3 Top Takeaways on API Security and Zero Trust
Salt Security Co-founder and CEO Roey Eliyahu and TAG Cyber Founder and CEO Ed Amoroso recently sat down together for a joint webinar on API security and zero trust. When industry experts discuss two of the hottest topics in cybersecurity, the result is bound to be informative, and this session proved no exception.
What led us to zero trust?
In the 1990s and early 2000s, organizations relied on perimeter protections, using authentication at the boundary to grant users unencumbered access to everything inside it. With the rise of hybrid environments and the growth of the cloud, these protections became obsolete, which led to the rise of the ‘zero-trust’ architecture.
Ed defines ‘zero trust’ as the condition that arises once the perimeter has dissolved, which describes almost everything in today’s hybrid architectures. Because resources can now be accessed from almost any point, you can’t draw a perimeter around them. Zero trust instead advocates building ‘trusted’ environments to host applications, systems, and data, with every access operating under least privilege.
The vast majority of organizations are looking to adopt some form of zero trust — a fact that we easily validated during a quick webinar survey with the following question:
Is zero trust a consideration in your current security architecture?
- 57% – zero trust is a major consideration
- 7% – zero trust is a minor consideration
- 35% – zero trust isn’t a consideration yet, but we are moving toward it
Put another way, just 1% responded that they gave zero trust absolutely no consideration in their architecture! Given the enormous influence that zero trust has on security plans, organizations must also understand its weaknesses with regard to API security.
The conundrum of zero trust and API security
Many API risks can’t be mitigated by zero trust. Because APIs must be reachable to do their job, zero trust methods break down when applied to API security. Below are three examples, discussed by Roey and Ed, illustrating how zero trust methodologies fall short in protecting APIs:
- APIs enable business applications
- Unknown APIs can’t be protected with zero trust
- Many API attacks stem from authenticated users
APIs enable business applications
With increasing digital transformation initiatives, API usage has exploded. APIs have been specifically designed to share data and services across applications. The majority of data flowing in and out of our organizations runs on APIs. In fact, as cited by Roey in the webinar, 83% of Internet traffic is API traffic!
Because APIs enable all of your applications, they are critical to delivering business value. APIs in online ecommerce apps let you buy the goods being sold. Fintech APIs allow you to transfer funds into and out of your bank account as you wish. To run a digital business, organizations cannot shut these APIs out, or they would have no business to run.
Unknown APIs can’t be protected with zero trust
Because APIs are being developed and deployed so quickly, as well as being changed so frequently, it’s impossible to manually track all of them.
In our Q3 State of API Security report, we found that ‘shadow’ or unknown APIs, and ‘zombie’ or outdated APIs, present a huge concern for organizations. 42% of organizations say their biggest API security worry is outdated APIs. In fact, outdated APIs have been named as the number one API security concern over the past four surveys conducted by Salt Security.
These unknown and unsecured APIs may be exposed without the organization even knowing it! Whatever security practice you adopt, if you don’t know an asset exists, you can’t apply that security to it!
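As an added illustration of that inventory problem (example code written for this page, not from Salt Security or the webinar): the script below compares constructed gateway log lines against a constructed route list standing in for the API spec, flagging ‘shadow’ routes the spec never mentioned and ‘zombie’ routes that are marked deprecated but still take traffic. The route list, log lines and labels are all assumptions.

```python
import re
from collections import Counter

# Constructed stand-in for the API spec: documented routes; those that should
# already have been retired are marked deprecated.
DOCUMENTED_ROUTES = {
    ("GET", "/v2/users/{id}"): {"deprecated": False},
    ("POST", "/v2/orders"): {"deprecated": False},
    ("GET", "/v1/users/{id}"): {"deprecated": True},
}
# Constructed gateway access-log lines: "<method> <path> <status>".
ACCESS_LOG = """\
GET /v2/users/1042 200
GET /v2/users/77 200
POST /v2/orders 201
GET /v1/users/1042 200
GET /internal/export?all=1 200
GET /v2/users/1042/export 200
"""
def _template_to_regex(template):
    """/v2/users/{id} -> anchored regex; a {param} matches one path segment."""
    segs = [r"[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
            for s in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(segs) + "$")

MATCHERS = [(m, t, _template_to_regex(t), info)
            for (m, t), info in DOCUMENTED_ROUTES.items()]

def classify(method, path):
    """Map a request to (label, route): 'documented', 'zombie' (deprecated but
    still live) or 'shadow' (not in the spec, or documented path, wrong method)."""
    path = path.split("?", 1)[0]  # the query string is not part of the route
    for m, template, rx, info in MATCHERS:
        if m == method and rx.match(path):
            return ("zombie" if info["deprecated"] else "documented", template)
    return ("shadow", path)

def inventory(log_text):
    """Count requests per (label, method, route) across the whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        label, route = classify(method, path)
        counts[(label, method, route)] += 1
    return counts

def findings(log_text):
    """Routes the security team should review, most-hit first."""
    hits = [(k, n) for k, n in inventory(log_text).items() if k[0] != "documented"]
    return sorted(hits, key=lambda kv: -kv[1])
```

Running `findings(ACCESS_LOG)` surfaces the deprecated v1 user lookup still being called plus two routes the spec does not know about, which is exactly the list an inventory review should start from.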
Many API attacks stem from authenticated users
Many API security incidents involve using the API exactly as it was designed. For example, attackers can use social engineering techniques to obtain an authorized user’s keys or credentials and then call the API as that user. In this case, it doesn’t matter that every user has been authenticated under zero trust.
The recent Twitter API key and Peloton incidents are examples of an API being abused as designed for data exfiltration and unauthorized access. Legitimate use of an API can give attackers access to restricted data, as described in the OWASP API Security Top 10 under API3: Excessive Data Exposure.
The bottom line — some API risks can’t be mitigated by zero trust
According to Roey and Ed, there is a lot of confusion between API security and zero trust. The reality is that, even with a good zero trust strategy, some API security risks can’t be mitigated by zero trust. You can listen to Roey and Ed’s webinar in its entirety here.
To learn how the Salt Security API Protection Platform can help protect your critical services and data, sign up for a personalized demo.