Benefits of Adopting Zero Trust for API Security
Date: 15 December 2021
In May 2021, The White House published an Executive Order (E.O.) on Improving the Nation’s Cybersecurity. The third section of the E.O, entitled “Modernizing Federal Government Cybersecurity,” included recommendations for Federal Civilian Executive Branch (FCEB) agencies around implementing zero trust. It noted how “the Federal Government must … advance toward Zero Trust Architecture.”
Towards that end, it specified that FCEB agency heads needed to “develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance” within 60 days of the E.O taking effect. It went on to note that agencies’ “migration to cloud technology shall adopt Zero Trust Architecture” as well.
In this blog, we discuss what exactly is Zero-Trust and why is it so critical today for protecting cybersecurity infrastructure against ransomware attacks and other cyber threats.
What is Zero Trust & Why is it so Relevant Now?
Just as a refresher, the National Institute of Standards and Technology (NIST) defines zero trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” This shift means that security teams can’t trust a connection attempt just because an asset is in a particular segment of the network.
Under a zero-trust model, infosec personnel embrace the assumption that every user, asset, and resource is compromised. They can then use that mindset to validate (and re-validate) those sources on a per-session basis, acknowledging that they could suffer a compromise in the meantime.
Zero Trust Architecture (ZTA), which incorporates zero trust principles in the process of planning an enterprise network, is particularly relevant right now given the rise of remote and hybrid work.
Under these work arrangements, employees use personal devices connected to their home networks, among other locations, to access business assets hosted in the cloud. Security teams have no traditional network perimeter to enforce. What’s more, infosec personnel can’t ensure the security of every personal device and Wi-Fi network that employees are using to do their work under these models. Hence the need for security professionals to “never trust, always verify” connection attempts.
The challenges associated with remote and hybrid work might be here to stay, as well. Gartner predicted that 51% of knowledge workers will be doing their jobs remotely by the end of the year, for instance. That’s up from 27% in 2019. The technology research and consulting company went on to say that remote employees will make up about a third of the global workforce in that same period, nearly doubling their representation of 17% just two years prior.
APIs: Understanding Their Relevance and Security Challenges
It’s safe to say that the ongoing remote/hybrid work transformation described above might not be the force it is today without Application Programming Interfaces (APIs). Then again, many organizations might not have survived the events of 2020 without APIs, either. “Because of the power of APIs, organizations were able to implement changes in weeks or months that would have otherwise taken years,” explained Business Wire.
APIs empowered organizations to quickly respond to the pandemic and make changes to the ways they did commerce and hosted business assets. The pandemic is one of several reasons that the use of APIs is on the rise – users made 855 million API requests between October 2020 and October 2021, an increase of 56% over the previous year.
That said, APIs are difficult to secure using traditional means. Indeed, 37% of respondents to a survey covered by Help Net Security in 2021 listed “securing APIs” as one of their top application security challenges. This difficulty reflects the extent to which APIs can suffer from Broken Object Level Authorization and other vulnerabilities identified by the Open Web Application Security Project (OWASP) API Top 10 list. Digital attackers can exploit those weaknesses to compromise applications and the data that they handle.
How Zero Trust Can Help with API Protection
Fortunately, security teams can also apply zero trust principles to protect their organizations’ APIs. To do so, they need to embrace a comprehensive API security strategy that consists of three elements. First, VentureBeat notes that infosec teams can leverage zero trust to scale API governance, thus ensuring that they can balance their employer’s compliance needs with the desire to bring in new API and endpoint features on an ongoing basis.
Second, security teams need to restrict network access and enforce the principle of least privilege on resources. But they need to do so in a way that doesn’t undermine the purpose of APIs. In the words of Salt Security, “connectivity must be present for APIs to function, and many API attacks still occur in trusted channels and authenticated sessions.” This reality highlights the need for automatic baselining of “normal” API traffic so that the reconnaissance activities of bad actors looking for the unique vulnerabilities of a given API stand out clearly and can be stopped.
Finally, infosec personnel can look to zero trust to broaden API security beyond just the coding process. They can seek to manage their APIs’ security in every stage of the software development lifecycle (SDLC) by denying everything by default and authenticating every resource. In upholding these two foundations of zero trust, infosec personnel can manage API security as one of their priorities and not a bolted-on consideration.
Author: David Bisson
David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.