Cloud migration. COVID-19. Globalization. IT infrastructure, data and users are more geographically dispersed than ever, and the traditional concept of a security perimeter is far less relevant. This is leading many organizations to adopt Zero Trust Architecture (ZTA) principles, many of which focus on assessing user trust and governing access to sensitive networks, systems, and data through the primary user interfaces. But as they design ways to assess trust on a continuous basis, many ZTA initiatives overlook the growing prevalence of API-based access to sensitive application functionality and data.

In the sections that follow, we'll highlight some of the points of intersection between APIs and ZTA. We'll also outline some initial steps that you can take to extend your ZTA to include APIs.

What is Zero Trust?

Zero Trust Architecture principles were introduced to mainstream enterprise security audiences by Forrester Research in 2010. Zero Trust has evolved greatly since then – both at Forrester and among numerous other industry stakeholders, including NIST in Special Publication 800-207 (NIST SP 800-207).

In simple terms, a Zero Trust Architecture assumes that no user or device can be implicitly trusted by default and should be subject to assessment every time access to a sensitive resource is attempted – and then continuously thereafter.

For many years, ZTA was more of a discussion topic than something that organizations were pursuing in the real world. But with the global migration of workers to their homes induced by the COVID-19 pandemic, many organizations were forced to push forward with tangible plans for adopting ZTA principles.

For example, in a January 2022 national security memorandum (NSM-8), the Biden administration directed all U.S. federal agencies to develop, within 60 days, a plan for ZTA adoption based on NIST SP 800-207 and other related guidance. Similar initiatives continue to take shape in the private sector.

Where do APIs and Zero Trust intersect?

NIST SP 800-207 outlines seven basic tenets of ZTA. While these tenets encompass much more than API-based access to application functionality and data, they also have very clear points of intersection with an organization’s API strategy.

The table below lists the seven basic tenets of ZTA as defined in NIST SP 800-207, with recommendations on aligning your organization's API security practices with each of them.


Basic Tenets of Zero Trust Architecture, each followed by its API Security Implications

Tenet 1: “All data sources and computing services are considered resources.”

Many of the applications and data sources within the scope of ZTA are accessible via APIs in addition to direct user interfaces. So API interfaces should be included in your ZTA assessment and policy enforcement model.

Tenet 2: “All communication is secured regardless of network location.”

Even if APIs are only intended for internal use within a private data center or cloud environment, encryption, authentication, and authorization should be implemented as though they were external-facing, to ensure data confidentiality and integrity.

Tenet 3: “Access to individual enterprise resources is granted on a per-session basis.”

Trust should be evaluated before access to an API resource is granted. Access should be granted with the least privileges possible. Behavioral analytics should be used to monitor API usage and continuously assess trust.

Tenet 4: “Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.”

In order to apply ZTA to APIs, you need to be able to identify the entities involved, infer business context, and use behavioral analytics to identify deviations from normal usage patterns.

A behavioral attribute of note is denial of service through rapid API calls. This is why a lack of API rate limiting is an OWASP API Top 10 vulnerability.

As NIST notes, “These rules and attributes are based on the needs of the business process and acceptable level of risk.” 

Tenet 5: “The enterprise monitors and measures the integrity and security posture of all owned and associated assets.” 

This requirement is based on the Continuous Diagnostics and Mitigation (CDM) concept defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CDM includes elements such as asset management, vulnerability management, and configuration and settings management.

Just like physical assets, APIs must be continuously discovered, classified, and tracked. Similarly, ongoing vulnerability assessments should extend beyond traditional network and application security vulnerabilities to include possible API-based vulnerabilities.

Tenet 6: “All resource authentication and authorization are dynamic and strictly enforced before access is allowed.”

This concept can and should be extended to APIs. Organizations adopting ZTA should continuously monitor API usage and take automated response actions (e.g., block, limit, revoke credentials) when anomalous or abusive behavior is detected within authenticated and authorized API traffic.

Tenet 7: “The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.” 

In order to be an effective element of a ZTA, your API security measures must be capable of capturing data over extended time periods – ideally long enough to detect subtle API abuse.

This level of detail is necessary to perform behavioral analytics for both real-time risk assessment and ongoing improvements to the ZTA design. This includes providing on-demand access to API and threat data to threat hunters for use in identifying possible policy improvements. Similar integration points should also be created with the development and operational tools and workflows that your teams use.
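As an added illustration of Tenets 3, 4 and 6 (not code from the original post or from any vendor product), the following Python sketch evaluates every API call against credential validity, required scope, device posture and the client's request rate relative to a learned baseline, and returns allow, limit or deny. The route policy, thresholds and sample traffic are constructed assumptions.

```python
"""Per-request Zero Trust decision for an API: credential and scope re-checked on
every call (Tenet 6), device posture as an observable asset attribute (Tenet 4),
and request rate against a learned per-client baseline (Tenets 3/4). Constructed."""
from collections import defaultdict, deque
WINDOW_SECONDS = 10      # sliding window used for the rate check
BURST_MULTIPLIER = 4     # 'limit' a client above 4x its baseline requests/window
DEFAULT_BASELINE = 5     # assumed requests/window for clients with no history
REQUIRED_SCOPE = {       # scope needed per (method, path template); assumed policy
    ("GET", "/v1/accounts/{id}"): "accounts:read",
    ("POST", "/v1/transfers"): "transfers:write",
}

class RateTracker:  # per-client request timestamps inside the sliding window
    def __init__(self):
        self._events = defaultdict(deque)
    def observe(self, client, ts):
        q = self._events[client]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:   # drop timestamps outside the window
            q.popleft()
        return len(q)

def decide(req, baselines, tracker):
    """Return (action, reason); action is 'allow', 'limit' or 'deny'."""
    if not req["token_valid"]:                        # no implicit trust per call
        return "deny", "invalid or expired credential"
    needed = REQUIRED_SCOPE.get((req["method"], req["path_template"]))
    if needed is None or needed not in req["scopes"]:
        return "deny", f"missing scope {needed or '(no policy for route)'}"
    if req["method"] != "GET" and not req["device_compliant"]:
        return "deny", "write from non-compliant device"
    count = tracker.observe(req["client"], req["ts"])
    baseline = baselines.get(req["client"], DEFAULT_BASELINE)
    if count > BURST_MULTIPLIER * baseline:           # behavioral anomaly -> limit
        return "limit", f"{count} requests in {WINDOW_SECONDS}s vs baseline {baseline}"
    return "allow", "ok"

def run_sample():
    """Constructed traffic: a valid reader, a revoked token, a write from a
    non-compliant device, then a burst from one client. Returns action per call."""
    base = dict(token_valid=True, scopes={"accounts:read", "transfers:write"},
                device_compliant=True, method="GET", path_template="/v1/accounts/{id}")
    reqs = [dict(base, client="app-a", ts=1.0),
            dict(base, client="app-b", ts=1.5, token_valid=False),
            dict(base, client="app-c", ts=2.0, method="POST",
                 path_template="/v1/transfers", device_compliant=False)]
    reqs += [dict(base, client="app-d", ts=3.0 + i * 0.1) for i in range(25)]
    baselines = {"app-a": 10, "app-d": 5}   # learned from historical traffic
    tracker = RateTracker()
    return [decide(r, baselines, tracker)[0] for r in reqs]
```

In the sample run the burst client is allowed for its first 20 calls in the window and limited from the 21st onward, which is the "limit" response of Tenet 6 driven by the behavioral attribute of Tenet 4.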


What API protection techniques should be included in a Zero Trust Architecture? 

One of the biggest challenges that most organizations adopting ZTA have is deciding where to start. In the case of API security, implementing the following capabilities will make an immediate impact on your security posture while also giving you the foundation you need to incorporate API security into your future ZTA plans.

  1. Implement continuous API discovery and maintain accurate inventory of all APIs and API-accessible assets.
  2. As unsanctioned APIs are discovered, ensure that systematic workflows are in place to either bring them into management or eliminate them.
  3. Implement sound API authentication and authorization regardless of whether APIs are public or private.
  4. Proactively identify API vulnerabilities as an ongoing discipline, starting with the OWASP API Top 10.
  5. Develop the capabilities to analyze large API traffic datasets to baseline normal behavior and perform anomaly detection.
  6. Feed threat and trust insights into ZTA policy engines, via API integrations, as those engines are implemented.
  7. Initiate automated responses when API vulnerabilities, threats, and abuse are surfaced.
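Steps 1 and 2 above, as an added example that is not part of the original post or any vendor product: the Python sketch below discovers APIs from gateway access logs by reducing observed paths to templates, compares them with a sanctioned inventory, and reports unsanctioned endpoints for the bring-into-management-or-eliminate workflow. The log format, inventory and sample lines are constructed assumptions.

```python
"""Continuous API discovery from gateway access logs (steps 1 and 2 above):
observed endpoints are reduced to path templates, compared with the sanctioned
inventory, and unsanctioned ones reported for triage. Constructed example."""
import re
SANCTIONED = {   # assumed inventory: (method, path template) -> owning team
    ("GET", "/v1/accounts/{id}"): "payments",
    ("POST", "/v1/transfers"): "payments",
}
# Assumed log format: "<timestamp> <client> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Variable path segments (numeric ids, UUIDs) collapse into a placeholder
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f-]{36})$")

def template(path):
    """'/v1/accounts/42?x=1' -> '/v1/accounts/{id}' (query string dropped)."""
    segments = path.split("?")[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(s) else s for s in segments)

def discover(lines):
    """Return {(method, template): {'calls', 'clients', 'sanctioned'}}; 404s skipped."""
    inventory = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unparseable line; count elsewhere
        _, client, method, path, status = m.groups()
        if status == "404":
            continue                      # route does not exist; not a live API
        key = (method, template(path))
        entry = inventory.setdefault(
            key, {"calls": 0, "clients": set(), "sanctioned": key in SANCTIONED})
        entry["calls"] += 1
        entry["clients"].add(client)
    return inventory

def unsanctioned(inventory):
    """Endpoints observed in traffic but absent from the inventory (step 2 input)."""
    return sorted(k for k, v in inventory.items() if not v["sanctioned"])
SAMPLE_LOG = """
2022-03-01T10:00:00Z app-a GET /v1/accounts/42 200
2022-03-01T10:00:01Z app-a GET /v1/accounts/77 200
2022-03-01T10:00:02Z app-b POST /v1/transfers 201
2022-03-01T10:00:03Z app-c GET /v1/internal/export?all=true 200
2022-03-01T10:00:04Z app-c GET /v1/internal/export 200
2022-03-01T10:00:05Z unknown GET /admin/config 404
2022-03-01T10:00:06Z app-d DELETE /v1/accounts/42 403
"""   # constructed sample; includes a shadow endpoint and a rejected delete
def run_sample():
    inv = discover(SAMPLE_LOG.strip().splitlines())
    return inv, unsanctioned(inv)
```

On the sample log the shadow export endpoint and the unlisted DELETE route surface as unsanctioned even though the DELETE was rejected with 403, since a route that answers at all belongs in the inventory.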

Take the first step

Getting started with ZTA and systematic security can seem daunting. But it doesn’t have to be. Visit neosec.com to access a free trial of our 100 percent cloud-based API security platform.
