Zero Trust’s Impact on API Security
Organizations can encounter various challenges when it comes to securing their APIs. In response, some are proposing zero trust as a possible solution.
Developers are releasing software to keep up with users’ expanding digital presence. Many of those programs rely on Application Programming Interfaces (APIs). Per IBM, APIs enable organizations to connect the data and functionality of their applications with those of other companies. APIs make it easier for companies to deliver and improve the digital products and services on which users rely.
It’s therefore no surprise that APIs have grown in recent years. Postman observed that its Collections, or folders where API developers group their API requests, doubled from 17.4 million to 34.9 million between January 2019 and January 2020 alone. As of January 2021, the number of Postman Collections had increased beyond 46 million.
These figures reflect the value of APIs in enabling digital services, such as providing multi-device experiences for consumers. The shift to microservices and cloud deployments has also dramatically increased the use of APIs.
The Challenges of Securing APIs
APIs might be supporting organizations’ business interests and revolutionizing customers’ experiences in the digital age, but they still need to be secured. However, that’s easier said than done. An API-driven application can rely on thousands of microservices, noted Forbes, which makes it difficult for security teams and other key stakeholders to track their APIs.
Not only that, but organizations also struggle with the means that they use to secure their APIs. In a 2020 report, Forrester found that perimeter-based security controls fail to adequately protect organizations’ APIs against digital attacks, events that continue to grow in severity, sophistication, and frequency. CSO noted that APIs will account for 90% of the attack surface by the end of 2021, for instance, while Gartner has long predicted that APIs will become the most frequent application attack vector by 2022. It’s no surprise, then, that just 2% of enterprise IT practitioners said they were completely confident in their employer’s ability to address unauthorized access, compliance risk, and other API security issues, according to Help Net Security.
On the Recommendation for Zero Trust
Acknowledging the challenges discussed above, some are proposing zero trust as a possible answer for API security. Among them is Jason Needham, CEO of Cloudentity. Here’s what he told Help Net Security:
As API endpoints proliferate, enterprises must standardize and improve the controls they use to protect this data, applying a zero trust approach to API access and data exchange. This goes beyond simple authentication. We must move to a model where every API transaction is dynamically authorized and easily audited for compliance, and monitored for suspicious activity.
For organizations to be able to audit their APIs for compliance and monitor them for anomalies, they need to focus on revamping their API discovery process. IT and security teams must move away from manually creating inventories of APIs because such processes are prone to human error, take significant time, and are almost never complete. In the words of Salt Security, “Automated discovery of API endpoints, parameters, and data types is crucial for all organizations.”
How Organizations Can Blend Zero Trust and API Security
Organizations can’t marry zero trust and API security on the fly. They need a comprehensive API security strategy that upholds some of the fundamental tenets of zero trust. VentureBeat noted that such a strategy should include the following elements:
- Governance: Zero trust can help API governance to scale by balancing the need for compliance with new API and endpoint security features.
- Management: Infosec personnel can enforce zero trust in API security by implementing the principle of least privilege and micro-segmentation in each stage of the software development life cycle (SDLC) as well as the continuous integration/continuous delivery (CI/CD) process. This oversight will help ensure that API security becomes an integral part of the SDLC and not an afterthought.
- Extent: Security need not end at the API coding process. In the spirit of zero trust, security teams can apply “default deny” principles everywhere and force authentication of all users and devices related to APIs.
The Limits of Zero Trust for API Security
Zero trust can help organizations to strengthen their API security, including setting up a central authentication service for approving requests. Even so, zero trust has its limits. In the words of Security Boulevard, “zero-trust won’t work universally across APIs. Managing security for the auth service is not able to act alone as a fully zero-trust application.”
The issue here is that zero trust and zero trust network access (ZTNA) don’t necessarily share the same priorities as APIs. According to Salt Security, zero trust aims to restrict access, while APIs require network access to function.
Where Does This Leave Organizations?
Zero trust is a sound security strategy. However, infosec teams can’t protect their APIs using access controls alone. They need to consider complementing their zero trust efforts with other initiatives that protect their APIs more comprehensively, such as anomaly detection and dynamic blocking, to defend against emerging threats.
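To make the combination the article argues for concrete (the “default deny” and least-privilege authorization from the strategy above, plus the anomaly detection and dynamic blocking it says must complement it), here is an added example of a minimal API gateway policy enforcement point. It is not code from the article or from any vendor named in it; the policy table, principal names and the consecutive-denial threshold are constructed for illustration.

```python
"""Default-deny, per-request API authorization with an audit trail and
anomaly-based dynamic blocking (constructed illustration, not a product)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Least-privilege policy: each authenticated principal is granted only the
# (method, path) pairs it needs. Anything not listed is denied by default.
# Sample policy constructed for this example.
POLICY = {
    "billing-svc": {("GET", "/invoices"), ("POST", "/invoices")},
    "report-svc": {("GET", "/invoices")},
}


@dataclass
class Gateway:
    window: int = 5        # decisions per principal retained for anomaly checks
    deny_limit: int = 3    # consecutive denials that trigger a dynamic block
    audit: list = field(default_factory=list)
    recent: dict = field(default_factory=lambda: defaultdict(deque))
    blocked: set = field(default_factory=set)

    def authorize(self, principal, method, path):
        """Return True only if the transaction is explicitly allowed.

        Every decision (allow, deny, blocked) is appended to the audit log so
        the call can be reviewed for compliance, and a run of denials from one
        principal is treated as suspicious activity that blocks it dynamically.
        """
        if principal in self.blocked:
            decision = "blocked"
        elif (method, path) in POLICY.get(principal, set()):
            decision = "allow"
        else:
            decision = "deny"          # default deny, including unknown principals
        self.audit.append((principal, method, path, decision))

        # Anomaly check: keep a short history per principal and block after
        # `deny_limit` consecutive denials (access control alone would only
        # keep saying "no" to each probe without ever escalating).
        history = self.recent[principal]
        history.append(decision)
        if len(history) > self.window:
            history.popleft()
        if list(history)[-self.deny_limit:] == ["deny"] * self.deny_limit:
            self.blocked.add(principal)
        return decision == "allow"
```

In a real deployment the principal would come from a verified token rather than a string, and the audit entries would be shipped to a log pipeline instead of kept in memory.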