
A 3-step approach to API security

2023-06-07 Carlos R. Iturria
API Sprawl: With the increasing number of microservices, cloud and SaaS applications, we need a new approach to use, manage and engage with APIs effectively.

This article provides comprehensive insights into handling API sprawl, emphasising our commitment to boosting your API security, inventory management, and observability.

In this article, you will learn about:

  • API inventory: In order to avoid being an easy target for a cyber-attack, the first step is to know what APIs you have and which ones are in use, deprecate old versions and keep this continuously up to date as part of the API's life cycle.

  • Nothing can be trusted: In the past, we used to be able to trust anything inside the corporate firewall. Not anymore. Nothing can be trusted; this includes users, microservices, legacy applications and infrastructure. Securing only the perimeter of your application is not enough. Cyber-attacks or simple human errors are likely to happen within your firewalls.

  • API observability: Maintaining API observability is vital for ensuring security and compliance, monitoring performance, troubleshooting issues, capacity planning and gaining business insights. It enables organisations to optimise their APIs, provide a better user experience and make informed decisions to drive business success.

Our recommendations:

  1. Implement an API Inventory: Build a full Enterprise API Inventory that will automatically evolve as part of the lifecycle of your APIs. This API Inventory needs to "continuously" tell you throughout your API’s lifecycle what APIs are in use and which need to be retired.

  2. Secure all your North/South, East/West traffic: First, encrypt all network traffic. This includes the network between your users and your firewall, as well as the network in-between all services. Authenticate and authorise all users, other APIs, applications and infrastructure before granting access to any API resources.

  3. Ensure full API Observability: Have full observability in place for all your APIs. This is not only to diagnose threats or security breaches quickly but also to ensure a healthy operation of your APIs, which will lead to a positive customer experience.

North/South traffic describes the flow of data between users and servers, while East/West traffic describes the exchange of data between servers or systems within the same network.

The challenge

Despite an increased number of cyber-attacks on companies with a strong history of protecting customer data, most companies are not following simple steps to avoid being victims of security breaches. On the contrary, most organisations, big and small, are constantly increasing their risks of being targets, but why is this the case? The answer has to do with "APIs" and "API Sprawl".

For the last few decades, companies have had to modernise their systems and operations in order to become more competitive. Competition has nothing to do with the size, tenure or even historical strength of a company but more with its ability to move faster and make better products and services to customers. Most companies have found out that they can abstract aspects of their business logic into microservices through APIs.

These composable components allow new products and services to be created faster, better and more cost-effectively. So, it is no surprise that most companies have decided to invest heavily in creating APIs to modernise their business.

However, the growth in API adoption has led to a problem called "API sprawl", which refers to the uncontrolled proliferation and management of APIs within an organisation. It occurs when there is an excessive number of APIs, often created by different teams or departments, without proper security, governance and documentation.

It is to be expected that companies are in a hurry to be more efficient so that they can beat their competition. The problem is that "API sprawl" tends to lead to several challenges and issues, with "Security" being the number 1 by far!

According to Salt Labs, in the last year alone, malicious API traffic increased by 681%! Salt Labs also reported that more than 34% of organisations do not have correct API security in place, with more than 91% of APIs openly exposing Personally Identifiable Information (PII) and sensitive data to attacks. This is massive!

An API inventory is a comprehensive catalogue of all APIs within an organisation, including their specifications, usage, and status.

In this article, we will give you a list of 3 steps that will help you not only to drastically reduce the risk of future API cyber-attacks but also to gain more value out of your APIs. This will give you the ability to increase the cadence of building and consuming APIs to create better products and services for your customers without the risk of future data breaches.

Step 1 - Implement an API Inventory

The one thing most hacked organisations have in common is that they did not have an API Inventory. Thus, they only learned about their API vulnerabilities when it was too late.

In order to avoid being an easy target for a cyber-attack, the first step is to know what APIs you have. Simple, right? Well, this is the first and most common mistake by most organisations.

Not having an Inventory of APIs makes it very hard to know which ones are in use and if they have the right level of protection, governance and visibility in place or not. The problem is known; despite advancements in technology by Security and Cloud Native IT Vendors, there is still no silver bullet when it comes to creating a complete Enterprise API Inventory.

Yes, there are tools that can and should be used in order to simplify discovering and cataloguing of all APIs. Still, companies must invest time in doing some analysis and putting things in order. It must be done; otherwise, the consequences are way too high.
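As an added illustration of the reconciliation an inventory has to support (example code, not from the article or its author), the following Python compares a constructed API inventory with constructed gateway access-log lines and reports shadow APIs, deprecated APIs still receiving calls, and active APIs with no traffic; the service names, paths and log lines are invented for the example.

```python
import re
from collections import Counter
# Constructed inventory (hypothetical names and paths, not from the article).
INVENTORY = [
    {"name": "customers", "version": "v2", "prefix": "/api/v2/customers", "status": "active"},
    {"name": "customers", "version": "v1", "prefix": "/api/v1/customers", "status": "deprecated"},
    {"name": "orders",    "version": "v1", "prefix": "/api/v1/orders",    "status": "active"},
    {"name": "reports",   "version": "v1", "prefix": "/api/v1/reports",   "status": "active"},
]

# Constructed gateway access log lines in common-log style (sample data).
ACCESS_LOG = """\
10.0.0.5 - - [07/Jun/2023:10:00:01 +0000] "GET /api/v2/customers/42 HTTP/1.1" 200 512
10.0.0.5 - - [07/Jun/2023:10:00:02 +0000] "GET /api/v1/customers/42 HTTP/1.1" 200 498
10.0.0.9 - - [07/Jun/2023:10:00:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 87
10.0.0.7 - - [07/Jun/2023:10:00:04 +0000] "GET /internal/export/all HTTP/1.1" 200 90211
10.0.0.7 - - [07/Jun/2023:10:00:05 +0000] "GET /internal/export/all HTTP/1.1" 200 90211
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def observed_paths(log_text):
    """Count requests per path seen at the gateway."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m.group("path")] += 1
    return counts

def match_inventory(path):
    """Return the inventory entry whose prefix covers the path, or None."""
    for api in INVENTORY:
        if path == api["prefix"] or path.startswith(api["prefix"] + "/"):
            return api
    return None

def reconcile(log_text):
    """shadow: no inventory entry; deprecated: still called; unused: active but idle."""
    shadow, deprecated, seen = Counter(), Counter(), set()
    for path, n in observed_paths(log_text).items():
        api = match_inventory(path)
        if api is None:
            shadow[path] += n
            continue
        seen.add((api["name"], api["version"]))
        if api["status"] == "deprecated":
            deprecated[f'{api["name"]}/{api["version"]}'] += n
    unused = sorted(f'{a["name"]}/{a["version"]}' for a in INVENTORY
                    if a["status"] == "active" and (a["name"], a["version"]) not in seen)
    return {"shadow": shadow, "deprecated": deprecated, "unused": unused}
```

Shadow paths are the ones the organisation did not know it was exposing; the unused list is the retirement candidates the inventory should surface continuously.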

Step 2 - Protect your APIs

When talking about which APIs are the most vulnerable, it is obvious to start with those exposed to end users. This doesn’t mean we can treat the rest of the internal APIs with less importance and concern.

In fact, the damage can be way worse if an internal API is breached, as it can expose sensitive information. Think of an API that is directly authenticated and connected to extract customer information out of a CRM or a Customer Database.

The other challenge is that although cloud adoption simplifies creating distributed applications, it makes it harder to properly secure and protect all APIs and applications running in many data centres (some private and some with cloud providers).

There is no such thing as "My firewall will fully protect me" anymore. Yes, firewalls are important, but we cannot rely on perimeter security alone anymore. "Nothing can be trusted", and this includes users (obviously), microservices, legacy applications and the infrastructure itself.

In 2010, Forrester coined the concept of the "Zero Trust Network", which explains why companies should not trust anything inside their firewalls: "Treat everything as if it is already compromised, because chances are that it will be".

If we cannot trust anything, it means that before we grant access to any API or infrastructure resource, even to another API, we need to do 3 things, ideally with a centralised Identity Server.


3 essential things to protect your APIs: Encryption, Authentication and Authorisation

A contributing factor to the uptick in cyber-attacks is the complexity involved in correctly implementing encryption, authentication, and authorisation, particularly for specific API types.

The goal is to establish these security measures in a manner that is simple, predictable, compulsory and always enforced. Crucially, these methods need to be integrated seamlessly into the API lifecycle, enhancing rather than replacing existing development and operational practices.

Luckily, there have been significant advancements in recent years with technologies around containers, container orchestration, DevOps and service mesh that can make this challenge a breeze.

Different IT vendors will have different capabilities, and there is no such thing as "one size fits all" – you need to invest in understanding how to enforce steps 1, 2 and 3 in order to avoid being the next one in the papers.
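The three checks described above, applied in the order encryption, authentication, authorisation, as an added Python example that is not part of the article; the in-memory token table stands in for the centralised identity server, and the tokens, roles, policy and paths are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a centralised identity server: opaque tokens mapped
# to a principal (user or service), its roles and an expiry. Hypothetical values.
IDENTITY_SERVER = {
    "tok-alice":   {"subject": "alice",       "roles": {"support"},     "exp": time.time() + 3600},
    "tok-billing": {"subject": "svc:billing", "roles": {"orders:read"}, "exp": time.time() + 3600},
    "tok-stale":   {"subject": "bob",         "roles": {"admin"},       "exp": time.time() - 1},
}

# Constructed authorisation policy: resource prefix -> roles allowed per method.
# Anything not listed is denied (deny by default).
POLICY = {
    "/api/v2/customers": {"GET": {"support", "admin"}, "DELETE": {"admin"}},
    "/api/v1/orders":    {"GET": {"orders:read", "admin"}},
}

@dataclass
class Request:
    method: str
    path: str
    encrypted: bool            # True when the hop arrived over TLS / mTLS
    token: Optional[str] = None

def check_access(req: Request, identity=IDENTITY_SERVER, policy=POLICY):
    """Return (allowed, reason); same gate for users and for other APIs (East/West)."""
    # 1. Encryption: never process credentials that travelled in the clear.
    if not req.encrypted:
        return False, "plaintext transport rejected"
    # 2. Authentication: the identity server, not the API, decides who the caller is.
    ident = identity.get(req.token or "")
    if ident is None:
        return False, "unknown token"
    if ident["exp"] < time.time():
        return False, "expired token"
    # 3. Authorisation: the caller's roles must match the resource/method policy.
    for prefix, methods in policy.items():
        if req.path == prefix or req.path.startswith(prefix + "/"):
            allowed = methods.get(req.method, set())
            if ident["roles"] & allowed:
                return True, f'{ident["subject"]} allowed'
            return False, f'{ident["subject"]} lacks role for {req.method} {prefix}'
    return False, "no policy for resource"
```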

Step 3 - Observe your APIs

With numerous APIs scattered across different systems and applications, managing and maintaining them becomes complex and challenging. It becomes difficult to track and understand the purpose, functionality, and dependencies of each API.

These complexities make it also very hard to have full end-to-end visibility on anything that "happens" or "happened" to your APIs. Each additional API represents a potential attack vector, and without proper oversight, some APIs may lack the necessary security measures, leading to potential breaches and data leaks.

Also, it does not have to be the most sophisticated cyber-attack; systems and APIs will eventually fail. That is the nature of IT. The problem is that when it happens, it becomes challenging to have full visibility across all APIs, leading to inconsistencies, deprecated functionality, performance degradation and loss of service continuity that, just like any cyber-attack, will lead to customer dissatisfaction and eventually attrition.

There are five main reasons why having full observability of your APIs is crucial for the success of your business:

  1. Security and Compliance: Observability plays a crucial role in API security. By monitoring API traffic and analysing logs, you can not only detect suspicious activities, unauthorised access attempts or any abnormal behaviour, but it also aids in meeting compliance requirements by providing audit trails and data for regulatory purposes.

  2. Monitoring Performance: API observability allows you to monitor the performance of your APIs in real time. It provides insights into response times, latency, error rates, and other key metrics. By tracking these performance indicators, you can identify bottlenecks and diagnose issues, which helps you optimise your APIs for better performance and customer experience.

  3. Troubleshooting and Debugging: Quick diagnosis can be the difference between retaining or losing customers. As we mentioned, it is not "if" but "when" systems and APIs will fail. Full observability of your APIs will help you quickly identify and diagnose the root cause, trace the flow of data, pinpoint problematic areas, and take corrective actions before it is too late.

  4. Capacity Planning and Scalability: Success can also be your worst enemy, because spikes of traffic can make you completely unresponsive or even kill systems and APIs. API observability helps you understand the usage patterns, traffic spikes and resource utilisation of your APIs. This can be used to make informed decisions about capacity planning and ensure that your APIs can handle increasing loads. It enables you to scale your infrastructure and allocate resources effectively to meet the growing demands of your API consumers.

  5. Business Insights: API observability generates valuable data and analytics that can provide insights into API usage, consumer behaviour and trends. This information can be leveraged for business decision-making, product and service enhancements, identifying new opportunities, and improving the overall customer experience.

API Telemetry involves the collection, measurement, and analysis of data from APIs in real-time. This data can include performance metrics such as response times, error rates, and usage statistics, among others.
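An added example (not from the article) of the telemetry signals listed above, computed in Python over constructed API telemetry records: per-endpoint 5xx error rate and p95 latency for points 2 to 4, and a burst of denied requests from one client as the kind of unauthorised access attempt point 1 refers to. The records, endpoints, client addresses and thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed telemetry records, as a gateway or service mesh would emit them (hypothetical).
TELEMETRY = [
    {"client": "10.0.0.5",     "endpoint": "GET /api/v2/customers", "status": 200, "ms": 120},
    {"client": "10.0.0.5",     "endpoint": "GET /api/v2/customers", "status": 200, "ms": 135},
    {"client": "10.0.0.9",     "endpoint": "POST /api/v1/orders",   "status": 201, "ms": 310},
    {"client": "10.0.0.9",     "endpoint": "POST /api/v1/orders",   "status": 500, "ms": 2400},
    {"client": "198.51.100.7", "endpoint": "GET /api/v2/customers", "status": 401, "ms": 15},
    {"client": "198.51.100.7", "endpoint": "GET /api/v2/customers", "status": 401, "ms": 14},
    {"client": "198.51.100.7", "endpoint": "GET /api/v2/customers", "status": 403, "ms": 16},
]

# Thresholds are assumptions for this example, not values from the article.
DENIED_BURST = 3        # 401/403 responses from one client in the window
ERROR_RATE_LIMIT = 0.2  # share of 5xx responses per endpoint
P95_LIMIT_MS = 1000     # 95th-percentile latency per endpoint

def p95(values):
    ordered = sorted(values)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]

def summarise(records):
    """Per-endpoint request count, 5xx error rate and p95 latency."""
    by_endpoint = defaultdict(list)
    for r in records:
        by_endpoint[r["endpoint"]].append(r)
    summary = {}
    for ep, rs in by_endpoint.items():
        errors = sum(1 for r in rs if r["status"] >= 500)
        summary[ep] = {"requests": len(rs), "error_rate": errors / len(rs),
                       "p95_ms": p95([r["ms"] for r in rs])}
    return summary

def alerts(records):
    """Security and health signals derived from the same telemetry."""
    out, denied = [], defaultdict(int)
    for r in records:
        if r["status"] in (401, 403):
            denied[r["client"]] += 1
    for client, n in denied.items():
        if n >= DENIED_BURST:
            out.append(f"{client}: {n} denied requests (possible unauthorised access attempts)")
    for ep, s in summarise(records).items():
        if s["error_rate"] > ERROR_RATE_LIMIT:
            out.append(f"{ep}: 5xx rate {s['error_rate']:.0%}")
        if s["p95_ms"] > P95_LIMIT_MS:
            out.append(f"{ep}: p95 latency {s['p95_ms']} ms")
    return out
```

The same records feed both the security alert and the performance metrics, which is the point of collecting telemetry once and reading it for all five purposes.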

Once again, luckily, there have been significant advancements in recent years with technologies around API Monitoring, Log Aggregation and API Telemetry that simplify the ability to obtain full end-to-end API Observability.

In summary, in order to address the effects of API sprawl, organisations must implement proper API security and Governance practices.

Only by implementing complete security measures can organisations mitigate the risks of being a target of cyber-attacks. With that, they can ensure the overall integrity and reliability of their systems, maintain user privacy, preserve business reputation, meet compliance requirements, prevent attacks, and enable secure integrations.

How can we support you?

At foryouandyourcustomers, we have an experienced team ready to assist your organisation in fortifying your API security. We provide support in developing an API inventory and implementing comprehensive safeguards for your APIs.


Our approach to implementing API Security


Interested in enhancing your API security? Don't hesitate to reach out to our expert and author of this article, Carlos, for tailored advice and solutions.

