Don’t Leave Your Doors Open - Secure Your APIs Now

APIs are the glue that lets two systems share data or functionality, and they let organizations create new business opportunities, drive integrations and speed up overall development. Some of the largest companies today have grown through their ability to monetize APIs: Salesforce reportedly generates 50% of its revenue through APIs, eBay nearly 60% and Expedia a remarkable 90%.

APIs also carry risk. Organizations frequently fail to safeguard them effectively and see an influx of attacks as a result. According to Gartner, by 2022 insecure or poorly secured APIs will be the largest source of privacy and security incidents.

If 2018 was any indication, security issues stemming from APIs are already a major problem. In December, Google disclosed a second bug in the Google+ API that exposed the private profile data of 52.5 million users to third-party applications. In the same week, Facebook capped off a tough year with an API bug that allowed third-party apps to access photos, including unposted ones, of up to 6.8 million people.

Shifting API mindsets from functionality to security
In both cases the root cause was most likely simple: the use cases and users the API was designed for changed over time, and no one noticed that the original assumptions, constraints and requirements had changed with them. Put another way, APIs end up being used in applications and situations their designers never envisioned, and the access controls are never revisited.

A developer's mindset typically centers on features, and functionality has taken precedence over security. In today's landscape, where vulnerabilities and threats lurk at every corner, this must be turned on its head: the growth and adoption of APIs needs to be matched by a commitment to securing them.

One way to reduce exposure is for organizations to stop collecting unnecessary data, which, if compromised, can lead to massive financial and reputational loss, especially in the era of GDPR. Much of this collection is driven by wider marketing campaigns, but data gathering should be kept to a minimum: collect only what is required, retain it only as long as it is needed, and expose it through the API only to callers who need it.

Beyond that, it is essential to understand that we now live in a zero-trust world. Trusting callers, whether deliberately by applying minimal security, or implicitly by assuming no one will find an undocumented endpoint (security through obscurity), exposes organizations to significant threats. Developers should treat APIs exactly as they would web interfaces and applications: every request is authenticated, every request is authorized, and company data and IP are protected accordingly.

Unified strategy to secure your APIs
However, the right mindset alone is not enough without technology to complement it. Organizations that have relied on unqualified trust, or on globally trusted API keys (a single long-lived key that grants the same access to every caller from every location), must understand that this can expose sensitive data in unexpected ways: a leaked key is indistinguishable from a legitimate client, and it cannot be narrowed to a user, a device or a subset of operations.

An API gateway is a step in the right direction and can prove extremely valuable as a front door to an API's infrastructure, handling TLS termination, rate limiting and a first layer of authentication. Yet a gateway on its own has no context about the user or how far to trust them; it cannot differentiate between an employee on a managed computer in the office and a suspicious mobile device on the other side of the world. To close this gap, we need to introduce an identity provider that holds the full user context.

The final step is to bridge the API gateway and the identity provider using OAuth 2.0. The identity provider evaluates the user's context and issues an access token scoped to exactly the access they require, and the API gateway enforces that scope on every request. This works much like a hotel check-in: the front desk (identity provider) verifies who you are and issues a key card (token) that opens only your room, only for the duration of your stay, while the door lock (gateway) simply checks the card and never needs to know how you were identified.

Together these complementary technologies create an API access management solution that can limit particular OAuth scopes to specific devices, a specific network or a group membership. More importantly, the security team can manage such policies outside the API gateway and centrally log access requests, grants and policy changes, while developers focus on building the API and simply respecting the scopes that were granted.
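To make the division of labour concrete, here is an added example (not code from the original article or from any vendor's product) of the two halves described above: an identity-provider side that evaluates user context and issues a scoped, signed, short-lived token, and a gateway side that enforces a route's required scope without knowing anything about users. The group-to-scope policy, the shared HMAC key, the corporate IP range, the audience name and the audit log are all constructed assumptions for illustration; a real deployment would use an identity provider's asymmetric signing keys and a standard JWT library rather than hand-rolled encoding.

```python
"""Illustrative OAuth 2.0-style scoped tokens: IdP issues, gateway enforces.

All names, keys and policy values below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumption: a key shared between the identity provider and the gateway.
# Real deployments sign with the IdP's private key and verify with its JWKS.
SIGNING_KEY = b"demo-shared-secret-do-not-use-in-production"
AUDIENCE = "orders-api"          # which API the token is valid for
TOKEN_TTL = 300                  # seconds; short-lived like a key card

# Hypothetical policy: what each group may receive at most...
GROUP_SCOPES = {
    "support": {"orders:read"},
    "finance": {"orders:read", "orders:refund"},
}
# ...and which scopes additionally require a managed device on the corporate
# network (10.0.0.0/8 here) before the identity provider will grant them.
RESTRICTED_SCOPES = {"orders:refund"}

# Central audit log of grants and enforcement decisions (the security team's
# view); in practice this is shipped to a SIEM rather than kept in memory.
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, groups, requested_scopes, device_managed, source_ip, now=None):
    """Identity provider: intersect the request with policy and user context.

    Restricted scopes are dropped unless the request comes from a managed
    device on the corporate range; the caller gets only what it asked for
    AND is allowed, never more.
    """
    now = int(time.time() if now is None else now)
    allowed = set()
    for group in groups:
        allowed |= GROUP_SCOPES.get(group, set())
    trusted_context = device_managed and source_ip.startswith("10.")
    if not trusted_context:
        allowed -= RESTRICTED_SCOPES
    granted = sorted(set(requested_scopes) & allowed)
    AUDIT_LOG.append({"event": "grant", "user": user, "scopes": granted,
                      "ip": source_ip, "managed": device_managed})
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "aud": AUDIENCE, "iat": now,
              "exp": now + TOKEN_TTL, "scope": " ".join(granted)}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(signature)


def verify_token(token, now=None):
    """Gateway: check structure, algorithm, signature, audience and expiry.

    Returns the claims dict, or None for anything that does not verify.
    """
    now = time.time() if now is None else now
    try:
        h, c, s = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None
        header = json.loads(_unb64(h))
        claims = json.loads(_unb64(c))
    except ValueError:               # bad base64, bad JSON, wrong segment count
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def gateway_authorize(token, required_scope, now=None):
    """Gateway enforcement for one route: is `required_scope` in the token?"""
    claims = verify_token(token, now)
    allowed = claims is not None and required_scope in claims["scope"].split()
    AUDIT_LOG.append({"event": "enforce", "sub": claims["sub"] if claims else None,
                      "scope": required_scope, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    # Same user, same group, different context: refund scope only from the office.
    office = issue_token("alice", ["finance"], ["orders:read", "orders:refund"], True, "10.1.2.3")
    roaming = issue_token("alice", ["finance"], ["orders:read", "orders:refund"], False, "203.0.113.5")
    print("office refund:", gateway_authorize(office, "orders:refund"))    # True
    print("roaming refund:", gateway_authorize(roaming, "orders:refund"))  # False
    print("roaming read:", gateway_authorize(roaming, "orders:read"))      # True
    for entry in AUDIT_LOG:
        print(entry)
```

The point to notice is where the decisions live. The gateway never sees groups, device state or source IP; it only checks that a token it can verify carries the scope a route demands. All context-sensitive policy (and every grant) is decided and logged on the identity-provider side, which is what lets the security team change policy centrally without touching the gateway or the API code.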

Numerous data breaches have been detected by observant security teams reviewing access logs, so the more of this data we capture centrally, the faster anomalous grants and denied requests can be spotted and the better protected we are.

Better solutions can help bring APIs out of the realm of "shadow IT" and back to known, trusted systems and patterns. But remember: no solution is perfect, and today's trusted partner may become tomorrow's compromised system, which is exactly why tokens should be short-lived and narrowly scoped.

Attackers continue to find new ways to break into systems, and weaknesses in API security are the newest opening for cyber criminals to exploit. Organizations must place great emphasis on securing APIs through a combination of API gateways, OAuth 2.0 backed by an identity provider, and a security-focused mindset.

Organizations must apply an integrated approach to API security or else leave the door open to further threats in the year ahead.