Protecting APIs from data breaches with zero trust security

You have read the headlines: over and over again, hackers gather the private data of millions of users. In recent breaches, hackers accessed the data of millions of customers through an unsecured or vulnerable API. A similar breach occurred less than a year ago when the personal data of close to 10 million customers was accessed from an Australian private health insurer.

Importance of zero trust architecture

These cases highlight the importance of zero trust principles that eliminate the inherent trust in the system in order to limit movement and data exposure in case of a breach. 

The two key components of every zero trust architecture (ZTA) are a policy decision point (PDP) and a policy enforcement point (PEP). Together, the two components determine whether access to a specific resource should be allowed or denied. 

It is important to protect APIs with a PEP. It is also critical that upstream environments have sufficient integration with PEPs in order to attest that a policy decision was made all the way down the chain. Perimeter gateway-based trust alone is not zero trust.

You can read more about the importance of zero trust in this white paper.

APIs, API gateways, and security

APIs are critical to any business as they allow applications to communicate and work together. An API gateway, a component that sits between the APIs and various clients or services, provides a standardized way to access the data and strives to make the API communication manageable and secure. In addition to securing the APIs, the gateways can provide other features such as authentication, analytics, and others. 

For an in-depth overview of API gateways, check out the API gateways in the cloud native world blog post

There are a couple of best practices to follow whenever working with APIs and API gateways. One of the principles of ZTA talks about reducing any implicit trust zones and making them as small as possible. We can achieve that by implementing separate API gateways for each use case. This also includes separating the internal and external APIs. 

If the APIs aren’t consumed externally, there’s no real need to expose them like that. Additionally, it is critical that gateway policy management allows for global controls around the degree of authentication required for external APIs, and that environments behind the gateway can attest that those controls were applied to incoming traffic.

We also need to consider the API’s lifecycle and manage deprecated and unused APIs. Keeping unused and deprecated APIs around can present a security risk, especially if they need to be maintained and upgraded. An API gateway can help with this as it allows us to measure and analyze the usage. Unused APIs or APIs that receive an unusual amount of traffic should be the ones you pay attention to.

This brings us to the monitoring and analytics aspect of the API gateways. Centralized metrics and logs that capture information about traffic and requests allow us to get visibility into potential threats before they get exploited by bad actors. 

You can read about other key best practices to secure the API gateway

How can help has worked with many customers to implement modern, cloud native API gateways for improved developer productivity with a focus on resiliency and security. 

We offer a robust modern API gateway platform – Gloo Gateway – that leverages the foundations of open source tools like Istio and Envoy. 

Gloo Gateway is a feature-rich next-generation API gateway, built for highly dynamic environments with decentralized ownership in mind. Gloo gateway enables robust API gateway security by providing defense-in-depth:

  • TLS and mTLS
  • Secrets management (in Kubernetes and using Hashicorp Vault)
  • Extensive authentication, including API keys, JSON web tokens (JWT), lightweight directory access protocol (LDAP), OAuth, OpenID Connect (OIDC), and custom services
  • Built-in web application firewall (WAF)
  • Built-in data loss prevention (DLP)
  • Federated RBAC
  • Open policy agent for authorization 
  • Integrated vulnerability scanner

 Want to learn how to secure your APIs using zero trust security?

Click here to talk to an expert.