Page 102 - Cyber Defense eMagazine December 2022 Edition
Addressing API vulnerabilities
Until now, organizations have often approached security by placing their trusted infrastructure and applications within a defined perimeter, with a key priority of protecting the company's assets and networks from unauthorized external access. Unfortunately, just because the hosts that share a trust zone are nominally protected from hackers outside the enterprise does not mean they are sufficiently protected from each other.

In fact, systems were left at greater risk of attack as intruders posed as internal users to breach perimeter security and then move freely across the network. A hacker could then access the victim's internal resources and steal information. The perimeter is no longer an effective barrier to intrusion, whether it's due to resources being increasingly moved to the cloud or the widespread use of telecommuting.
APIs are major entry points into systems and will continue to be key elements of data access management. But their usual defense mechanism - the use of API keys to limit access to a certain API - has shown its limitations, particularly because the keys can be stolen or are already in circulation. This weakness, now identified, makes it more difficult to validate the true identity of the caller when an API is invoked: whoever holds the key is treated as legitimate.
Reduce the security perimeter to protect individual assets
To ensure enterprise security, strong authentication techniques and proper API configuration have become essential. The ZTA (Zero Trust Architecture) approach can provide just that extra layer of protection.

However, it is critical to remember that a ZTA is not a standalone IT infrastructure architecture. It is an approach that recognizes that attacks can come from both inside and outside the network and, therefore, that no one can be trusted by default, not even bots.

The "Zero Trust" approach includes a set of best practices to strengthen security through more sophisticated protection of corporate assets. For science fiction fans, you could think of it as force fields around each asset: in this case, it makes more sense to consider individual protection than to try to protect the whole spaceship.
Accessibility must remain an essential consideration
Implementing a ZTA infrastructure means that internal and external entities are treated the same. Neither can access resources until they have been validated and have proven to be who they say they are, according to the company's rules. This rigor applies to all resources and communications, which must be governed by well-defined access restrictions. Applications and services must constantly authenticate any entity attempting to access a resource.

Organizations must therefore focus on certain key considerations, such as whether it is acceptable for each person to access a particular piece of information from a given location, regardless of where they are located. Can this microservice accept data from another microservice?
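As an added illustration of the two points above (a shared API key authorizes whoever holds it, whereas a zero-trust service verifies the caller's identity on every request and then consults an explicit policy for the microservice-to-microservice question), the following example is not from the article; the service names, secrets, policy table and the HMAC request-signing scheme are all constructed assumptions.

```python
import hmac
import hashlib

# Constructed example: each calling service holds its own secret and signs
# every request, so a leaked shared key no longer stands in for identity.
# Names, secrets and policy entries are assumptions, not from the article.
CALLER_SECRETS = {
    "billing-svc": b"constructed-secret-billing",
    "reports-svc": b"constructed-secret-reports",
}

# Explicit allow-list answering "may this service call that resource?":
# (caller, HTTP method, path). Anything not listed is denied.
POLICY = {
    ("billing-svc", "POST", "/invoices"),
    ("reports-svc", "GET", "/invoices"),
}

MAX_SKEW = 300  # seconds; bounds how long a captured request stays replayable


def sign_request(caller, method, path, body, ts, secret):
    """Bind caller identity, method, path, timestamp and body into one MAC."""
    msg = f"{caller}\n{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize(caller, method, path, body, ts, sig, now):
    """Return (allowed, reason). Nothing is trusted for being 'internal':
    every request is authenticated, then checked against the policy."""
    secret = CALLER_SECRETS.get(caller)
    if secret is None:
        return False, "unknown caller"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign_request(caller, method, path, body, ts, secret)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if (caller, method, path) not in POLICY:
        return False, "policy denies"
    return True, "ok"
```

A captured signature replayed after the skew window, a request signed with another service's secret, or an authenticated service calling a resource outside its policy entry are all rejected with distinct reasons, which is what a detection pipeline should log.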
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.