API security: A Brief API Protection Introduction

API Security – Protect Confidential Company Data

Tim Allgaier, Technical Product Manager BIS, SEEBURGER

The attack rate on corporate data transmitted via unsecured APIs is increasing, making it more important than ever to protect APIs and the services behind them. The role of API security in the enterprise has therefore become critical. The lack of API security today can in fact lead to massive data loss and economic damage.

APIs Today And Tomorrow

API security is not a buzzword, but rather an increasingly important concept as APIs become prevalent. Based on market research[1] including input from various industry analysts, it is estimated that in 2021 and 2022 APIs will be the most widely used attack vector on companies and data. With the number of APIs in use growing rapidly, companies must take action to ensure that they are protected, with API security.

What Is API security?

When you think of cyberattacks, images of movie-like hacker activities may enter your mind. Real attacks aren’t quite like they are in the movies, but they are very real. To protect your organization, API security covers a variety of areas, starting with the overall API management structure and API design decisions, followed by technical security mechanisms. API security also includes the API gateway, backend systems and their provided services. This applies to both provision and consumption use cases of APIs.

More and more companies rely on APIs, both internally and externally: they provide services to API consumers and consume external services themselves. This drives up the daily number of API calls and the volume of transferred data. To protect this data and these services, API security has to meet several requirements:

  • The right data must be provided to the right user at the right time.
  • Sensitive internal company data, such as financial data, should be accessible to authorized users only.
  • Backend systems must be safeguarded against possible overload to avoid failures.
  • There must be protection for the API, the gateway, and underlying systems to avoid damage or uncontrolled loss of data through access by third parties or unauthorized persons.

The main aspects of API security can therefore be summarized in two categories:

  1. API security is about threat protection: protecting data and systems from malicious intent by fending off attacks against the API and the backend. For this purpose, API security includes elements such as content validation and traffic management, for example throttling.
  2. API security is about access control: identifying the calling party and determining its right to use the API, i.e. which users and applications are allowed to access it. Standards and techniques such as OAuth 2.0, JSON Web Tokens and token validation in general play a fundamental role here.

The truth is, although API security is important, it is often done improperly, or not at all.

The Effect of Bad API Security Implementation

One of the best-known real-world examples of missing API security, and of what can be done with the collected data, involves a well-known payment service based in the U.S. This service enables money transfers between individuals. To use it, a user must create an account by entering basic information such as debit or credit card details, a username, a phone number and/or an email address. A transaction between two persons involves the following information: first and last name, a profile photo, an accompanying message, their Facebook ID, the transaction date and the status of the transaction.

If a user does not adjust the security settings, all transactions are publicly visible by default. The payment service provider even offers a public API through which all public transactions can be accessed. In this case, the public API offered no API security features at all. Imagine the consequences of this lack of API security for the protection of data.

An analyst collected and evaluated all transactions over an entire year. The public API provided all the necessary information: due to the lack of API security, there was neither authentication nor authorization for retrieving the data, and no data filtering. With simple analysis tools the data could be evaluated, and in some cases it yielded very detailed information about individuals, including health conditions that could be deduced from the available information.

Due to the lack of API security mechanisms, 207,984,218 transactions by 18,429,464 different people could be viewed. Because of these transactions, over 1,700,000 linked Facebook IDs were exposed. Fun fact: Within one year almost 3,000,000 transactions were made for pizza.

If API security mechanisms such as authentication and authorization had been implemented, each person would have been able to see only their own transactions, not everyone else's. It also would not have been possible to create profiles like the one the analyst built: a young woman with a Greek name who has friends in Texas and Mexico City and who, within 8 months, made 865 transactions for soda, alcohol, fast food and sweets. Such information would likely be of great interest to a health insurance company.
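As an added example (not code from the article or from SEEBURGER's product), the following Python sketch applies the two categories described above to the transaction case: a public endpoint that returns every record, beside a secured endpoint that validates a bearer token, returns only the caller's own transactions, and throttles per caller. The transaction records, the signing secret and the minimal HMAC-signed token format are constructed for the example and stand in for a real JWT and identity provider.

```python
import base64, hashlib, hmac, json, time
from collections import defaultdict
SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in practice

# Constructed sample data: each transaction names the paying and receiving user.
TRANSACTIONS = [
    {"id": 1, "from": "alice", "to": "bob", "memo": "pizza"},
    {"id": 2, "from": "bob", "to": "carol", "memo": "rent"},
    {"id": 3, "from": "carol", "to": "alice", "memo": "soda"},
]

def issue_token(user_id, ttl=3600):
    """Mint a minimal HMAC-signed bearer token (a stand-in for a real JWT)."""
    claims = json.dumps({"sub": user_id, "exp": time.time() + ttl}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

def validate_token(token):
    """Return the subject if signature and expiry check out, otherwise None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims["sub"] if claims["exp"] > time.time() else None

def list_transactions_public():
    """The 'before': a public endpoint with no API security, as in the article."""
    return TRANSACTIONS

_calls = defaultdict(list)  # per-user call timestamps for throttling

def list_transactions_secured(auth_header, now=None, limit=5, window=60):
    """Access control plus throttling; returns an (HTTP status, body) pair."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    user = validate_token(auth_header[len("Bearer "):])
    if user is None:
        return 401, {"error": "invalid or expired token"}
    recent = [t for t in _calls[user] if now - t < window]
    if len(recent) >= limit:
        return 429, {"error": "rate limit exceeded"}
    _calls[user] = recent + [now]
    # Authorization: only the caller's own transactions are returned.
    return 200, [t for t in TRANSACTIONS if user in (t["from"], t["to"])]
```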

Imagine this was your critical business data. Wouldn’t you agree that API security is an important aspect of API management?

Do you want to know more about APIs? Read our blogs “What is API integration” and “What is API management”, as well as the next blog in this series, “API Authentication”.


Written by:

Tim Allgaier worked as Technical Product Manager for the Business Integration Suite at SEEBURGER from 2019. His focus was on API Management. During his master's degree in Business Informatics, Tim Allgaier worked in various positions in the areas of software management and IT service management. In his time off, Tim Allgaier is mainly engaged in sports such as table tennis.