Five Critical Security Measures To Enforce API Security 

Although business and engineering leaders continue to rapidly accelerate API usage and integration across companies, effectively securing APIs remains a challenge. And keeping this critical infrastructure safe from malicious hackers has never been more urgent.  

A recent study conducted by Kong in conjunction with outside economists forecasts a 996% increase in API attacks by 2030. Our research also projects that API cyberattacks will cost the US economy over $500 billion by the end of the decade. 

Five Steps to Enforce API Security

Effective API security strategies are multilayered and encompass various aspects of the API lifecycle. We've identified the most important security measures that require stringent enforcement.

1. Protect the network and transport layers: Start with low-level network enforcement at Layer 3 and Layer 4 (L3/L4). This is particularly important for edge APIs used by third parties outside an organisation. Businesses need to verify the legitimacy of incoming traffic before allowing it to progress any further.

To do this, you must filter and inspect traffic flows using inbound encrypted traffic inspection, stateful inspection, and protocol detection. These steps are critical to defeat data loss and known malware communications and support compliance requirements. 

These steps may represent a change in thinking for many leaders; in the past, external threats were the biggest concern, but now internal threats (malicious actors and bots) and vulnerabilities are also an issue. 

2. Implement zero trust: Zero trust is a well-established concept in cybersecurity, founded on the belief that you can't trust who a client claims to be, regardless of whether it's internal or external.

Consider: when you enter a foreign country, you must show your passport to validate your identity. Without passports, immigration agents would have to take your word about your identity, which could make their country vulnerable to malicious actions.

Keeping the "borders" of your APIs safe is no different. Zero trust is designed to validate every client's identity. For starters, the "passport" could be an mTLS certificate issued to each service installer with every request. To simplify this potentially complex endeavour, you could develop a service mesh to manage the entire certificate lifecycle (issuance, rotation, revocation) automatically, and handle enforcement with a sidecar proxy running transparently alongside it. The result? Teams can be users of zero trust, not enforcers or builders.
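The "passport check" described above, sketched with Python's standard `ssl` module as an added example (not code from the article or from Kong). The allowlist of caller identities, the function names and the `mesh.example` host names are assumptions made for the illustration.

```python
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# verified handshake; the host names are made up for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "orders"),),),
    "subjectAltName": (("DNS", "orders.mesh.example"),),
}

def make_mtls_server_context(ca_file=None, cert_file=None, key_file=None):
    """Build a server TLS context that rejects clients without a valid certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED makes the handshake fail unless the client presents a
    # certificate that chains to a CA loaded below.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the issuing CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # the server's own identity
    return ctx

def service_identities(peer_cert):
    """Collect the DNS and URI subjectAltName entries of a verified peer cert."""
    sans = peer_cert.get("subjectAltName", ())
    return {value for kind, value in sans if kind in ("DNS", "URI")}

def authorize_peer(peer_cert, allowed_callers):
    """Return the matched caller identity, or None if the peer is not allowed.

    getpeercert() yields None or {} when no validated certificate exists, so
    an empty value is treated as "no identity" and refused.
    """
    if not peer_cert:
        return None
    matched = service_identities(peer_cert) & set(allowed_callers)
    return sorted(matched)[0] if matched else None

if __name__ == "__main__":
    print(authorize_peer(SAMPLE_PEER_CERT, {"orders.mesh.example"}))
```

Chain and expiry validation happen in the TLS handshake; `authorize_peer` only decides whether an already-verified identity may call this particular service.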

3. Mandate user authentication and authorisation: Once you've validated the identities of the services using APIs, you must identify the user with authentication and authorisation strategies. These could include validating an API key or integrating with a third-party OpenID Connect (OIDC) or OAuth provider. It's best to centralise how these policies are enforced, as decentralised enforcement can introduce considerable security risks.

4. Restrict traffic to the API: Security protocols or control measures shouldn't end there. Consider restricting the traffic directed toward the API to manage user-level access. It's like step 1 above but enhanced with rate-limiting or throttling strategies.

These safeguards can prevent escalating failures from excessive traffic and allow API consumption tiers, which can serve as an additional revenue stream during busy seasons.

To optimise this strategy, employ intensive API monitoring and analytics, coupled with asynchronous machine learning capabilities to track traffic for each client and user. Platform teams can help the organisation's security-approved API infrastructure run smoothly. 
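One way to combine rate limiting with consumption tiers is a token bucket kept per authenticated client, shown here as an added example that is not part of the original article. The tier names and limits are constructed values, and `client_id` is assumed to be the identity established in step 3.

```python
import time
from dataclasses import dataclass

# Constructed tiers: name -> (burst capacity, refill rate in tokens per second).
TIERS = {"free": (5, 1.0), "premium": (50, 10.0)}

@dataclass
class Bucket:
    tokens: float   # requests the client may still make right now
    updated: float  # clock reading when tokens was last recalculated

class TieredRateLimiter:
    """Token-bucket limiter with one bucket per client and limits set by tier."""

    def __init__(self, tiers, clock=time.monotonic):
        self.tiers = tiers
        self.clock = clock   # injectable so behaviour can be tested without sleeping
        self.buckets = {}

    def check(self, client_id, tier):
        """Return (allowed, retry_after_seconds) for one request."""
        capacity, rate = self.tiers[tier]
        now = self.clock()
        bucket = self.buckets.setdefault(client_id, Bucket(capacity, now))
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        bucket.tokens = min(capacity, bucket.tokens + (now - bucket.updated) * rate)
        bucket.updated = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True, 0.0
        # Denied: report how long until one whole token is available again,
        # which a gateway would typically send back with an HTTP 429 response.
        return False, (1 - bucket.tokens) / rate

if __name__ == "__main__":
    limiter = TieredRateLimiter(TIERS)
    for i in range(7):
        print(i, limiter.check("alice", "free"))
```

Because each client has its own bucket, one client exhausting its allowance does not throttle the others.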

5. Enforce policies: To further mitigate risk, create a policy-enforcement workflow. Policy enforcement and control equate to compliance, yet they can be overlooked. Policy enforcement ensures that necessary policies are applied, correctly configured, not malicious, and won't cause unexpected results. The faster you mandate and universally enforce global policies, the stronger your security measures can become.

Take Action Against Threats

At the end of the day, you must recognise and act on the increasing levels of threats against APIs by developing smart, agile security measures and protecting their integrity and endurance.  

For more detailed information, please download a copy of “Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company” 
 
Marco Palladino is CTO and co-founder of Kong   
