Carlos Rodriguez Iturria is a Director of Data Integration, API and Security with foryouandyourcustomers.
Foryouandyourcustomers is a consulting boutique with 20 different offices across Europe and APAC. They specialize in all aspects of data, and API security is one of their strongest core capabilities. They can help you explore and maximize the use of your APIs so that they are effectively secured, governed and designed for reusability and consumption.
A bird sitting on a tree is never afraid of the branch breaking, because her trust is not in the branch but in her own wings. This line is very profound.
No matter what you do, there is no way you can avoid cyber-attacks, but you can avoid data breaches.
It is exactly the same way solution architects design solutions: based on failures that are eventually going to happen. In this case, it is not a question of if we are going to have cyber-attacks, but when we are going to receive one. When that happens, we want to ensure that we do not have a data breach.
We know APIs are important. APIs are everywhere. In the last few years API adoption has exploded. In the last year, we saw an exponential growth of 200% in the use of APIs, because APIs provide that level of business agility and speed. Many new APIs will keep arriving, and existing APIs will keep evolving. This creates a problem that we call the API explode effect: IT does not have enough capacity or capability to keep ensuring that all APIs are protected and secure. This creates issues. Around 76% of the organizations we spoke to have said that they have been breached in the last couple of years.
So, as an end user, I am worried about my personal data. I don’t know how my data and personally identifiable information is being shared and how it is being used.
As a technologist, I am excited, because it is a great opportunity to fix this problem.
Common reasons for data breaches
Known vulnerabilities – In most cases, data breaches are caused by known vulnerabilities. But these come to light only after the breach.
Rogue, zombie or shadow APIs – We leave many APIs running even when we are no longer using them. They are running when they should not be running. APIs should have a lifecycle and should be retired or evolve into another version as we progress. But, in reality, this is not the case.
Externally exposed credentials or keys – We believe that we are protecting our APIs, because everything is properly authenticated and authorised. But if the credentials or keys are not in our control, our APIs are exposed.
Operator errors – This is one of the most common reasons for data breaches. Security misconfigurations in infrastructure and services create entry points that can be exploited.
Undiscovered vulnerabilities and bugs – No software can be 100% bug free. Cyber criminals seek to identify and exploit undiscovered vulnerabilities lurking in your APIs.
Data breaches happen in two phases of the lifecycle of an API. The first is when an API is already running in production, serving customers and end users. The second is when we are developing and testing those APIs. There should be enough capability to discover these vulnerabilities before they are deployed.
Risk evaluation aims to reduce the financial impact of data breaches, cyber-attacks and operational disruptions. Five pillars to look at –
- Enterprise API inventory – Have an API asset inventory and discovery process. We need to go into the actual network, study the requests and communication, and catalog the API inventory. Everything that provides data can be hacked, so we have to be careful. Ensure you have schema documentation for these APIs.
- Uncover API vulnerabilities – Check vulnerabilities and prioritize remediation.
- API attack management – You should have an API security solution that tells you what can be done to stop an attack without human intervention. The detection and prevention of attackers and suspicious behavior in real time is important.
- Post-mortem analysis – Post-mortem analysis is important. If there is an attack, you need to know if that attack resulted in a data breach.
- Penetration testing – This is very important. It will identify vulnerabilities in your APIs before they are pushed into production, so you can remediate them before they are deployed.
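The inventory pillar above says to study the actual requests on the network and reconcile them against the documented API catalog; the "zombie or shadow APIs" reason earlier is what that reconciliation is meant to surface. The following is an added example (not code from the talk or from foryouandyourcustomers) that does exactly that on a constructed gateway access log: it templates numeric path segments, counts the endpoints actually in use, and splits them into documented, shadow (live but undocumented) and zombie (documented but idle). The log format, the sample paths and the documented catalog are all assumptions made for the example.

```python
import re
from collections import Counter

# Documented API inventory (constructed sample, stands in for an OpenAPI catalogue).
DOCUMENTED_APIS = {
    ("GET", "/v2/customers/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v2/orders/{id}"),
    ("GET", "/v2/products"),
}

# Constructed gateway access-log lines: client, method, path, status.
ACCESS_LOG = """\
10.0.0.5 GET /v2/customers/1042 200
10.0.0.5 GET /v2/customers/1043 200
10.0.0.9 POST /v2/orders 201
10.0.0.9 GET /v1/customers/export 200
10.0.0.9 GET /v1/customers/export 200
10.0.0.7 GET /internal/debug/config 200
10.0.0.7 GET /v2/products 200
"""

LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")

def normalise(path: str) -> str:
    """Collapse numeric path segments into {id} so instances map to one template."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def observed_endpoints(log_text: str) -> Counter:
    """Count (method, templated path) pairs actually seen on the wire."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse rather than guess at them
        _, method, path, _ = m.groups()
        seen[(method, normalise(path))] += 1
    return seen

def reconcile(documented: set, observed: Counter) -> dict:
    """Split traffic into documented-in-use, shadow (live, undocumented) and zombie (documented, idle)."""
    live = set(observed)
    return {
        "shadow": sorted(live - documented),
        "zombie": sorted(documented - live),
        "documented_in_use": sorted(live & documented),
    }
```

Run on a real gateway export, the "shadow" list is the starting point for the vulnerability and schema-documentation work, and the "zombie" list is the retirement candidate list.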
To summarize, if you are not thinking of these points, then you are at a high risk of data breach.