A false assumption of trust in business APIs

Digital business is driving significant growth and effectiveness for companies, to the point where it is becoming the have-and-have-not differentiator of success and even survival. Unfortunately, the drive to develop and deliver new revenue opportunities means that cybersecurity is left playing catch-up. Today, companies are opening up core areas of their business that were previously inaccessible to bad actors. Not so long ago this was unthinkable: companies vigorously defended these resources and kept outsiders away from them. Now companies connect core business systems with partners, suppliers and customers using APIs. By making these connections, organizations can provide better or faster services, achieve new levels of visibility or collaboration, and gain greater efficiency and effectiveness. Economic, competitive and business needs outweigh the risks, at least as they are commonly understood, or rather misunderstood.

API Risks and Trust

This access, typically through machine-to-machine interaction using business APIs, is carefully granted with an assumption of trust. When used correctly, these connections ensure productivity and growth. At the same time, these APIs open the door to theft and fraud far beyond anything seen before. Many companies do not see these risks as possible because the nature of fraud and abuse is relatively new and has not yet been consciously experienced. As a result, the current level of trust is unfounded and based on incorrect assumptions.

The misguided trust rests mainly on two wrong assumptions. First, because access to APIs is generally carefully managed, governed by evolving rules, and protected by industry-standard identity management, access controls, and authentication, organizations believe API usage will be limited to the legitimate, validated individuals the business prescribes. They believe that these individuals can be trusted and that their access is secured.

Business APIs and Intended Purpose

Second, organizations believe that business APIs are used only for their intended purpose and either cannot or will not be used in any other way. Businesses assume that an API designed to provide customer order status or shipping details cannot be used for something else, e.g. to steal customer data or to place fraudulent orders. Trust in an API's use is based on a combination of inherent technical parameters and design (it can only be used in a certain way) and on the ethical integrity of the third party. Facebook's trust in Cambridge Analytica is a good example of misplaced trust in how an API will be used.

The problem goes even deeper. Most organizations know only a fraction of the APIs in use. Business departments and even individual employees can roll out new apps or approve integrations between third-party business applications without the knowledge of IT security teams. Even for the known APIs, only a fraction of what they do, who can use them, and what normal interactions or traffic look like is understood. Documentation for business APIs often doesn't exist or is woefully sparse. APIs are subject to change without notice through unannounced updates or revisions. One of the oldest security maxims is, of course, that you can't secure what you can't see. This is certainly the case when protecting API usage. Organizations are unaware of the existence of many APIs, even less aware of how they operate, and have no way of assessing what behavior is going on inside them.

Known business APIs are largely unmonitored

Even known business APIs are largely unmonitored and uncontrolled, as companies have no visibility into them and no way to evaluate their behavior. Attackers can use these APIs to hijack and manipulate core systems with a high success rate. Most analysts agree that business-to-business APIs (aka B2B APIs) will become the number one security threat in a short period of time.

You can't put the genie back in the bottle — APIs are here to stay, and with good reason. Security or compliance teams can't cry that the sky is falling and hope to stop their use. Instead, security can act as a digital business enabler and manage the enormous potential risk by putting in place a system and processes that discover and monitor all APIs, automatically assess their behavior, and respond to significant anomalies. Digital business needs trust, but that trust doesn't have to be blind.
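
As an added illustration of the behavioral monitoring described above (example code written for this page, not code from the article or from any product), the following check runs over constructed access logs of a partner-facing order-status API and flags the two abuses discussed earlier: a credential reading orders that belong to another partner (the API used beyond its intended purpose) and a credential whose request volume departs from its observed baseline, plus a credential that is missing from the inventory altogether. The log format, the credential and partner names, and the ownership and baseline tables are all assumptions.

```python
import re
from collections import defaultdict
# Constructed access-log lines (timestamp, API key, method, path, status) for a
# partner-facing order-status API. key-B's partner owns only order 2001.
LOG_LINES = """\
2024-05-01T10:00:01Z key-A GET /orders/1001/status 200
2024-05-01T10:00:02Z key-A GET /orders/1002/status 200
2024-05-01T10:00:03Z key-B GET /orders/2001/status 200
2024-05-01T10:00:04Z key-B GET /orders/1003/status 200
2024-05-01T10:00:05Z key-B GET /orders/1004/status 200
2024-05-01T10:00:06Z key-B GET /orders/1005/status 200
2024-05-01T10:00:07Z key-B GET /orders/1006/status 200
2024-05-01T10:00:08Z key-B GET /orders/1007/status 200
2024-05-01T10:00:09Z key-Z GET /orders/1001/status 200
"""
# Assumed reference data: credential -> partner, order -> owning partner, and
# the distinct orders each credential normally touches per window (baseline).
KEY_OWNER = {"key-A": "partner-A", "key-B": "partner-B"}
ORDER_OWNER = {o: "partner-A" for o in range(1001, 1008)}
ORDER_OWNER[2001] = "partner-B"
BASELINE_DISTINCT_ORDERS = {"key-A": 5, "key-B": 2}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) /orders/(\d+)/status (\d{3})$")

def parse_line(line):
    """Return (api_key, order_id) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m.group(2), int(m.group(4))) if m else None

def analyze(lines, key_owner, order_owner, baseline, volume_factor=2.0):
    """Return (kind, api_key, detail) findings: unknown_credential (a key missing
    from the inventory), cross_partner_access (an order the key's partner does
    not own, i.e. use beyond the API's purpose), volume_anomaly (distinct orders
    above volume_factor x the key's baseline)."""
    findings, seen = [], defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an order-status call; out of scope for this check
        key, order_id = parsed
        if key not in key_owner:
            findings.append(("unknown_credential", key, order_id))
            continue
        seen[key].add(order_id)
        if order_owner.get(order_id) != key_owner[key]:
            findings.append(("cross_partner_access", key, order_id))
    for key, orders in seen.items():
        if len(orders) > volume_factor * baseline.get(key, 0):
            findings.append(("volume_anomaly", key, len(orders)))
    return findings
```

Calling `analyze(LOG_LINES.splitlines(), KEY_OWNER, ORDER_OWNER, BASELINE_DISTINCT_ORDERS)` reports five cross-partner reads and a volume anomaly for key-B and an unknown credential for key-Z, while key-A's normal traffic produces no finding.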
