Zero trust as foundation of API security
Remote work from personal devices, cloud storage, and software-as-a-service are among the transformative advances that have unlocked greater efficiency at work yet rendered past security models based on network perimeters moot. You can put APIs in that category, too.
But with great rewards also comes new risks, and without zero trust as the foundation of your security, the APIs you use could become weak points. That’s because APIs are given access privileges to share data between applications. And because security can no longer depend on a network perimeter as the basis of their data defenses, you better know who is accessing data, when they access it, and what they’re doing with it.
An API, or application programming interface, is a powerful conductor to make your technology work in harmony. In a sense, it’s like data-as-a-service, with data automatically delivered to other platforms when needed. This can save a lot of time and manpower.
APIs can be used in different ways to improve the experience of your direct customers, web and app clients, and employees. Internal APIs can mesh with your services to make communication faster. You may also need to connect to external APIs outside of your infrastructure to include third-party data within your applications. In each case, you’re using an API to automatically share data, which means that while you’re increasing efficiency and improving services, you’re also deploying something that has privileged access to your system.
Zero trust is based on the principles of “least privilege” and strong access management and monitoring. Most of the time, when zero trust is discussed, these concepts are talked about in the context of human users. But these same principles also apply to APIs. After all, they’re essentially non-human users within your system, which means APIs’ access privileges and use must be managed and monitored with the same approach as human users.
For instance, in an ideal zero trust environment, only team members within the finance department should be accessing your organization’s bookkeeping software, human resources department employees should have sole access to employee records, and so forth. These examples of least privilege — providing users access only to the data and resources they need to perform their essential functions, and no more — need to be applied to any APIs you use, as well.
That means starting with the foundation of zero trust methodology — identity and access management. Your APIs should be accounted for within your unified user directory, so that their access levels can be properly managed and monitored.
If your organization deploys a new API, you can follow the same steps as setting up a new human employee in the system. With their access privileges set, you’ll prevent an API from moving laterally in the system, whether accidentally due to poor coding or intentionally due to a malicious hack so that a breach of one area can be isolated and contained.
A user account is created and then added to the appropriate working groups to enable the access the API needs to operate. If an API is being phased out, access is easily revoked, while maintaining the user account created for the API to log important data and history for future audits.
Once APIs have an established identity within your network, you can use context and risk-based policies to monitor and control access the same way for human users. If someone is accessing data in your network from an unrecognized geolocation or device, context-based policies can be used to trigger another authentication request.
Similarly, if you have an API account that is acting outside the context-based rules you’ve set up, you know you’ve got a problem. Whether the API itself is malfunctioning or someone has maliciously inserted themselves into the API process, these contextual cues are key to maintaining the integrity of your data. Risk-based policies add an additional layer to keep your most sensitive data and resources continuously monitored, like those subject to industry and governmental regulations.
Who is accessing your data, what can they access, and what are they doing with that access? These are the fundamental questions answered with a solid zero trust methodology in place, and these same questions applied to human users should be asked of APIs by your system as well.
