By Mourad Jaakou, General Manager Amplify at Axway
Back in 2010, API Evangelist blogger Kin Lane posited that application programming interfaces (APIs) are driving the Internet and our economy. A decade later, we are seeing the prescience of that statement everywhere. From users to bots and applications, to a myriad of cloud services, everyone is leveraging APIs to implement a wide and growing range of functionality to serve our modern digital infrastructure.
But the rise of APIs and the benefits they provide also brings with it the risk of data exposure, which can jeopardize business continuity and user trust. Consider how an issue involving the OData API on the Microsoft Power Apps portal compromised sensitive data from large U.S. companies and various government agencies in the summer of 2021. In addition, the IBM Security X-Force Cloud Threat Landscape 2021 report suggests that APIs were involved in two-thirds of the cybersecurity incidents examined.
Meanwhile, in the era of digital transformation and API development, Zero-Trust Architecture (ZTA) has emerged as a critical approach to maintaining the security of enterprise infrastructure. The Cybersecurity Executive Order signed by President Biden last year required this type of “Zero Trust” architecture within some jurisdictions. As a result of the executive order, many companies have also included the implementation of this type of architecture in their roadmap. In this context, the combination of API-based technologies and ZTA could be decisive in the fight against relentless cyberattacks.
Addressing API vulnerabilities
Until now, organizations have often approached security by placing their trusted infrastructure and applications within a defined perimeter, with a key priority of protecting the company’s assets and networks from unauthorized external access. Unfortunately, just because the hosts that share a trust zone are nominally protected from hackers outside the enterprise does not mean they are sufficiently protected from each other.
In fact, systems were left at greater risk of attack as intruders posed as internal users to breach perimeter security and then moved freely across the network. A hacker could then access the victim’s internal resources and steal information. The perimeter is no longer an effective barrier to intrusion, whether because resources are increasingly moved to the cloud or because of the widespread use of telecommuting.
APIs are major entry points into systems and will continue to be key elements of data access management. But their usual defense mechanism – the use of API keys to limit access to a certain API – has shown its limitations, particularly because the keys can be stolen or are already in circulation. This weakness, now well understood, makes it more difficult to validate the true identity of the caller when an API is called.
Reduce the security perimeter to protect individual assets
To ensure enterprise security, strong authentication techniques and proper API configuration have become essential. The ZTA approach can provide just that extra layer of protection.
However, it is critical to remember that a ZTA is not a standalone IT infrastructure architecture. It is an approach that recognizes that attacks can come from both inside and outside the network and, therefore, no one can be trusted, not even bots.
The “Zero Trust” approach includes a set of best practices to strengthen security through more sophisticated protection of corporate assets. For science fiction fans, you could think of it as force fields around each asset: in this case, it makes more sense to consider individual protection than to try to protect the whole spaceship.
Accessibility must remain an essential consideration
Implementing a ZTA infrastructure means that internal and external entities are treated the same. Neither can access resources until they have been validated and have proven to be who they say they are, according to the company’s rules. This rigor applies to all resources and communications, which must be governed by well-defined access restrictions. Applications and services must constantly authenticate any entity attempting to access a resource.
Organizations must therefore focus on certain key considerations, such as whether it is acceptable for a given person to access a particular piece of information from the location they are currently in, wherever that may be. Can this microservice accept data from another microservice?
The ZTA approach has a basic two-part method for establishing and governing policies for these decisions: on one side, policy decision points (PDPs) are used to model and govern the policies; on the other, policy enforcement points (PEPs) enforce those decisions.
Organizations that use many APIs can do this most effectively with an API gateway (or, as frequently happens in larger organizations, multiple gateways) – but a truly universal approach to API governance is needed for the most accurate view.
Universal governance doesn’t mean adding more gateways; different teams may want to keep their API gateways from different vendors or with different configurations. Rather, it is a governance layer that offers greater control over security and compliance for all APIs. Teams should be able to keep their flexibility, and the organization gets the final say in what is exposed or not.
Observability is key: only a complete, centralized overview of all APIs, regardless of where they are – vendor-agnostic, multi-cloud, on-prem, hybrid – can bring all of an organization’s APIs securely into view.
If you rely on an API gateway to accelerate ZTA efforts, be sure to adopt a token-based API access and authorization solution (e.g., OAuth or OpenID Connect) if you don’t already. By combining the two – universal API governance and a token-based strategy for API access and authorization – it is possible to implement the strategy of least privilege, a security concept that limits a user’s level of access to only the task at hand.
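As an added example (not code from the article or from Axway's products), here is a minimal PEP/PDP split in Python: the PEP verifies the bearer token before any resource is touched, and the PDP decides per (resource, action) using token scopes, so a caller gets only the access the task at hand requires. The HMAC-signed token format, the shared secret, the policy table and the "writes only from the corporate network" rule are constructed assumptions for the demo; a real gateway would validate OAuth/OIDC tokens against the issuer's keys.

```python
import base64, hashlib, hmac, json
# Constructed demo secret; a real gateway validates tokens against the
# issuer's published keys (e.g. an OIDC JWKS endpoint) instead.
SECRET = b"demo-only-secret"

def _unb64(s: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except ValueError:               # malformed base64 in a tampered token
        return b""

def mint_token(claims: dict) -> str:
    # Stand-in for an OAuth access token: base64url(claims) + "." + HMAC-SHA256 tag
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=").decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + base64.urlsafe_b64encode(tag).rstrip(b"=").decode()

def verify_token(token: str, now: int):
    """Return the claims if signature and expiry check out, else None."""
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) > now else None

# PDP policy: (resource, action) -> required scope; anything unlisted is denied by default.
POLICY = {("/orders", "GET"): "orders:read", ("/orders", "POST"): "orders:write"}

def pdp_decide(claims: dict, resource: str, action: str, from_corp_net: bool) -> bool:
    required = POLICY.get((resource, action))
    if required is None:
        return False                 # default deny
    if required not in claims.get("scope", "").split():
        return False                 # least privilege: scope must have been granted
    if action != "GET" and not from_corp_net:
        return False                 # assumed location rule: writes only from inside
    return True

def pep_handle(auth_header: str, resource: str, action: str, from_corp_net: bool, now: int) -> int:
    # PEP: 401 for a missing/invalid token, 403 when the PDP denies, 200 when it allows
    if not auth_header.startswith("Bearer "):
        return 401
    claims = verify_token(auth_header[len("Bearer "):], now)
    if claims is None:
        return 401
    return 200 if pdp_decide(claims, resource, action, from_corp_net) else 403
```

Note that internal and external callers go through exactly the same path: a request without a valid token is rejected before the policy is even consulted.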
A secure foundation gives organizations the confidence to open up
To meet complex enterprise security requirements and adapt to the future, a ZTA infrastructure that uses APIs, token-based access and authorization, and API gateways can be customized through distributed policy enforcement.
In the era of multi-cloud, on-premises, and distributed installations, these capabilities will prove increasingly important for anyone looking to improve API security in the short and long term. But ultimately, the true value of API development is realized when APIs are adopted, not when they are built or secured.
A recent study on API adoption found that 96% of IT decision makers are prioritizing securing digital experience in their API initiatives right now. But just as many of them (97%) are also seeking to improve customer experience, and 84% hope to enter new markets with their APIs.
A secure foundation gives enterprises the confidence to unlock the true value of API products by exposing them on an API marketplace. By bringing them into one place for better adoption, management, and security, it is possible to fulfill the true potential of APIs to drive faster digital business outcomes.
About the Author
Mourad Jaakou is the General Manager Amplify at Axway.
Axway helps companies move forward faster and create brilliant digital experiences using our Amplify API Management Platform and proven MFT and B2B integration solutions. Mourad’s mission is to support and accompany customers to succeed in their digital transformation. After a degree in network engineering and early experience as an enterprise application integration (EAI) consultant, Mourad joined Axway in 2007, where he held various positions as EAI consultant and Senior Project Manager before joining and leading the EMEA Presales Consulting team. With 13 years of presales experience managing and supporting large customers, a robust understanding of APIs, and a willingness to help companies grow their business, Mourad was appointed General Manager of the Amplify offering in 2022.
Mourad can be reached online and at our company website https://www.axway.com/en
Source: www.cyberdefensemagazine.com