Register for our Dec 19th Webinar: Beyond the Perimeter: Achieving Comprehensive API Security

Blog Post

3 Top Takeaways on API Security and Zero Trust

Jennifer Dignum
Sep 23, 2022

Salt Security Co-founder and CEO Roey Eliyahu and TAG Cyber Founder and CEO Ed Amoroso, recently sat down together for a joint webinar on API security and zero trust. When you have industry experts discussing two of the hottest topics in cybersecurity, it’s bound to be informative — and this time proved no exception.

What led us to zero trust?

In the 90s and early 2000s, organizations relied on perimeter protections, leveraging authentication to facilitate unencumbered user access within the perimeter. With the rise of hybrid environments and the growth of the cloud, these types of protections became obsolete — leading to the rise of the ‘zero-trust’ architecture.

Ed defines ‘zero trust’ as a condition that occurs when a perimeter is absolved — which covers almost everything within today’s hybrid architectures. Because resources can now be accessed from almost any point, you can’t draw a perimeter. Zero trust advocates building ‘trusted’ environments to host applications, systems, and data that operate with the least privileged access.

The vast majority of organizations are looking to adopt some form of zero trust — a fact that we easily validated during a quick webinar survey with the following question:

Is zero trust a consideration in your current security architecture?

  • 57% – zero trust is a major consideration
  • 7%  – zero trust is a minor consideration
  • 35% – zero trust isn’t a consideration yet, but we are moving toward it

Put another way, just 1% responded that they gave zero trust absolutely no consideration in their architecture! Given the enormous influence that zero trust has on security plans, organizations must also understand its weaknesses in regards to API security.

The conundrum of zero trust and API security

Many API risks can’t be mitigated by zero trust. Because APIs require access to function, zero trust methods break down in API security. Below are three examples, discussed by Roey and Ed, illustrating how zero trust methodologies fall short in protecting APIs:

  • APIs enable business applications
  • Unknown APIs can’t be protected with zero trust
  • Many API attacks stem from authenticated users

APIs enable business applications

With increasing digital transformation initiatives, API usage has exploded. APIs have been specifically designed to share data and services across applications. The majority of data flowing in and out of our organizations runs on APIs. In fact, as cited by Roey in the webinar, 83% of Internet traffic is API traffic!

Because APIs enable all of your applications, APIs are critical to deliver the business value. APIs used in online ecommerce apps let you buy the goods being sold. Fintech APIs allow you to transfer funds in and out as desired from your banking account. In order to run a digital business, organizations cannot shut out these APIs – or they would have no business to run.

Unknown APIs can’t be protected with zero trust

Because APIs are being developed and deployed so quickly, as well as being changed so frequently, it’s impossible to manually track all of them.

In our Q3 State of API Security report, we found that ‘shadow’ or unknown APIs, and ‘zombie’ or outdated APIs, present a huge concern for organizations. 42% of organizations say their biggest API security worry is outdated APIs. In fact, outdated APIs have been named as the number one API security concern over the past four surveys conducted by Salt Security.

These unknown and unsecured APIs may be being exposed, and organizations wouldn’t even know! Whatever security practice you adopt, if you don’t know an asset exists, you can’t apply the security!

Many API attacks stem from authenticated users

Many API security incidents occur by using the API as it was designed. For example, attackers can use social engineering techniques to obtain an authorized user’s keys or credentials to enable exploitation. In this case, it doesn’t matter that every user has been authenticated by zero trust.

The recent Twitter API key and Peloton incidents provide examples of abusing an API as designed for data exfiltration and unauthorized access. A legitimate usage of an API can allow attackers to gain access to restricted data, as explained in the OWASP API3: Excessive Data Exposure.

The bottom line — some API risks can’t be mitigated by zero trust

According to Roey and Ed, there can be a lot of confusion between API security and zero trust. The reality is that – even with a good zero trust strategy – some API security risks can’t be mitigated by zero trust. You can listen to Roey’s and Ed’s webinar in its entirety here.

To learn how the Salt Security API Protection Platform can help protect your critical services and data, sign up for a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

November 27, 2024

Eric Schwake
Head of Product Marketing

Industry

Beyond Traditional Security: Addressing the API Security Gap

To safeguard your business from API-specific threats, you need a dedicated solution that offers comprehensive visibility, in-depth contextual analysis, automated governance, robust data protection, and AI-driven threat prevention.

Read more

November 21, 2024

Eric Schwake
Head of Product Marketing

Industry

API (In)security: The Hidden Risk of Black Friday

Learn how, for online retailers, Black Friday represents both a lucrative opportunity and a significant cybersecurity challenge.

Read more

November 5, 2024

Eric Schwake
Head of Product Marketing

Industry

API Security: The Non-Negotiable for Modern Transportation

Airlines and transportation companies heavily rely on APIs to handle sensitive data, from customer information to payment details and flight schedules. While crucial for efficient operations, these APIs are also prime cyberattack targets.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Get the guide
Back