#HowTo: Effectively Manage and Secure APIs

From booking flights to ordering a takeaway from a delivery app, most of today's on-demand services we rely on are driven by application programming interfaces (APIs). They’re the invisible connective tissue between applications and data sources, giving us greater and more convenient access to digital services.

APIs are essential to modern IT innovation and digital transformation – already 70% of web traffic is web APIs. Unfortunately, wherever consumers go, hackers are never far behind. Gartner predicted that by 2022, APIs would be the most frequently attacked enterprise web application vector. But why are APIs such a target for cyber-criminals? And how can enterprises protect themselves against the coming onslaught? 

Why are APIs a Prime Target for Hackers?

One of the most powerful – and therefore risky – characteristics of APIs is that they often exchange data, some sensitive, as part of a service. Therefore, it can become a vector for data exfiltration as they are, in effect, a highway straight to an organization’s most valuable information. For many businesses, APIs can become under-protected risk surfaces, exposing data to application-level attacks against which conventional security defenses are not very effective.

The problem is, without knowing what data the API is accessing, how it’s been accessed or who is accessing it, organizations are woefully unprepared for the wave of data breaches that will result from misconfigured and vulnerable APIs in the next 12 to 24 months. Therefore, API security has grown beyond an application security issue – it is now inherently a data security threat. To put it into context, the last few years have seen dozens of high-profile data breaches originating from API security-related incidents, resulting in data leakage, data scraping, access exposure, illicit end-user tracking, account takeover and more. 

 This problem has been exacerbated by the phenomenal growth in the number of APIs being used, dramatically increasing the strain being put on security teams. The average enterprise now has thousands of APIs to inventory and manage. Yet, most don’t have the capacity to monitor and defend all these pathways from the external world to their critical customer data and applications. At the same time, implementing API security creates friction for development teams as it requires changes to development, which can slow the pace of innovation. 

In addition, many of today’s existing API discovery efforts are narrowly focused on monitoring the endpoint, but that’s not enough to stop the volume of breaches that will grow due to misconfigured or vulnerable APIs. Instead, organizations need to look deeper – into the payload and the data the API is accessing. By taking a data-centric approach, organizations will be able to harden their applications and protect themselves from the next mega breach.

API = Business Critical

So how can organizations secure their APIs? The first step is accepting that APIs need the same level of protection as business-critical web applications. Therefore, organizations should look to:

  • Prioritize visibility into the growing API ecosystem: Identifying all APIs within the enterprise and having visibility into all traffic accessing them. Protecting APIs should be a direct extension of an organization’s strategy for securing sensitive data.
  • Apply automation and machine learning to assess API behaviors: This should preferably occur early in the development and testing stage. Evaluating against risk-based policies and determining appropriate actions for mitigating the threats is crucial. In particular, this should include data exchange patterns so that runtime protection can be enabled based on an always up-to-date baseline of behavior.
  • Understand end users to ensure authentication and authorization: Determining end users’ identity and what they need access to is key to securing APIs and implementing authentication. APIs should be built and tested to prevent users from accessing API functions or operations outside their predefined role. For example, a read-only API client shouldn’t be allowed to access an endpoint providing admin functionality.
  • Enable API governance: Gaining visibility beyond the API endpoint and into each API’s underlying payload will help business leaders in highly regulated industries enforce a governance model and stop a potential data breach.

APIs underpin our digital economy, enabling businesses to innovate with speed and consumers to reap the benefits of their services. These ecosystems will only continue to grow as organizations use them to connect everything from mobile applications and IoT devices, to containers and serverless functions, to the underlying data layer. However, like anything that increases the speed of business, it creates security gaps that, if left unprotected, could pose serious threats. Therefore, API security needs to be seen as a critical dimension of a data security strategy.

What’s Hot on Infosecurity Magazine?