart devices/things
APIs provide the intercommunication layer to exchange the sensitive data that drives business, and they have become so critical to our digital infrastructure that governments domestic and abroad are disrupting the status quo to force their usage across industries.
- The financial industry: OpenBanking/PSD2
- Utilities: OpenUtil
- Telecommunications: TM OpenAPI Initiative
In addition, APIs provide the communication layer between the applications, microservices, and functions that your developers are creating.
The Importance of API Security
With all that sensitive and regulated data passing through APIs to interconnect the digital entities that consume your services – both inside and outside your hybrid-cloud perimeters – one could rightfully assume that API security is of the utmost concern.
API breaches have become the hallmark of 2018 security breaches, and Gartner predicts they’ll become the number one application attack vector by 2021. This is partially due to the dissolving perimeter (unfettered access to your APIs and services) and partially due to a massive increase in API usage inside and outside the business. If you believe your API gateway or OAuth-based IDP is giving you API security…. think again. API gateways were designed as API management tools — critical components of infrastructure that manage the lifecycle of APIs and provide only a modicum of security through features like rate limiting or traffic routing rules.
API Security Gaps
Here at Cloudentity, we wanted to give you a quick synopsis of the security gaps in your API gateway.
What APIs is the organization exposing? What clients are requesting them? How are those clients authenticated? What data is being served? These are critical questions that most CISOs don’t have insight into.
API gateways only look at incoming requests and miss most of the OWASP top 10 threats. Analysis is only performed on the incoming transaction — there is no inspection of the API service response, leaving gaping security holes for data exfiltration.
Policies and developer portals allow the sharing of credentials (OAuth tokens, API keys, etc.) instead of requiring every instance of every service to authenticate.
Authentication and Account Takeover (ATO) Attacks
Multi-factor authentication (MFA) is no longer enough. Man-in-the-middle attacks have automated ATO for both password- and MFA-protected accounts. Visibility, fully authenticated Zero Trust Ecosystems, and intelligent authentication/authorization protect against bots, man-in-the-middle attacks, and other threats.
Distributed Denial-of-Service (DDOS) Attacks
DOS attacks don’t necessarily have to leverage huge numbers of bots or clients. They can be as simple as locking out accounts through invalid authentication attempts or requesting high processing time transactions. Ensuring an API’s requestor is allowed to make the request before the request is processed is key to protecting against DDOS attacks.
Multi-Step Transactional Awareness
Applications are no longer written as giant monolithic java/.net behemoths sitting in a singular datacenter behind a defined perimeter. They are crafted as functions, microservices, and external services across multiple clouds, and they use APIs to intercommunicate. The typical perimeter-based approach to security is no longer valid.
60 percent of web traffic is bot generated, and that number is growing. Bots are scraping data, compromising accounts, and wreaking havoc inside and outside of the perimeter. The problem is that some bots are good and some are malicious. You need to determine the differences between those two and provide an effective policy to stop bad bots while properly authenticating and authorizing the good bots.
Authorization might be the most broken facet in cybersecurity. It’s very brittle and managed at dozens of locations in an enterprise — the firewall, load balancer, IAM, MDM, API GW, and in the application. You need to singularize its location and provide the governance on what policies are in place and where.
An audit in the security realm means digitally signed logs at every step of the transaction outside of the application itself. In more literal terms, that means creating an audit at each step of your hybrid cloud and microservices infrastructure with details of who, what, where, why, and when.
Invest in Security with Cloudentity’s API MicroPerimeter™
Cloudentity is proud to announce the release of the API MicroPerimeter. It signals a fundamental change in the way the industry secures all types of APIs – public, private, and anonymous – through the power of entity identity and risk-based, adaptive authentication/authorization.
What Is API Security?
What APIs are being used and what services are consuming them? Choose an Authentication/TLS-Secret Key assignment that defines how the APIs and services (users, services, things) consuming them are being Authenticated (mTLS, HMAC, OAUTH, service fingerprint). In addition, each instance of a requestor service needs its own authentication key to build the zero-trust ecosystem.
Are the APIs being accessed as defined in the API contract? Avoiding parameter stuffing, OWASP top tens, etc.?
What data types are in the API request and response?
Authorization level 1. Zero-Trust Network: Whitelisting/micro-segmentation.
Authorization level 2. Add zero-trust requestor and zero-trust devices including known risk context (RBAC/RADAC).
Authorization level 3. PII data subscription, including what PII data the service/microservice can access (PBAC).
Authorization level 4. Requestor consent/permissions: Know the permissions/consent the requestor has granted to the API/service/microservice.
Choose a digitally signed audit that is captured and published out-of-band.
Explore a graphical interface used to display the prior 9 points.
ML for behavioral profiling of client API usage, comparison of classification types to Authorization levels, etc.
API Security Terms
Now, let’s unpack a few terms.
Identity isn’t just for partners/consumers/employees anymore. In a cloud-hybrid world, the identity of machines, services, things, and even data must all become part of the identity ecosystem. These entities are the elements within a typical transaction.
For example, take a typical transaction of accessing Facebook from your mobile app. The transaction is a service making a request on behalf of a user, utilizing a smart device over an API. Each of these entities requires its own identity, and each entity must conform to the four As of identity: attestation, authentication, authorization, and audit.
Intelligent Authentication & Authorization
Authentication and authorization (Auth) has been broken for the past few decades. Auth is managed everywhere — at the firewall, the load balancers, the API gateway, the IAM platform, and the application itself. None of these platforms communicate with the others, so a unified view of Auth on an entity basis is impossible. Auth is also very brittle, with only a binary option of yes/no at the time of execution.
Cloudentity sought to fix Auth by abandoning the overly regimented authentication/authorization executions of yesteryear and bringing them into the modern next generation access control (NGAC) era. In this realm, Auth becomes intelligent and distributed, with non-binary authorization responses that can mitigate transactional risk during the transaction, and distributed policy decisions made at the service/API/microservice itself.
API Security for Developers
Developers are building APIs for internal- and external-facing applications as they quickly roll out new services. OWASP provides detailed guides for building foundational security within your API-centric app that require investing hundreds of hours into the application development process for identity- and security-related features. Cloudentity’s MicroPerimeter for APIs, containers, and Kubernetes abstracts those responsibilities from the developer, leading to a 30 percent reduction in code required, an externalization of security from the application, and faster time to market.
API Security for DevOps
DevOps is all about speed and agility, and on the tip of every DevOps engineer’s tongue is a question or suggestion on how to add security into that increased velocity. Cloudentity adds the shift left capabilities engineers require to bring security to the forefront of the CI/CD process.
Cloudentity’s MicroPerimeter drastically reduces the work required by the DevOps team as they move applications into containers, serverless functions, Kuberenetes, and service meshes. Cloudentity creates a low-latency security plane for intra-service communication, inspecting and applying intelligent security policies that resolve the complexities of API security, micro-segmentation, service identity, dynamic authorization, and customer permissions/consent, all by inserting two lines into the services YAML file.
API Security for Security Practitioners
Zero trust is the calling card for security practitioners with a myriad of companies claiming they can do zero trust for users, zero trust for devices, zero trust for networks, and zero trust for data. Cloudentity takes the security tools you’re currently using and integrates them into our distributed intelligent authorization engine, utilizing the Gartner-based continuous adaptive risk and threat assessment (CARTA) to create a zero-trust ecosystem.
Risk and trust become the determining factor for authorization based on what’s present in the transaction: user, service, thing, data. This creates the visibility of East/West intra-service traffic and in-depth defense for APIs, microservices, and functions in a singular place, with default adherence to corporate security policies through the CI/CD process.
API Security for Identity and Access Management (IAM)
APIs must be at the center of your identity strategy. All the common identity protocols – OIDC, Oauth, and SCIM – are APIs, and every one of them requires not just security, but also the usage of entity identity within the transaction.
Interested in investing in API security? Contact Cloudentity, and let us show you how easy it can be.