Page 103 - Cyber Defense eMagazine December 2022 Edition

The ZTA approach has a basic two-step method for establishing and governing policies for these
            decisions: on the one end, policy decision points (PDPs) are used to model and govern the policies. On
            the other, policy enforcement points (PEPs) enforce those decisions.

            Organizations that use many APIs can do this most effectively with an API gateway (or, as frequently
            happens in larger organizations, multiple gateways) – but a truly universal approach to API governance
            is needed for the most accurate view.

            Universal governance doesn’t mean adding more gateways; different teams may want to keep their API
            gateways from different vendors or with different configurations. Rather, it is a governance layer that
            offers greater control over security and compliance for all APIs. Teams should be able to keep their
            flexibility, and the organization gets the final say in what is exposed or not.

            Observability is key: only a complete, centralized overview of all APIs, regardless of where they are –
            vendor-agnostic, multi-cloud, on-prem, hybrid – can bring all of an organization’s APIs securely into view.

            If you rely on an API gateway to accelerate ZTA efforts, be sure to adopt a token-based API access and
            authorization solution (e.g., OAuth or OpenID Connect) if you don’t already. By combining the two –
            universal API governance and a token-based strategy for API access and authorization – it is possible to
            implement the principle of least privilege, a security concept that limits a user's access to only what
            the task at hand requires.
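The PDP/PEP split and scope-based least privilege described above, as an added example that is not from the article: a gateway-side PEP verifies a signed token and asks a central PDP whether the token's scopes cover the requested route. The route names, scope names and the shared HS256 key are constructed assumptions; the `issue_token` function stands in for an OAuth authorization server.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed shared secret, demo only

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head: str, body: str) -> bytes:
    return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(sub, scopes, ttl=300, now=None):
    """Stand-in for the authorization server: issues an HS256-signed JWT."""
    now = int(time.time()) if now is None else now
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": " ".join(scopes), "exp": now + ttl}
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head, body))}"

# PDP: one central policy, one required scope per route (constructed routes).
POLICY = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}

def pdp_decide(method, path, claims):
    required = POLICY.get((method, path))
    if required is None:
        return False, "no policy for route (default deny)"
    if required not in claims.get("scope", "").split():
        return False, f"missing scope {required}"
    return True, "ok"

def pep_enforce(method, path, token, now=None):
    """PEP (gateway): authenticate the token, then enforce the PDP decision."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return 401, "unexpected algorithm"
        if not hmac.compare_digest(sign(head, body), b64d(sig)):
            return 401, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return 401, "malformed token"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    allowed, reason = pdp_decide(method, path, claims)
    return (200, reason) if allowed else (403, reason)
```

Because the policy table lives only in the PDP, several gateways can call the same `pdp_decide` and a route with no policy entry is denied everywhere by default.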



            A secure foundation gives organizations the confidence to open up

            To meet complex enterprise security requirements and adapt to the future, ZTA infrastructure that uses
            APIs, token-based access, and authorization in addition to API gateways can be customized through
            distributed policy enforcement.

            In the era of multi-cloud, on-premises, and distributed installations, these capabilities will prove
            increasingly important for anyone looking to improve API security in the short and long term. But
            ultimately, the true value of APIs is realized when they are adopted, not when they are built
            or secured.


            A recent study on API adoption found that 96% of IT decision makers are prioritizing securing digital
            experience in their API initiatives right now. But just as many of them (97%) are also seeking to improve
            customer experience, and 84% hope to enter new markets with their APIs.

            A secure foundation gives enterprises the confidence to unlock the true value of API products by exposing
            them on an API marketplace. By bringing them into one place for better adoption, management, and
            security, it is possible to fulfill the true potential of APIs to drive faster digital business outcomes.











            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.