Understanding business and security risk
Even if an organization has developed a governance team, aligning integration decisions with business needs must be incorporated into the zero trust architecture. The company’s business model drives the applications chosen.
The senior leadership team needs someone who can translate technology risks and apply them to business risks. For example, security might be an organization’s differentiator. With that in mind, senior leadership may not care about individual exploits found in the wild but does care about the potential impact to the organization’s reputation.
To achieve these aligned security and business goals, organizations need to focus on services that can expose critical business applications and functions. For example, the Cloud Security Alliance (CSA) suggests the following best practices for development teams:
- Storage of application secrets: Secure encryption keys and application secrets
- Regex denial of service: Restrict input length to prevent denial of service availability risk
- Data sanitization: Know the data returned by the API and remove unnecessary sensitive data
- Protection of testing/staging environments: Secure testing and staging environment, including exposed interfaces, old versions of software, misconfigurations, leftovers, and more
- Valid TLS Certificate: Ensure that TLS certificate is valid, up-to-date, and signed
- SSL/TLS Cipher Suites: Enforce TLS and strong cipher suites
- Source IP limitation: Limit source IP addresses/range of clients reaching API as much as possible
- Exposed network interfaces: Review external-facing infrastructure related to the API hosting for network interfaces with exposed open ports
Standardizing APIs for enhanced security and compatibility
To create a zero trust architecture, organizations need all users, devices, and applications to authenticate to their network before being granted access. With threat actors looking to exploit APIs as an attack vector, filling in security gaps becomes fundamental to moving toward a zero trust architecture.
The National Institute of Standards and Technology Special Publication (NIST SP) 800-207, “Zero Trust Architecture,” explicitly notes that:
Vendors too often rely on proprietary APIs provided by partner companies rather than standardized, vendor-independent APIs to achieve this integration. The problem with this approach is that … the controlling vendor can change the API behavior, and integrators are required to update their products in response.
NIST SP 800-207 also notes that new standards address this problem. Without standardization, companies often find themselves unable to identify a minimum set of compatibility requirements for different applications. Ultimately, ensuring best practices for authentication, authorization, transport, and data traffic acts as a roadblock.
Partnering the organization’s development team with the security team enables companies to enhance API security. For example, both the Internet Engineering Task Force (IETF) and the Cloud Security Alliance (CSA) have developed API security guidelines.
Some considerations the CSA proposes for managing third-party API security risks include:
- Considering necessity: Does a lower-risk integration exist beyond the provided plugin?
- Considering provider: How does the SaaS platform and vendor plugin limit access?
- Reviewing permissions: If the integration’s permissions cannot be limited according to the principle of least privilege, are alternate configurations available or can permissions be changed later?
- Reviewing marketplace verification/certification: Are all integrations “Approved” or “Verified” or do unauthorized/uncertified integrations or plugin need to be reviewed?
- Turn on logging: Is the logging for the SaaS platform and integration provider robust enough to identify or investigate a breach?
Converging third-party risk management and zero trust architecture with API security
With the release of the Executive Order on Improving the Nation’s Cybersecurity, understanding zero trust becomes more important. Whether a company is in the federal supply chain or not, zero trust will become more than a security industry buzzword. Understanding how application development and API security fits into a zero trust model is critical to enhancing security.
Providing appropriate secure code training
No developer wants to write insecure code and have it break in production. However, organizations that want to leverage API security as part of their zero trust model, they need to provide their teams with the relevant training.
Ultimately, developers need both the training and the automation that can reinforce these best practices. Fundamentally, developers working to secure APIs need solutions that enable them to:
- Identify attack surface risks: endpoints, usage patterns, expected flows, and sensitive data exposure
- Mitigate risks: anomaly detection with effective alerts for and prevention of API abuses
- Continuous monitoring with simulated attacks: proactive vulnerability identification from production back to code
- Enforce secure schemas: API specification analysis, testing, and enforcement for security integration
With the right training and enabling tools, developers can build API security into their coding processes. Ultimately, this gives them the skills and technical functionalities to leverage API security as part of an organization’s zero trust model.
Leveraging API security for a zero trust strategy
Zero trust architectures are the way to secure data for the present and future. The increased use of cloud-delivered software ultimately requires any zero trust strategy to incorporate third-party vendor risk. API security acts as the bridge between these two previously unconnected security requirements.
Ultimately, developer teams need to integrate security into their daily tasks. This means continuous security testing, schema analysis, and runtime protection to discover unknown vulnerabilities, prevent attacks, and automatically shift left to mitigate risk. By accelerating remediation and eliminating API access according to the principle of least privilege, organizations can secure their technology supply chain and move toward a zero trust architecture.