Page 103 - Cyber Defense eMagazine December 2022 Edition
The ZTA approach has a basic two-step method for establishing and governing policies for these
decisions: at one end, policy decision points (PDPs) are used to model and govern the policies; at
the other, policy enforcement points (PEPs) enforce those decisions.
Organizations that use many APIs can do this most effectively with an API gateway (or, as frequently
happens in larger organizations, multiple gateways) – but a truly universal approach to API governance
is needed for the most accurate view.
Universal governance doesn’t mean adding more gateways; different teams may want to keep their API
gateways from different vendors or with different configurations. Rather, it is a governance layer that
offers greater control over security and compliance for all APIs. Teams should be able to keep their
flexibility, and the organization gets the final say in what is exposed or not.
Observability is key: only a complete, centralized overview of all APIs, regardless of where they are –
vendor-agnostic, multi-cloud, on-prem, hybrid – can bring all of an organization’s APIs securely into view.
If you rely on an API gateway to accelerate ZTA efforts, be sure to adopt a token-based API access and
authorization solution (e.g., OAuth or OpenID Connect) if you don't already. By combining the two –
universal API governance and a token-based strategy for API access and authorization – it is possible to
implement the principle of least privilege, a security concept that limits a user's level of access to only the
task at hand.
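The PDP/PEP split and the token-based least-privilege model described above, shown as a small added example (this is not code from the article or from any gateway vendor). The enforcement point first authenticates the token, then asks the decision point whether the token's scopes cover the one operation being requested; everything else is denied by default. The HMAC signing key, the policy table and the endpoint names are constructed for the demo; a real gateway would validate tokens against the issuer's published keys (typically RS256/ES256 via the OAuth/OIDC JWKS endpoint) and the PDP would normally be a separate service rather than a function in the same process.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key: a real gateway fetches the issuer's
# verification keys (e.g. from the OAuth/OIDC JWKS endpoint) instead.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Hypothetical policy table: each protected API operation names the single
# scope it requires. This is least privilege expressed as data: a token that
# carries only "orders:read" can do nothing but read orders.
POLICY = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("DELETE", "/orders"): "orders:admin",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the token issuer: builds an HS256 JWT-style compact token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now=None):
    """PEP step 1: authenticate the token. Returns its claims, or None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and anything unexpected
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature does not match: tampered or foreign token
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):  # malformed base64/JSON/structure
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # missing or past expiry is a rejection
        return None
    return claims


def policy_decision(claims: dict, method: str, path: str) -> bool:
    """PDP: decides whether the caller's scopes cover this specific operation."""
    required = POLICY.get((method, path))
    if required is None:
        return False  # deny by default: operations not in the policy are never exposed
    granted = set(claims.get("scope", "").split())
    return required in granted


def enforce(token: str, method: str, path: str, key: bytes = DEMO_KEY, now=None) -> tuple:
    """PEP: verify the token, then consult the PDP; returns (http_status, reason)."""
    claims = verify_token(token, key, now)
    if claims is None:
        return 401, "invalid or expired token"
    if not policy_decision(claims, method, path):
        return 403, f"scope does not permit {method} {path}"
    return 200, f"allowed for subject {claims.get('sub')}"


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    reader = make_token({"sub": "svc-reports", "scope": "orders:read", "exp": now + 300})
    print(enforce(reader, "GET", "/orders", now=now))   # read is within the granted scope
    print(enforce(reader, "POST", "/orders", now=now))  # write is not: 403 from the PDP
    print(enforce(reader, "GET", "/unknown", now=now))  # not in POLICY: denied by default
```

The gateway in this model only ever answers the question "may this token perform this one operation?"; adding a new API means adding a policy row, not widening an existing scope, which is what keeps the least-privilege property intact as the API estate grows.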
A secure foundation gives organizations the confidence to open up
To meet complex enterprise security requirements and adapt to the future, ZTA infrastructure that uses
APIs, token-based access, and authorization in addition to API gateways can be customized through
distributed policy enforcement.
In the era of multi-cloud, on-premises, and distributed installations, these capabilities will prove
increasingly important for anyone looking to improve API security in the short and long term. But
ultimately, the true value in API development is realized when APIs are adopted, not when they are built
or secured.
A recent study on API adoption found that 96% of IT decision makers are prioritizing securing digital
experience in their API initiatives right now. But just as many of them (97%) are also seeking to improve
customer experience, and 84% hope to enter new markets with their APIs.
A secure foundation gives enterprises the confidence to unlock the true value of API products by exposing
them on an API marketplace. By bringing them into one place for better adoption, management, and
security, it is possible to fulfill the true potential of APIs to drive faster digital business outcomes.