Getting API sprawl under control

Devops leaders are pressured to deliver digital transformation projects on time and under budget while developing and refining APIs at the same time. Unfortunately, API management and security are easily overlooked as development teams rush to complete projects on time. As a result, APIs have proliferated rapidly, multiplying while not all of a company's development teams had the API and security management tools they needed. More and more devops teams need a solid, scalable methodology to limit API sprawl and give each API least-privileged access. Additionally, devops teams need to move API management onto a zero-trust framework to help reduce the growing number of breaches occurring today. The recent webinar sponsored by Cequence Security and Forrester, Six Stages Required for API Protection, hosted by Ameya Talwalkar, founder and CEO, with guest speaker Sandy Carielli, Principal Analyst at Forrester, provides valuable insights into how devops teams can protect APIs. Their discussion also highlights how devops teams can improve API management and security.
“In the largest organizations, you’re dealing with hundreds of applications with APIs that expand and soon you’re dealing with tens of thousands or hundreds of thousands of APIs. So, the management and tracking of them become much harder and you still need all these different pieces to protect them.” Sandy Carielli, principal analyst at Forrester.

Cequence Security’s approach to solving the challenges of API protection starts with Discovery, identifying all public-facing APIs first, and progresses to inventory, compliance, detection, prevention, and detection.
“I will tell you that when I first started getting calls about API security, you know what question number one almost always was, or problem number one always was, was that discovery piece.” Sandy Carielli, principal analyst at Forrester.

Inferred from the webinar is the need for APIs to be managed as the vulnerable, unprotected open threat surfaces they are. Cybercriminals know how unprotected APIs are, and attack rates have grown at triple-digit rates as a result. APIs need to be managed using a zero-trust framework.
API threat surfaces need zero trust

API breaches at Capital One, JustDial, Venmo, Panera Bread, T-Mobile, the United States Postal Service, and others illustrate that thousands of APIs are left unprotected and are one of cybercriminals’ favorite attack surfaces. APIs need least-privileged access and must be managed using a more microsegmentation-based approach. These two elements of zero trust, combined with an Identity and Access Management (IAM) framework to organize APIs, will reduce the number of rogue and lost APIs that all enterprises are having trouble tracking today. Additionally, applying least privilege, microsegmentation and IAM will reduce the number of endpoints used for internal tests that are left open and can access APIs.
API lifecycles need to be built on zero trust

Security doesn’t need to be a constraint on devops anymore. Having zero trust ingrained into API lifecycles starts by not trusting client-supplied data and having a default-deny process to remove all implicit trust. Devops leaders need to build authentication into every phase of API lifecycles. The goal needs to be to design explicit trust into every API development and deployment project or initiative.
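The three elements above, authentication on every call, default deny with explicit per-endpoint grants, and distrust of client-supplied data, can be combined in one small authorization gate in front of an API. This is an added example and not code from the webinar or any Cequence product; the POLICY table, the scope names, the SCHEMAS table and the Request structure are hypothetical. The key property is that an endpoint absent from POLICY is denied even if the caller holds every scope, so a forgotten or test endpoint is not reachable by default.

```python
from dataclasses import dataclass, field

# Hypothetical policy: (method, route) -> scopes the token must carry.
# Any (method, route) not listed here is denied: explicit trust only.
POLICY = {
    ("GET", "/api/v1/users/{id}"): {"users:read"},
    ("POST", "/api/v1/orders"): {"orders:write"},
}

# Hypothetical schema for client-supplied bodies: field -> (exact type, max length or None).
# Routes without an entry accept only an empty body.
SCHEMAS = {
    ("POST", "/api/v1/orders"): {"sku": (str, 32), "quantity": (int, None)},
}


@dataclass
class Request:
    method: str
    route: str                  # already matched to a route template by the router
    authenticated: bool         # result of token verification, done before this gate
    token_scopes: frozenset
    payload: dict = field(default_factory=dict)


def validate_payload(route_key, payload):
    """Accept only the exact fields the schema names, with exact types and bounded lengths."""
    schema = SCHEMAS.get(route_key, {})
    if set(payload) != set(schema):
        return False  # unknown or missing fields are rejected, not ignored
    for name, (typ, max_len) in schema.items():
        value = payload[name]
        if type(value) is not typ:  # exact type: bool is a subclass of int and must not pass as int
            return False
        if max_len is not None and len(value) > max_len:
            return False
    return True


def authorize(req):
    """Return (allowed, reason). Every branch except the last one denies."""
    if not req.authenticated:
        return False, "unauthenticated"
    key = (req.method, req.route)
    if key not in POLICY:
        return False, "no policy for endpoint: default deny"
    missing = POLICY[key] - req.token_scopes
    if missing:
        return False, "missing scopes: " + ",".join(sorted(missing))
    if not validate_payload(key, req.payload):
        return False, "payload rejected"
    return True, "allowed"


if __name__ == "__main__":
    ok = Request("POST", "/api/v1/orders", True, frozenset({"orders:write"}),
                 {"sku": "ABC-123", "quantity": 2})
    stray = Request("GET", "/internal/test/debug", True, frozenset({"users:read", "orders:write"}))
    print(authorize(ok))
    print(authorize(stray))
```

Checking the result, a caller that is authenticated and carries every defined scope is still denied on an endpoint the policy does not name, and an order body with an extra field or a string quantity is rejected before any handler code runs. In a real service the same table would be generated from the API inventory, so that the inventory and the enforced policy cannot drift apart.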
Getting API governance right with zero trust

Devops leaders and their teams need help balancing their businesses’ ever-increasing need for APIs to support new digital transformation projects against the need to stay in compliance. Given the pressure to produce APIs so fast, devops teams deliver business benefits first and attempt to catch up on compliance, security and privacy as development schedules allow. There must be a shift to API-level trust, with a security context defined for each type of API produced.
Strengthening CI/CD and SDLC with zero trust

Attacks on source code supply chains make clear that zero trust must be core to continuous integration/continuous delivery (CI/CD) and SDLC devops frameworks and processes. SolarWinds-level attacks that successfully change core executables of an application and then infect an entire supply chain are making zero trust an urgent issue for devops teams to deal with today. Security stops being a roadblock to getting code out when it’s designed into the SDLC. SDLC cycles would also run faster because security would cease to be a bolt-on process pushed to the end of a project, improving governance at the same time.
API security is too important to be a bolt-on

Devops team leaders rush through release cycles for their APIs to get large-scale digital transformation projects out, often seeing security as a roadblock to getting work done. Security checks and audits on APIs are often not finished, or are completed only at a cursory level. Everyone on the devops team is pressured to meet or beat code release dates. API security becomes the bolt-on process no one has the time to deal with, contributing to API sprawl. When zero trust becomes a design goal for APIs and devops processes, security gets designed in and strengthened throughout the SDLC. IAM and microsegmentation will drastically improve inventory accuracy, reducing the threat of rogue or forgotten APIs bringing an entire platform or company down through a cyberattack.