5 Critical Security Measures to Enforce API Security
November 2023 by Marco Palladino, CTO and co-founder of Kong
APIs are an increasingly popular cyberattack target, but proper attention to security and governance can help reduce your risk.
Although business and engineering leaders continue to rapidly accelerate API usage and integration across companies, effectively securing APIs remains a challenge. And keeping this critical infrastructure safe from malicious hackers has never been more urgent. A recent study conducted by Kong in conjunction with outside economists forecasts a 996% increase in API attacks by 2030. Our research also projects that API cyberattacks will cost the US economy over $500 billion by the end of the decade.
5 Steps to Enforce API Security
Effective API security strategies are multilayered and encompass various aspects of the API lifecycle. We’ve identified the most important security measures that require stringent enforcement.
1. Protect the network and transport layers: Start with low-level network enforcement at Layer 3 and Layer 4 (L3/L4). This is particularly important for edge APIs used by third parties outside an organisation. Businesses need to verify the legitimacy of incoming traffic before allowing it to progress any further.
To do this, you must filter and inspect traffic flows using inbound encrypted traffic inspection, stateful inspection, and protocol detection. These steps are critical to defeat data loss and known malware communications and support compliance requirements.
These steps may represent a change in thinking for many leaders; in the past, external threats were the biggest concern, but now internal threats (malicious actors and bots) and vulnerabilities are also an issue.
2. Implement zero trust: zero trust is a well-established concept in cybersecurity and it’s founded on the belief that you can’t trust who a client claims to be, regardless of whether it’s internal or external.
Consider: when you enter a foreign country, you must show your passport to validate your identity. Without passports, immigration agents would have to take your word about your identity, which could make their country vulnerable to malicious actions.
Keeping the "borders" of your APIs safe is no different. Zero trust is designed to validate every client’s identity. For starters, the "passport" could be an mTLS certificate issued to each service installer with every request.
To simplify this potentially complex endeavour, you could develop a service mesh to manage the entire certificate lifecycle (issuance, rotation, revocation) automatically, and handle enforcement with a sidecar proxy running transparently alongside it.
The result? Teams can be users of zero trust, not enforcers or builders.
3. Mandate user authentication and authorisation: Once you’ve validated the identities of the services using APIs, you must identify the user with authentication and authorisation strategies. These could include validating an API key or integrating with a third-party OpenID Connect (OIDC) or OAuth provider. It’s best to centralise how these policies are enforced, as decentralising it can enable considerable security risks.
4. Restrict traffic to the API: Security protocols or control measures shouldn’t end there. Consider restricting the traffic directed toward the API to manage user-level access. It’s like step 1 above but enhanced with rate-limiting or throttling strategies. These safeguards can prevent escalating failures from excessive traffic and allow API consumption tiers, which can serve as an additional revenue stream during busy seasons.
To optimise this strategy, employ intensive API monitoring and analytics, coupled with asynchronous machine learning capabilities to track traffic for each client and user. Platform teams can help the organisation’s security-approved API infrastructure run smoothly.
5. Enforce policies: To further mitigate risk, create a policy-enforcement workflow. Policy enforcement and control equate to compliance, yet they can be overlooked. Policy enforcement ensures that necessary policies are applied, correctly configured, not malicious, and won’t cause unexpected results. The faster you mandate and universally enforce global enforcement policies, the stronger your security measures can become.
Take Action Against Threats
At the end of the day, you must recognise and act on the increasing levels of threats against APIs by developing smart, agile security measures and protecting their integrity and endurance.