Recommendations for Mitigating the Rising Risk of API Access


April 13, 2021

For a decent number of years now as an Intragen consultant, I’ve had the privilege of meeting numerous organisations in different verticals to discuss the challenges around identity and access governance (IAG). Mostly those discussions have focused on employee and external identity use cases.

In essence, all these complex discussions can be broken down to the three 'W's:

  • Who is who,
  • What level of access they have to systems and services,
  • and, last but definitely not least, Why they have that access.

Governing employee and external user access is a good foundation to start on, but the governance journey does not stop there. If the key driver is to improve security and be compliant, governing employees, externals and privileged users does not account for all access. For a few years now there has been a rising risk-bucket that needs to be addressed.

The API in the room

The risk-bucket is of course API Access. The number of API accesses within organisations has grown dramatically, driven by the rise of DevOps practices and large-scale initiatives like Industry 4.0 and Open Banking that essentially require companies to allow third parties secure access to their data.

Even without these initiatives the global race for better efficiency has led companies to outsource a lot of supportive functions, like invoicing, to online services, and these services are usually called via an API. All web-based applications usually communicate through an API, REST probably being the most common standard at the moment.


Why would you want to govern API access? Because it is a blind spot, and according to Gartner APIs will be the biggest attack surface in 2022, which means they will be the most common entry point for data breaches. This is a considerable risk. And just like with any risk, to mitigate it you first need to identify it. Here’s how I would start:

  • Identify all APIs used to access your organisation’s services or functions,
  • Assess the risk of each API based on the data and functionality it exposes,
  • Formulate the API governance and security practice.
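To make the first two steps concrete, here is an added example (not part of the original post or any Intragen or Ping Identity tooling) that builds an API inventory from a few constructed gateway log lines and ranks each endpoint by data sensitivity, functionality (read vs. write) and exposure (whether calls arrive unauthenticated). The log format, the client and auth fields and the sensitivity table are all assumptions standing in for whatever your gateway and data classification actually provide.

```python
import re
from collections import defaultdict

# Constructed sample gateway access log (assumed format, not from a real system).
SAMPLE_LOG = """\
2021-04-13T10:00:01Z GET /api/v1/invoices/123 200 client=billing-svc auth=oauth2
2021-04-13T10:00:02Z POST /api/v1/invoices 201 client=partner-bank auth=oauth2
2021-04-13T10:00:03Z GET /api/v1/customers/42/profile 200 client=crm-sync auth=apikey
2021-04-13T10:00:04Z DELETE /api/v1/customers/42 204 client=legacy-job auth=none
2021-04-13T10:00:05Z GET /api/v1/health 200 client=monitor auth=none
"""

LINE_RE = re.compile(
    r"^\S+ (?P<method>[A-Z]+) (?P<path>\S+) \d{3} client=(?P<client>\S+) auth=(?P<auth>\S+)$"
)

# Hypothetical data-sensitivity classification by path prefix (0 = none, 3 = personal data).
SENSITIVITY = {"/api/v1/customers": 3, "/api/v1/invoices": 2, "/api/v1/health": 0}

def normalise(path):
    # Collapse numeric identifiers so /invoices/123 and /invoices/456 count as one API.
    return re.sub(r"/\d+", "/{id}", path)

def inventory(log_text):
    """Step 1: map (method, normalised path) -> observed clients and auth modes."""
    inv = defaultdict(lambda: {"clients": set(), "auth": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess at them
        key = (m["method"], normalise(m["path"]))
        inv[key]["clients"].add(m["client"])
        inv[key]["auth"].add(m["auth"])
    return dict(inv)

def risk_score(method, path, auth_modes):
    """Step 2: data sensitivity x functionality x exposure (unauthenticated calls weigh most)."""
    data = next((s for prefix, s in SENSITIVITY.items() if path.startswith(prefix)), 1)
    functionality = 2 if method in ("POST", "PUT", "PATCH", "DELETE") else 1
    exposure = 3 if "none" in auth_modes else 1
    return data * functionality * exposure

def assess(log_text):
    """Return (score, method, path) tuples, highest risk first."""
    inv = inventory(log_text)
    return sorted(((risk_score(m, p, e["auth"]), m, p) for (m, p), e in inv.items()), reverse=True)

if __name__ == "__main__":
    for score, method, path in assess(SAMPLE_LOG):
        print(f"{score:3d}  {method:6s} {path}")
```

The unauthenticated DELETE on customer records lands at the top of the list, which is exactly the kind of blind spot the governance practice in step three should then cover.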

If your organisation has an access management solution in place, it usually has some level of API Security capabilities that you should look at. For example, Ping Identity offers very thorough API Security features that allow you to gain proper control and governance over your API infrastructure.

If you are interested in API Security in more detail and without any vendor glitter, I recommend checking the API security guidelines that The Open Web Application Security Project (OWASP) has put together, which you can download for free here.

No matter how you choose to proceed to increase your API security, it is important that you do.

I’m happy to help you with any questions you may have, just connect with me on LinkedIn or drop me a message.

- Kalle Niemi, Intragen Business Consultant