How to Bullet-proof API Security to Keep API Secrets Safe

Written by Corsha | May 8, 2023 9:16:14 PM

Organizations are leveraging APIs more than ever. In 2021, 90.5% of developers said they will expand their use of APIs. Organizations also planned to spend around $23.6 million on APIs and other related technologies in 2022.

To keep the data and traffic that flows through APIs secure, businesses tend to rely on the bearer model. But the bearer model is not enough. 

That’s because obtaining access to API secrets is becoming easier for attackers, as secrets and tokens are often shared across environments and not rotated frequently enough. As a result, organizations that rely on the bearer model for API security often find themselves reacting to cyber threats instead of proactively working to prevent them.

In this blog, we explore why businesses commonly lean on the bearer model for security and the best solutions for strongly securing API secrets. 

Why Use the Bearer Model?

The bearer model helps validate machine identity by leveraging security tokens that act as proof of identity. These tokens store security credentials for creating a login session to verify user identity and user privileges. You can think of API secrets as a “password” between systems. Primarily, they are used for authentication and authorization.

API secrets are popular because they can be used to monitor API activity, such as which customers are making requests and how many requests each one sends. By using secrets, APIs can remove anonymous bot traffic or block requests from a specific user if necessary. 

Although secrets are commonly used by organizations for machine identity and securing communication between a service and a customer, they are not as protected as they should be.

How Do Secrets Get Shared?

API secrets are static and often reused and shared across platforms like code repositories, continuous integration and continuous deployment (CI/CD) systems, and even Slack. The longer they go without being manually refreshed or rotated, the easier it is for attackers to gain access. 

However, managing hundreds or thousands of API secrets across a seemingly endless environment can spell disaster. For example, in the Optus data breach of September 2022, a threat actor was able to access the personal information of 10 million current and former Optus customers through an unauthenticated API.

Although popular, the bearer model is deeply flawed. Bad actors obtain secrets – and sometimes organizations don't realize this for weeks, months, or even years. To ensure communications between services, machines, and APIs are safe and secure, organizations need to look beyond the bearer model.

Go Beyond the Bearer Model

Bullet-proof API security will only grow in importance – especially as machine-to-machine (M2M) traffic grows. Currently, over 80% of web traffic is API traffic. And reliance on APIs today is exploding, as 90% of enterprises rely on the cloud for these business-critical processes.

Organizations must adapt API security practices to be proactive in preventing attacks. In more basic terms, we all need to move on from the bearer model. 

Secrets Management 

A secrets management solution – like a vault or secrets manager – is the next step up from the bearer model. Businesses should leverage an API identity and access management solution that automates the tedious job of secrets management and takes the responsibility of managing secrets off of people.

An API identity and access management solution isn’t just an alternative to secrets management – it’s an additional security layer on top of your current one. The additional layer greatly reduces your API attack surface by abstracting the security vulnerabilities that can stem from poor API secrets hygiene. 

It’s worth mentioning that each system or platform often has its own proprietary secrets management solution: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) each ship their own. So if you are active in all three clouds, you are in charge of three secrets managers - and that's only in your cloud environments!

With all those systems to keep track of, shifting the responsibility of secrets management will prove to be a valuable time and cost saver. IT and DevOps teams spend 25 minutes a day on average managing secrets. These 25 minutes result in a payroll expense of $8.5 billion per year in the U.S. What could you do with all the time and money saved?

MFA for M2M Communications

Another step up from the bearer model would be an MFA solution for M2M communications. 

Although MFA is not a brand new concept, implementation across human-to-machine (H2M) and M2M communications is consistently low. Microsoft shared that only 22% of its Azure Active Directory users had adopted a form of MFA.

MFA for machine identity is the most comprehensive way to ensure that the right machines have the right access to your APIs. It implements a core tenet of zero trust: only granting access if the subject is verifiably authentic.

An API identity and access management solution can give you full visibility into which humans and what machines are accessing your APIs, as well as automate verification, so you don't have to worry about an unauthorized machine making a rogue API call if your secrets fall into the wrong hands.
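To make the contrast between the bearer model described above and one-time machine credentials concrete, here is an added example (not Corsha's code, and not a description of its product) that verifies the same API request both ways. The static secret, the per-machine key, the machine name "pod-a" and the request format are all constructed for the illustration. Under the bearer model the API accepts the static secret on every presentation, so a copy lifted from a repository or a captured request is as good as the original. The one-time scheme binds an HMAC to the machine identity, a monotonically increasing counter, a fresh nonce and the specific request, and the verifier accepts each credential only once, so a captured credential cannot be replayed or re-pointed at another endpoint.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed example values; not real credentials.
STATIC_API_SECRET = "example-static-bearer-secret"
POD_A_KEY = b"constructed-per-machine-key-for-pod-a"


def bearer_verify(presented_token: str) -> bool:
    """Bearer model: the API grants access to whoever presents the static secret.
    A copy taken from a repo, a CI log or a captured request works just as
    the legitimate caller's does, for as long as the secret is not rotated."""
    return hmac.compare_digest(presented_token, STATIC_API_SECRET)


def make_mac(key: bytes, machine_id: str, counter: int, nonce: str,
             method: str, path: str) -> str:
    """HMAC-SHA256 over the machine identity, a per-machine counter, a fresh
    nonce and the request being authorized, so the credential is bound to
    exactly one request from exactly one machine."""
    msg = f"{machine_id}|{counter}|{nonce}|{method}|{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class MachineClient:
    """Caller side: mints a new single-use credential for every request."""

    def __init__(self, machine_id: str, key: bytes):
        self.machine_id = machine_id
        self.key = key
        self.counter = 0

    def credential(self, method: str, path: str) -> Dict[str, object]:
        self.counter += 1
        nonce = secrets.token_hex(8)
        return {
            "machine_id": self.machine_id,
            "counter": self.counter,
            "nonce": nonce,
            "method": method,
            "path": path,
            "mac": make_mac(self.key, self.machine_id, self.counter,
                            nonce, method, path),
        }


class OneTimeCredentialVerifier:
    """API side: accepts each credential at most once per machine."""

    def __init__(self, machine_keys: Dict[str, bytes]):
        self.keys = dict(machine_keys)
        self.last_counter = {m: 0 for m in machine_keys}
        self.seen_nonces = set()

    def verify(self, machine_id, counter, nonce, method, path, mac) -> Tuple[bool, str]:
        key = self.keys.get(machine_id)
        if key is None:
            return False, "unknown machine"
        expected = make_mac(key, machine_id, counter, nonce, method, path)
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"  # forged, or bound to a different request
        if counter <= self.last_counter[machine_id]:
            return False, "replayed or stale counter"
        if (machine_id, nonce) in self.seen_nonces:
            return False, "nonce reused"
        self.last_counter[machine_id] = counter
        self.seen_nonces.add((machine_id, nonce))
        return True, "ok"


def demo() -> Dict[str, object]:
    # Bearer model: the same static secret passes every time it is shown.
    bearer_first = bearer_verify(STATIC_API_SECRET)
    bearer_replay = bearer_verify(STATIC_API_SECRET)

    # One-time credentials: the genuine call succeeds; replaying the captured
    # credential fails; rebinding it to another path fails; the next fresh
    # credential from the same machine succeeds.
    verifier = OneTimeCredentialVerifier({"pod-a": POD_A_KEY})
    client = MachineClient("pod-a", POD_A_KEY)
    cred = client.credential("GET", "/orders")
    first = verifier.verify(**cred)
    replay = verifier.verify(**cred)
    tampered = verifier.verify(**dict(cred, path="/admin"))
    next_call = verifier.verify(**client.credential("GET", "/orders"))
    return {
        "bearer_first": bearer_first,
        "bearer_replay": bearer_replay,
        "one_time_first": first,
        "one_time_replay": replay,
        "one_time_tampered": tampered,
        "one_time_next_call": next_call,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verifier checks the MAC before the counter so that an attacker cannot learn a machine's counter position from error messages, and it keeps per-machine state, which is what lets an operator revoke one machine (drop its key from `keys`) without touching any other workload.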

Keep Your API Secrets Safe with Confidence

Leveraging an API identity and access management tool like Corsha enables you to:

  • Create automated, dynamic identities for trusted machines in both north-to-south and east-to-west API traffic.
  • Utilize one-time use MFA credentials to effectively authenticate access between pods, container servers, VMs, and IoT devices.
  • Monitor every machine accessing your APIs and terminate their access without impacting other workloads.

To learn more about how Corsha prevents attacks caused by compromised API credentials, check out our page CISA Zero Trust Security Model: What it means for API Security and explore how we can help with authentication, identity stores, automation, and orchestration capability.