Gartner projects that cybersecurity spending will grow by 11.3% in 2023 to more than $188.3 billion. Yet, many companies still leave their most vulnerable and most valuable resource unprotected against modern threats.
That resource is their APIs.
At the top of 2022, Gartner predicted that APIs would become the most common attack vector. That forecast was accurate. Infosecurity Magazine reported that detected API attacks in 2022 surged by 3.5 times year-on-year for the financial services sector alone. According to IBM, the average total cost of a data breach globally clocks in at $4.35 million.
Organizations are stepping up their cybersecurity game, but their attention to API security standards is still lagging behind. It’s high time for teams to implement more sophisticated API security strategies.
The good news is that elevating your API security standards doesn’t need to overhaul your enitre security strategy (or budget). API security isn’t a plus one — in fact, it’s a pillar of modern best practices. Here’s how small improvements to your API security can boost your overall security strategy.
Big Problems With the Bearer Model
When it comes to API security, the bearer model reigns supreme. You either have credentials for your APIs that provide and manage access, or you don’t.
But relying solely on the bearer model is not enough to completely secure your APIs. That’s because the bearer model only offers a single – and easily compromised – layer of defense for your APIs. One misplaced or leaked secret can inadvertently grant API access to a whole slew of malicious actors.
What’s compounding this issue? Often, there are too many credentials in play for security teams to humanly manage – let alone keep track of. According to Ponemon, 53% of organizations do not know exactly how many keys and certificates they have. That makes it difficult for teams to continuously monitor use, leaving them wide open for (you guessed it) breaches and leaks.
As API use increases, companies are adding more and more pressure to this thin, single layer of defense for APIs. This is a major weak point in overall security strategy. To build a stronger security posture, companies can evolve their API security standards to be multilayered and more robust. Here’s how.
API Security Strategies and Best Practices
Here are three steps to strengthen your API security practices and boost your defense against today’s malicious actors, data breaches, and attacks:
1. Gain Full Visibility Into All Your APIs
When it comes to securing your APIs, this old security adage rings true: You can’t protect what you can’t see. So how can security professionals defend the resources they don’t even know they have?
Having visibility into your APIs is the first critical step to building a robust security program.
Full visibility into your APIs means knowing what APIs your organization has, how your teams are using them, and who can access to them. Just as security teams need to engage in continuous discovery of the bounds of their IT footprint, they must also engage in continuous discovery of APIs in play.
Committing to continuous discovery helps:
- Uncover shadow APIs: According to Dark Reading, more than 30% of malicious attacks target shadow APIs – or the APIs you didn’t know you’re using. A good example of this is a third-party API, which traditionally might not be tracked but is certainly connected to an organization’s servers and systems. Once teams uncover shadow APIs, they can take the necessary steps to shore up their security.
- Find orphaned APIs: Sometimes teams can miss a few steps when deleting obsolete APIs. They’ll remove a gateway or a service but not the actual API itself, or they’ll inadvertently change an API ID. That can lead to orphaned APIs, or APIs inconsistently documented on the API Portal or API Gateway. Like shadow APIs, orphaned APIs can provide the perfect attack vector for malicious actors because they’re already flying under the radar.
2. Classify APIs From A Risk Perspective
Once you identify the APIs you’re using, what they’re doing, and who’s using them – then you can start to identify which might be at risk for attack.
A key benefit of auditing your APIs (aka gaining visibility into them) is the ability to then classify them from a risk perspective. For example, an API directly connected to sensitive IP might be higher risk than an API connected to already public email addresses or phone numbers. This helps hyperfocus your security strategies and teaches your teams where to keep an eye out for anomalies or suspicious behaviors – which can help nip breaches and leaks in the bud.
If you don’t know which APIs you have and moreover – which are the most vulnerable – then your security program has significant blindspots. Without visibility into their API services, organizations lack:
- Complete visibility into the credentials that grant access
- Complete visibility into the machines that are leveraging those credentials
That means that any machine that happens to hold the right credentials has the ability to access – or in this case, breach – those API services. When credentials are compromised, there’s little the bearer model can do to defend organizations against an attack. What could defend an organization here? Another layer of API defense.
That’s where multi-factor authentication comes in.
3. Shore Up Machine Identity Validation with MFA
Adding a second layer of security to your APIs, such as multi-factor authentication, can help you buttress your API security. Introducing this additional layer of security removes a dangerous over-reliance on static secrets. It mitigates the blow of when these credentials do eventually fall through the cracks.
Take it from a major global player, like Google. In 2021, the tech giant auto-enrolled its end users in two-step verification. By the end of 2022, their security teams reported a 50% decrease in compromised accounts.
Clearly, MFA just works. When it comes to API security, MFA also helps mitigate:
- Resource strain: The right MFA tool automates the creation and validation of dynamic identities, ensuring only authorized identities have access – with minimal to no human intervention.
- Budget constraints: Investing in credentials management can quickly turn into a bottomless money sink. With the number of credentials at play only growing, the budget it takes to track every secret, key, or token can exponentially increase. Investing in MFA is ultimately a lot more cost-effective.
Reach Security Goals Faster with Strong API Security Standards
Today’s malicious actors know that the bearer model is a weak line of defense. That’s exactly why they target APIs that are ultra-reliant on that one layer of security.
There’s been a major upgrade to today’s cybersecurity standards. It’s time for API security standards to follow suit. Using up-to-date strategies, like incorporating MFA, brings teams closer to achieving their ultimate security goals – faster, better, and within budget.