Page 102 - Cyber Defense eMagazine December 2022 Edition

Addressing API vulnerabilities

Until now, organizations have often approached security by placing their trusted infrastructure and applications within a defined perimeter, with a key priority of protecting the company's assets and networks from unauthorized external access. Unfortunately, just because the hosts that share a trust zone are nominally protected from hackers outside the enterprise does not mean they are sufficiently protected from each other.

In fact, systems were left at greater risk of attack as intruders posed as internal users to breach perimeter security and then move freely across the network. A hacker could then access the victim's internal resources and steal information. The perimeter is no longer an effective barrier to intrusion, whether because resources are increasingly moved to the cloud or because of the widespread use of telecommuting.

APIs are major entry points into systems and will continue to be key elements of data access management. But their usual defense mechanism - the use of API keys to limit access to a certain API - has shown its limitations, particularly because the keys can be stolen or are already in circulation. This weakness, now identified, makes it more difficult to validate the true identity of the caller when submitting an API request.



Reduce the security perimeter to protect individual assets


To ensure enterprise security, strong authentication and proper API configuration have become essential. And the ZTA (Zero Trust Architecture) approach can provide just that extra layer of protection.

However, it is critical to remember that a ZTA is not a standalone IT infrastructure architecture. It is an approach that recognizes that attacks can come from both inside and outside the network and that, therefore, no one can be trusted, not even bots.

The "Zero Trust" approach includes a set of best practices to strengthen security through more sophisticated protection of corporate assets. For science fiction fans, you could think of it as force fields around each asset: in this case, it makes more sense to consider individual protection than to try to protect the whole spaceship.




Accessibility must remain an essential consideration

Implementing a ZTA infrastructure means that internal and external entities are treated the same. Neither can access resources until they have been validated and have proven to be who they say they are, according to the company's rules. This rigor applies to all resources and communications, which must be governed by well-defined access restrictions. Applications and services must constantly authenticate any entity attempting to access a resource.

Organizations must therefore focus on certain key considerations, such as whether a particular person should be allowed to access a particular piece of information, wherever they happen to be connecting from. Can this microservice accept data from another microservice?
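The two points above, that a static API key alone cannot establish who the caller really is and that every service-to-service call must be authenticated and checked against explicit rules, can be made concrete in a small gateway check. The following is an added example written for this page, not code from the article or from any product it mentions: the caller presents a short-lived, HMAC-signed token naming its service identity; the gateway verifies signature and expiry, then evaluates an explicit allow-list of (caller, resource, action) with deny as the default. The source address is recorded but grants nothing, so an "internal" address is treated exactly like an external one. All service names, resource names and the signing key are constructed for the example.

```python
"""
Added example: a minimal zero-trust style authorization check for
service-to-service API calls. Not from the original article.

- Callers authenticate with a short-lived signed token, not a static API key.
- Policy is an explicit allow-list; anything not listed is denied.
- Network location (source_ip) is logged only and never grants access.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. A real deployment would use per-service keys,
# a token issuer, or mTLS client certificates as the identity source.
SIGNING_KEY = b"demo-only-signing-key-not-for-production"

# Constructed allow-list of (caller service, resource, action).
POLICY = {
    ("orders-svc", "inventory-api", "read"),
    ("orders-svc", "orders-api", "write"),
    ("billing-svc", "orders-api", "read"),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(caller: str, ttl_seconds: int = 60,
                now: Optional[float] = None) -> str:
    """Mint a token binding the caller identity to a short expiry."""
    now = time.time() if now is None else now
    claims = {"sub": caller, "exp": int(now) + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the authenticated caller name, or None if the token is
    malformed, has a bad signature, or has expired."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged or altered payload fails here.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None          # also catches a bare static key with no "." in it
    if claims.get("exp", 0) <= now:
        return None          # expired tokens are worthless even if genuine
    return claims.get("sub")


def authorize(token: str, resource: str, action: str, source_ip: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Authenticate the caller, then check the allow-list. Default: deny."""
    caller = verify_token(token, now=now)
    if caller is None:
        return False, f"deny: caller not authenticated (from {source_ip})"
    if (caller, resource, action) not in POLICY:
        return False, f"deny: {caller} may not {action} {resource} (from {source_ip})"
    return True, f"allow: {caller} {action} {resource} (from {source_ip})"


if __name__ == "__main__":
    tok = issue_token("orders-svc")
    # An internal source address does not help an unauthorized action.
    print(authorize(tok, "inventory-api", "read", "10.0.0.5"))
    print(authorize(tok, "orders-api", "read", "10.0.0.5"))
    print(authorize("my-static-api-key", "inventory-api", "read", "10.0.0.5"))
```

The decision is made per request, from a verified identity and an explicit rule, which is the practical meaning of "constantly authenticate any entity attempting to access a resource". Swapping the HMAC token for an mTLS client certificate or a signed JWT from a central issuer changes only `verify_token`; the deny-by-default policy check stays the same.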




            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.