Gartner projects that cybersecurity spending will grow by 11.3% in 2023 to more than $188.3 billion. Yet, many companies still leave their most vulnerable and most valuable resource unprotected against modern threats.
That resource is their APIs.
At the top of 2022, Gartner predicted that APIs would become the most common attack vector. That forecast was accurate. Infosecurity Magazine reported that detected API attacks in 2022 surged by 3.5 times year-on-year for the financial services sector alone. According to IBM, the average total cost of a data breach globally clocks in at $4.35 million.
Organizations are stepping up their cybersecurity game, but their attention to API security standards is still lagging behind. It’s high time for teams to implement more sophisticated API security strategies.
The good news is that elevating your API security standards doesn’t need to overhaul your enitre security strategy (or budget). API security isn’t a plus one — in fact, it’s a pillar of modern best practices. Here’s how small improvements to your API security can boost your overall security strategy.
When it comes to API security, the bearer model reigns supreme. You either have credentials for your APIs that provide and manage access, or you don’t.
But relying solely on the bearer model is not enough to completely secure your APIs. That’s because the bearer model only offers a single – and easily compromised – layer of defense for your APIs. One misplaced or leaked secret can inadvertently grant API access to a whole slew of malicious actors.
What’s compounding this issue? Often, there are too many credentials in play for security teams to humanly manage – let alone keep track of. According to Ponemon, 53% of organizations do not know exactly how many keys and certificates they have. That makes it difficult for teams to continuously monitor use, leaving them wide open for (you guessed it) breaches and leaks.
As API use increases, companies are adding more and more pressure to this thin, single layer of defense for APIs. This is a major weak point in overall security strategy. To build a stronger security posture, companies can evolve their API security standards to be multilayered and more robust. Here’s how.
Here are three steps to strengthen your API security practices and boost your defense against today’s malicious actors, data breaches, and attacks:
When it comes to securing your APIs, this old security adage rings true: You can’t protect what you can’t see. So how can security professionals defend the resources they don’t even know they have?
Having visibility into your APIs is the first critical step to building a robust security program.
Full visibility into your APIs means knowing what APIs your organization has, how your teams are using them, and who can access to them. Just as security teams need to engage in continuous discovery of the bounds of their IT footprint, they must also engage in continuous discovery of APIs in play.
Committing to continuous discovery helps:
Once you identify the APIs you’re using, what they’re doing, and who’s using them – then you can start to identify which might be at risk for attack.
A key benefit of auditing your APIs (aka gaining visibility into them) is the ability to then classify them from a risk perspective. For example, an API directly connected to sensitive IP might be higher risk than an API connected to already public email addresses or phone numbers. This helps hyperfocus your security strategies and teaches your teams where to keep an eye out for anomalies or suspicious behaviors – which can help nip breaches and leaks in the bud.
If you don’t know which APIs you have and moreover – which are the most vulnerable – then your security program has significant blindspots. Without visibility into their API services, organizations lack:
That means that any machine that happens to hold the right credentials has the ability to access – or in this case, breach – those API services. When credentials are compromised, there’s little the bearer model can do to defend organizations against an attack. What could defend an organization here? Another layer of API defense.
That’s where multi-factor authentication comes in.
Adding a second layer of security to your APIs, such as multi-factor authentication, can help you buttress your API security. Introducing this additional layer of security removes a dangerous over-reliance on static secrets. It mitigates the blow of when these credentials do eventually fall through the cracks.
Take it from a major global player, like Google. In 2021, the tech giant auto-enrolled its end users in two-step verification. By the end of 2022, their security teams reported a 50% decrease in compromised accounts.
Clearly, MFA just works. When it comes to API security, MFA also helps mitigate:
Today’s malicious actors know that the bearer model is a weak line of defense. That’s exactly why they target APIs that are ultra-reliant on that one layer of security.
There’s been a major upgrade to today’s cybersecurity standards. It’s time for API security standards to follow suit. Using up-to-date strategies, like incorporating MFA, brings teams closer to achieving their ultimate security goals – faster, better, and within budget.