Subscribe to the Salt blog to learn about the latest developments in API Security

Blog Post

3 Top Takeaways on API Security and Zero Trust

Jennifer Dignum
Sep 23, 2022

Salt Security Co-founder and CEO Roey Eliyahu and TAG Cyber Founder and CEO Ed Amoroso, recently sat down together for a joint webinar on API security and zero trust. When you have industry experts discussing two of the hottest topics in cybersecurity, it’s bound to be informative — and this time proved no exception.

What led us to zero trust?

In the 90s and early 2000s, organizations relied on perimeter protections, leveraging authentication to facilitate unencumbered user access within the perimeter. With the rise of hybrid environments and the growth of the cloud, these types of protections became obsolete — leading to the rise of the ‘zero-trust’ architecture.

Ed defines ‘zero trust’ as a condition that occurs when a perimeter is absolved — which covers almost everything within today’s hybrid architectures. Because resources can now be accessed from almost any point, you can’t draw a perimeter. Zero trust advocates building ‘trusted’ environments to host applications, systems, and data that operate with the least privileged access.

The vast majority of organizations are looking to adopt some form of zero trust — a fact that we easily validated during a quick webinar survey with the following question:

Is zero trust a consideration in your current security architecture?

  • 57% – zero trust is a major consideration
  • 7%  – zero trust is a minor consideration
  • 35% – zero trust isn’t a consideration yet, but we are moving toward it

Put another way, just 1% responded that they gave zero trust absolutely no consideration in their architecture! Given the enormous influence that zero trust has on security plans, organizations must also understand its weaknesses in regards to API security.

The conundrum of zero trust and API security

Many API risks can’t be mitigated by zero trust. Because APIs require access to function, zero trust methods break down in API security. Below are three examples, discussed by Roey and Ed, illustrating how zero trust methodologies fall short in protecting APIs:

  • APIs enable business applications
  • Unknown APIs can’t be protected with zero trust
  • Many API attacks stem from authenticated users

APIs enable business applications

With increasing digital transformation initiatives, API usage has exploded. APIs have been specifically designed to share data and services across applications. The majority of data flowing in and out of our organizations runs on APIs. In fact, as cited by Roey in the webinar, 83% of Internet traffic is API traffic!

Because APIs enable all of your applications, APIs are critical to deliver the business value. APIs used in online ecommerce apps let you buy the goods being sold. Fintech APIs allow you to transfer funds in and out as desired from your banking account. In order to run a digital business, organizations cannot shut out these APIs – or they would have no business to run.

Unknown APIs can’t be protected with zero trust

Because APIs are being developed and deployed so quickly, as well as being changed so frequently, it’s impossible to manually track all of them.

In our Q3 State of API Security report, we found that ‘shadow’ or unknown APIs, and ‘zombie’ or outdated APIs, present a huge concern for organizations. 42% of organizations say their biggest API security worry is outdated APIs. In fact, outdated APIs have been named as the number one API security concern over the past four surveys conducted by Salt Security.

These unknown and unsecured APIs may be being exposed, and organizations wouldn’t even know! Whatever security practice you adopt, if you don’t know an asset exists, you can’t apply the security!

Many API attacks stem from authenticated users

Many API security incidents occur by using the API as it was designed. For example, attackers can use social engineering techniques to obtain an authorized user’s keys or credentials to enable exploitation. In this case, it doesn’t matter that every user has been authenticated by zero trust.

The recent Twitter API key and Peloton incidents provide examples of abusing an API as designed for data exfiltration and unauthorized access. A legitimate usage of an API can allow attackers to gain access to restricted data, as explained in the OWASP API3: Excessive Data Exposure.

The bottom line — some API risks can’t be mitigated by zero trust

According to Roey and Ed, there can be a lot of confusion between API security and zero trust. The reality is that – even with a good zero trust strategy – some API security risks can’t be mitigated by zero trust. You can listen to Roey’s and Ed’s webinar in its entirety here.

To learn how the Salt Security API Protection Platform can help protect your critical services and data, sign up for a personalized demo.

Tags

Salt Security Blog

Sign up for the Salt Newsletter for the latest resources and blog posts.

June 21, 2024

Amanda Fitzsimmons
Head of Legal

Industry

Don't Get Salted: Why API Inventory is Key to PCI DSS 4.0 Compliance (and How Salt Security Can Help You Achieve It)

A secure API ecosystem starts with a clear understanding of what APIs you have and how they interact with your data.

Read more

June 18, 2024

Salt Labs
Research Team

Salt Labs

Increasing API Traffic, Proliferating Attack Activity and Lack of Maturity: Key Findings from Salt Security’s 2024 State of API Security Report

The latest Salt Security State of API Security Report is out now, and we’re thrilled to give a little sneak peek of its contents.

Read more

June 12, 2024

Elad Hoffer
Head of Product R/T Protection

Product

Salt Security Leading the Way in AI-Driven API Security for Next-Generation Threat Protection and Attacker Insights

Learn how the recent introduction of advanced LLM-driven attacker insights further solidifies Salt's position as a leader in API security solutions.

Read more

Download this guide for advice on evaluating key capabilities in API Security

Learn everything you need to know to keep your APIs secure

Get the guide
Back