Monday, May 22, 2023

Are Your APIs Leaking Sensitive Data?

It's no secret that data leaks have become a major concern for both citizens and institutions across the globe. They can cause serious damage to an organization's reputation, induce considerable financial losses, and even have serious legal repercussions. From the infamous Cambridge Analytica scandal to the Equifax data breach, there have been some pretty high-profile leaks resulting in massive consequences for the world's biggest brands.

Breaches can also have a huge impact on individuals as well – ultimately leading to the loss of personal information, such as passwords or credit card details, which could be used by criminals for malicious purposes. Most notably victims are left vulnerable to identity theft or financial fraud.

When you think about the sheer volume of these leaks, one would imagine that the world would stop and focus on the attack vector(s) being exploited. The unfortunate reality is the world didn't stop. To make things more interesting, the most prominent attack vector is likely not what you or anyone thinks. Believe it or not, application programming interfaces (APIs) are a leading culprit of exposure and compromise.

That's right, hackers are increasingly exploiting APIs to gain access to and exfiltrate sensitive data. In 2022 alone, 76% of cybersecurity professionals admitted to experiencing an API security related incident. If that wasn't attention-grabbing enough, US businesses incurred upwards of $23 billion in losses from API-related breaches during the same time period. And unfortunately, many organizations are just starting to take notice.

With that said, in this article, we'll explore the potential consequences of data leaks, the role and impact APIs have, as well as how organizations can protect themselves from these risks.

Protecting data traversing your APIs

If you work in IT, it's obvious how essential security controls are to prevent sensitive data from being exposed or leaked. As such, organizations must take extra steps to protect their data from unauthorized access. Companies should invest in the latest security measures and ensure that all employees are aware of the importance of protecting sensitive information. If you haven't gotten the picture by now, this exercise should definitely include investing in API security.

Surprisingly to many technology professionals, API traffic now represents over 80% of the current internet traffic, with API calls growing twice as fast as HTML traffic. When you unpack this statistic, it becomes rapidly clear that APIs interact with all types of data - including sensitive data like credit card information, health records, social security numbers, etc. However, not as much attention is paid to securing APIs like that of network, perimeter, and application security. To be honest, many organizations struggle with even knowing how many APIs they actually have.

Pretty alarming, right? As the old saying goes, you can't protect what you can't see. And without an accurate API inventory and insight into sensitive data traffic, you cannot adequately address potential vulnerabilities and data leakage.

API gateways and web application firewalls (WAFs) only provide limited visibility into your API estate, as they only reveal API traffic that's routed through them. Also keep in mind that API inventory is more than just a number. You need to know how many APIs you have, including shadow and zombie APIs, as well as the types of data they engage with. Which is the other downside about WAFs and gateways – they simply don't provide visibility into the types of sensitive data that traverse your APIs. Without it, there can be dire consequences if sensitive data is ever exposed.

Adhering to compliance regulations

When you consider the increasing amount of data being collected and stored, satisfying data compliance regulations is equally important to securing sensitive data. That may sound a little strange considering how interdependent both practices are, but data compliance covers a wide range of topics, including privacy policies, data security measures, and customer rights.

To address variables like industry, geography, and data type, regulators around the world continue to enact and expand requirements for how organizations handle sensitive information, such as GDPR, HIPAA, PCI DSS, CCPA, and so on.

Adhering to these regulations can help protect the privacy of customers, prevent data breaches, and ensure that the collected data is secure and protected from unauthorized access or misuse. Which means identifying where data resides, where it's moved to, as well as where it's accessed from is critical to ensuring compliance and avoiding costly fines.

Again, this is where APIs play a major role. APIs are the connective tissue between your applications and devices. Whether you realize it or not, your organization's sensitive data is traversing APIs. Unfortunately, the idea of maintaining compliance within an organization is still very much thought of an exercise solely involving legacy infrastructure. Business and IT leaders need to pivot quickly as compliance is taking on a whole new dimension with the advent of APIs. API visibility should be paramount as sensitive data leaks can lead to some hefty compliance violations.

How to secure your APIs and sensitive data

Traditional application security solutions have been fundamental in cybersecurity stacks. However, despite their track record of success, APIs present unique security challenges that these solutions can't address. As we established earlier, API gateways and WAFs only provide visibility into the API traffic that passes through them.

When it comes to having the right tools, you need to invest in API security controls across the software development lifecycle to ensure your APIs are protected from code to production. It's really the only tangible strategy if you are serious about protecting your sensitive data and staying compliant with data privacy regulations. The four pillars that comprise a purpose-built API security platform are API discovery, posture management, runtime protection, and API security testing. Let's take a quick look at each and how they help you protect your sensitive data:

  • API Discovery: API discovery enables you to identify and inventory all your APIs across all data sources and environments.
  • Posture Management: Posture management provides a comprehensive view of traffic, code, and configurations to assess the organization's API security posture. also identifies all forms of sensitive data moving through the APIs.
  • Runtime Protection: Powered by AI and ML-based monitoring, runtime tools detect anomalies and potential threats in your API traffic, and facilitates remediation based on your preselected incident response policies.
  • API Security Testing: API security testing seeks to eliminate vulnerabilities before production, reduce risk, and thereby strengthen your compliance program.

As you can see, a comprehensive API security platform is required to gain complete control over your sensitive data. However, it also can be a bit overwhelming. With that said, a good place to start is by familiarizing yourself with posture management. Considering this facet is where personally identifiable information (PII) is classified and organized, it's probably best to begin here. You can download a free copy of the Definitive Guide to API Posture Management to get started.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News

No comments:

Post a Comment