Just over two months ago at Identiverse, we announced the acquisition of Elastic Beam, a startup leveraging artificial intelligence (AI) to stay ahead of the rapidly shifting landscape of attacks on APIs.
Today, we’re excited to announce the general availability (GA) of PingIntelligence for APIs, a solution designed to bring advanced API cybersecurity to API infrastructure of all kinds, including gateway and app server-based API environments.
API Security Today
For large organizations, APIs represent a path to accomplishing many of the goals outlined in their digital transformation plans. Private (or invite-only) APIs can help ease integrations and reduce development costs while enabling access to legacy data sources. And public (or open) APIs can accelerate a product’s time to value while supporting new business models and industry ecosystems. The transformative nature of APIs is fueling an accelerated adoption curve. And it’s clear to many that those who are rapidly adopting APIs throughout their organizations are often accelerating right past the unique vulnerabilities APIs can present.
“By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” - Gartner Research, “How to Build an Effective API Security Strategy”
In defense of developers everywhere building APIs to bring about transformative change, it’s not as if they’re leaving the door wide open. In fact, Gartner survey results found that the most commonly used capability (64% of respondents) of full lifecycle API management solutions is advanced API access control, often through the use of OAuth 2.0.
Source: Critical Capabilities for Full Life Cycle API Management, Gartner Research
Beyond access control, which includes API authentication and authorization, some enterprises also take advantage of security capabilities provided by API gateway and web application firewall (WAF) vendors such as transport security (TLS/SSL), traffic throttling and content inspection/validation. Combined, these provide a foundational set of security capabilities to protect APIs from attackers, but is this level of protection enough?
APIs and Policy-Based Security: Unfortunately Not Enough
APIs are proliferating faster than security teams can keep up with them. Secure software development practices meant to ensure the security of web applications can add weeks to development timelines and weren’t designed for API development. Many have taken steps to accelerate the process by leveraging policy templates based on application risk, but the highly diverse nature of APIs and their usage patterns also makes this practice insufficient. As an example, hundreds of write transactions in one day may be normal for one API but may represent an attack on another. And depending on the client, thousands of write transactions every so often on that same API could represent entirely legitimate behavior.
This diversity in use extends to traffic volume and type, session length, authentication type, client type and much more, which presents a significant problem for policy-based API security solutions, including gateways. If policies are too restrictive, the user experience will suffer. If policies are too lax, it could present a security vulnerability. And when multiple APIs are introduced onto enterprise networks each day, creating the right policy templates becomes extremely difficult.
Enterprise security teams could also build unique policies for each API, but it would introduce significant complexity and overhead costs while hampering the delivery timeline for new APIs. According to the Cloud Elements State of API Integration 2018 Report, over 50% of net new API integrations are built in under 30 days.
None of this is to mention the fact that policies are often implemented to address known vulnerabilities, such as those outlined in the OWASP Top 10. Many of the recent high-profile “leaky API” attacks leveraging unique and novel API attack vectors have gone unchecked by policy- and rule-based solutions, allowing hackers to breach the organization’s defenses -- using APIs. Hackers are also already increasing their chances of successful API breaches by leveraging artificial intelligence in attacks which adapt as soon as they run into policy-defined roadblocks. And as the use of AI for malicious purposes increases, the need for an AI-based defense does too.
API Security is a Big Data Problem
A survey on API security conducted by Ovum found that 44% of respondents spend over 50 hours a month setting or monitoring rate limits. Why? Because IT and security practitioners are attempting to manually balance security, user experience and business operations. Patterns of legitimate API use can change rapidly according to the business requirements of those consuming APIs. And remaining in contact with multiple business stakeholders to determine when and how those requirements might change is time consuming. And these efforts might be in vain. Hackers are now attacking and disabling API services with small numbers of API requests, often making the use of rate limiting a futile exercise.
Whether APIs are internal or external-facing, single-purpose or aggregate, or even microservices APIs, they all are subject to rapid and significant fluctuations in the types and volume of clients who need access as well as the types and number of transactions they’ll need to perform. This makes distinguishing between the legitimate use of an API and an API cyberattack extremely difficult with existing policy-based solutions. This is why an approach beyond policy for protecting API infrastructures is needed. One that uses AI to identify the "needle in the haystack" and deliver an increased level of intelligence into how each API is accessed and used.
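To make the argument above concrete, here is an added example (not code from this post or from PingIntelligence) that compares a single static write-rate limit against a per-API, per-client baseline learned from history. The API names, client names and daily counts are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed history: daily write counts per (api, client) pair over five days.
HISTORY = {
    ("reporting-api", "batch-job"): [2100, 1900, 2300, 2000, 2200],  # high volume is normal here
    ("reporting-api", "dashboard"): [40, 35, 50, 45, 38],
    ("profile-api", "mobile-app"): [12, 9, 14, 11, 10],
}

# Constructed observations for "today", keyed the same way.
TODAY = {
    ("reporting-api", "batch-job"): 2150,  # legitimate bulk load
    ("reporting-api", "dashboard"): 42,
    ("profile-api", "mobile-app"): 180,    # ~15x normal, yet well under a 500/day limit
}


def static_policy(counts, limit=500):
    """One rate limit applied to every API and client: flag anything above the limit."""
    return {key: today > limit for key, today in counts.items()}


def baseline_policy(history, counts, k=3.0):
    """Per-(api, client) baseline: flag when today exceeds mean + k * stdev of history.

    A pair with no history gets flagged for review rather than silently allowed,
    since there is nothing to compare it against."""
    verdicts = {}
    for key, today in counts.items():
        hist = history.get(key)
        if not hist:
            verdicts[key] = True
            continue
        mu, sigma = mean(hist), pstdev(hist)
        # Floor the deviation so a perfectly flat history does not produce a zero-width band.
        verdicts[key] = today > mu + k * max(sigma, 1.0)
    return verdicts


if __name__ == "__main__":
    for name, verdicts in (("static", static_policy(TODAY)),
                           ("baseline", baseline_policy(HISTORY, TODAY))):
        flagged = sorted(k for k, v in verdicts.items() if v)
        print(f"{name:8s} flags: {flagged}")
```

The static limit flags the legitimate bulk loader (too restrictive for one API) while passing the fifteen-fold jump on the profile API (too lax for another); the per-pair baseline gets both right.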
API Gateways and PingIntelligence for APIs: A Better Together Story
API gateways and full lifecycle API management solutions provide security capabilities vital to the protection of APIs. Combining these capabilities with PingIntelligence for APIs delivers deeper insight into all API activity and protects the APIs -- and the data and apps they connect -- with AI-based cyberattack detection and automated blocking. Together, you’ll be able to secure your API infrastructure with advanced access control (e.g. OAuth 2.0) and prevent breaches from common API attacks with an award-winning API security solution.
And join us for a panel discussion if you’re interested in learning how to secure your APIs like the professionals. The virtual event on September 17th will feature discussion from nationally recognized thought leaders in the API space.