Security Magazine

Zero trust as foundation of API security

By Matt Graves
May 16, 2022

Remote work from personal devices, cloud storage, and software-as-a-service are among the transformative advances that have unlocked greater efficiency at work yet rendered security models built on a network perimeter obsolete. APIs belong in that category, too.

But with great rewards come new risks, and without zero trust as the foundation of your security, the APIs you use can become weak points. That is because APIs are granted access privileges in order to share data between applications. And because security can no longer rely on a network perimeter as the basis of its data defenses, you had better know who is accessing data, when they access it, and what they are doing with it.

An API, or application programming interface, is a powerful conductor that makes your technology work in harmony. In a sense, it is like data-as-a-service, with data delivered automatically to other platforms when needed. This can save a lot of time and effort.

APIs can be used in different ways to improve the experience of your direct customers, web and app clients, and employees. Internal APIs can connect your own services to make communication faster. You may also need to call external APIs outside your infrastructure to bring third-party data into your applications. In each case, you are using an API to share data automatically, which means that while you are increasing efficiency and improving services, you are also deploying something that has privileged access to your systems.

Zero trust is based on the principles of least privilege and strong access management and monitoring. Most of the time, when zero trust is discussed, these concepts are framed in terms of human users. But the same principles apply to APIs. After all, they are essentially non-human users within your system, which means an API's access privileges and activity must be managed and monitored with the same rigor as a human user's.

For instance, in an ideal zero trust environment, only team members within the finance department should be accessing your organization’s bookkeeping software, human resources department employees should have sole access to employee records, and so forth. These examples of least privilege — providing users access only to the data and resources they need to perform their essential functions, and no more — need to be applied to any APIs you use, as well.

That means starting with the foundation of zero trust methodology — identity and access management. Your APIs should be accounted for within your unified user directory, so that their access levels can be properly managed and monitored.

When your organization deploys a new API, follow the same steps you would for a new employee. With its access privileges scoped up front, an API cannot move laterally through the system, whether accidentally because of poor coding or deliberately because an attacker has compromised it, so a breach of one area can be isolated and contained.

A user account is created for the API and then added to the working groups that grant exactly the access it needs to operate. When an API is phased out, that access is easily revoked, while the account itself is retained so that its activity history remains available for future audits.
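As an added example (not the author's code or any vendor's product), the lifecycle just described modeled in Python: the API gets a directory identity, its permissions are derived only from group membership, authorization fails closed, and decommissioning revokes access while keeping the account and its audit trail. The directory, group names, endpoints and client IDs are illustrative assumptions.

```python
"""Provisioning an API as a non-human identity with least privilege.

Added example, not code from the article. The directory, group names,
granted endpoints and client IDs are illustrative assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed entitlement table: each directory group grants a fixed set
# of (method, resource) permissions, mirroring the finance/HR split above.
GROUP_GRANTS = {
    "svc-finance-readonly": {("GET", "/ledger"), ("GET", "/invoices")},
    "svc-hr-records": {("GET", "/employees"), ("PUT", "/employees")},
}


@dataclass
class ServiceIdentity:
    client_id: str
    owner: str                      # team accountable for the integration
    groups: set = field(default_factory=set)
    enabled: bool = True
    audit: list = field(default_factory=list)

    def permissions(self):
        """Effective permissions are the union of the groups' grants, nothing more."""
        perms = set()
        for group in self.groups:
            perms |= GROUP_GRANTS.get(group, set())
        return perms


class Directory:
    """Minimal stand-in for the unified directory the article recommends."""

    def __init__(self):
        self.identities = {}

    def _log(self, ident, event, **detail):
        ident.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                            "event": event, **detail})

    def provision(self, client_id, owner, groups):
        # Same steps as onboarding a person: create the account, then add it
        # only to groups that grant what the integration needs. Unknown
        # groups are rejected rather than silently ignored.
        unknown = set(groups) - set(GROUP_GRANTS)
        if unknown:
            raise ValueError(f"no such group(s): {sorted(unknown)}")
        ident = ServiceIdentity(client_id, owner, set(groups))
        self.identities[client_id] = ident
        self._log(ident, "provisioned", groups=sorted(groups))
        return ident

    def authorize(self, client_id, method, resource):
        """Fail closed: unknown, disabled or out-of-scope callers are denied."""
        ident = self.identities.get(client_id)
        if ident is None:
            return "deny:unknown_identity"
        if not ident.enabled:
            decision = "deny:disabled"
        elif (method, resource) not in ident.permissions():
            decision = "deny:out_of_scope"
        else:
            decision = "allow"
        self._log(ident, "authz", method=method, resource=resource,
                  decision=decision)
        return decision

    def decommission(self, client_id):
        """Phase-out: revoke all access but keep the account and its audit trail."""
        ident = self.identities[client_id]
        ident.enabled = False
        ident.groups.clear()
        self._log(ident, "decommissioned")
        return ident
```

The point of the shape: nothing grants a permission except group membership, so reviewing an API's access is the same review you already do for a person, and a decommissioned identity still answers the audit question "what did this API do while it was live."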

Once APIs have an established identity within your directory, you can use context- and risk-based policies to monitor and control their access the same way you do for human users. If someone is accessing data in your network from an unrecognized geolocation or device, a context-based policy can trigger another authentication request.

Similarly, if an API account is acting outside the context-based rules you have set up, you know you have a problem. Whether the API itself is malfunctioning or someone has maliciously inserted themselves into the API process, these contextual cues are key to maintaining the integrity of your data. Risk-based policies add a further layer, keeping your most sensitive data and resources, such as those subject to industry and governmental regulation, under continuous monitoring.
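As an added example (not the author's code), here is what those context- and risk-based rules look like when applied to API accounts: constructed API gateway log lines are replayed against each identity's registered context profile (expected source networks, entitled endpoints, a sane call rate), and anything outside that profile becomes a finding whose severity rises when regulated data is involved. The profiles, networks, endpoints, thresholds, actions and log lines are all illustrative assumptions.

```python
"""Context- and risk-based monitoring of API identities.

Added example, not code from the article. The profiles, networks,
endpoints, thresholds and the gateway log are constructed assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed context profile per API identity: where it is expected to call
# from, which endpoints it is entitled to, and a sane call rate.
PROFILES = {
    "api-billing-sync": {
        "networks": [ipaddress.ip_network("10.20.0.0/16")],
        "endpoints": {"/ledger", "/invoices"},
        "max_calls_per_minute": 5,
    },
    "api-hr-export": {
        "networks": [ipaddress.ip_network("10.30.5.0/24")],
        "endpoints": {"/employees"},
        "max_calls_per_minute": 5,
    },
}

# Risk-based tier: resources holding regulated data escalate any finding.
SENSITIVE = {"/ledger", "/employees"}

WINDOW = timedelta(seconds=60)

# Constructed gateway log: "<ts> <client_id> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2022-05-16T09:00:01Z api-billing-sync 10.20.4.7 GET /invoices 200
2022-05-16T09:00:05Z api-billing-sync 10.20.4.7 GET /ledger 200
2022-05-16T09:00:09Z api-billing-sync 203.0.113.9 GET /ledger 200
2022-05-16T09:00:12Z api-hr-export 10.30.5.2 GET /employees 200
2022-05-16T09:00:14Z api-hr-export 10.30.5.2 GET /ledger 403
2022-05-16T09:00:18Z api-legacy-sync 10.20.4.9 GET /invoices 200
2022-05-16T09:00:20Z api-billing-sync 10.20.4.7 GET /invoices 200
2022-05-16T09:00:25Z api-billing-sync 10.20.4.7 GET /invoices 200
2022-05-16T09:00:30Z api-billing-sync 10.20.4.7 GET /invoices 200
"""


def parse_line(line):
    ts, client, ip, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "ip": ipaddress.ip_address(ip),
        "method": method,
        "path": path,
        "status": int(status),
    }


def analyze(log_text):
    """Return one finding per event that falls outside its identity's context."""
    findings = []
    recent = defaultdict(deque)  # client -> call timestamps inside WINDOW

    def flag(ev, rule):
        findings.append({
            "ts": ev["ts"].isoformat(),
            "client": ev["client"],
            "rule": rule,
            "severity": "high" if ev["path"] in SENSITIVE else "medium",
            # Off-network use of a live identity triggers re-authentication;
            # everything else is a policy violation to block and investigate.
            "action": "step_up_auth" if rule == "off_network" else "block",
        })

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        profile = PROFILES.get(ev["client"])
        if profile is None:
            # An identity the directory does not know should never reach the gateway.
            flag(ev, "unknown_identity")
            continue
        if not any(ev["ip"] in net for net in profile["networks"]):
            flag(ev, "off_network")
        if ev["path"] not in profile["endpoints"]:
            # Flagged even when the gateway already returned 403: an API probing
            # beyond its grant is malfunctioning or being driven by someone else.
            flag(ev, "unexpected_endpoint")
        calls = recent[ev["client"]]
        calls.append(ev["ts"])
        while ev["ts"] - calls[0] > WINDOW:
            calls.popleft()
        if len(calls) > profile["max_calls_per_minute"]:
            flag(ev, "burst")
    return findings
```

On the sample log this yields four findings: the billing API calling the ledger from an address outside its network (high severity, step-up authentication), the HR export reaching for the ledger it was never granted (high, blocked even though the gateway had already refused it), an identity the directory does not know at all, and a burst of calls that exceeds the billing API's expected rate. In production the profile comes from the directory entry created at provisioning, not from a hand-written table.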

Who is accessing your data, what can they access, and what are they doing with that access? These are the fundamental questions a solid zero trust methodology answers, and your systems should ask the same questions of APIs that they ask of human users.

KEYWORDS: cyber security, data privacy, risk management, zero trust

Matt Graves is Vice President of Information Security at MajorKey.
