Application programming interfaces (APIs) are the underpinnings of digital transformation and represent 83% of all web traffic. Serving as the fabric of modern service delivery and app development, the logic and sensitive data APIs can expose have made them a high-value target for cybercriminals. In fact, the amount of API cyberattacks has spiked in the last year. According to Enterprise Strategy Group (ESG) analysts, "attackers are setting their sights on unprotected APIs, and API attacks will see a banner year in 2022."
To study common API issues and how IT practitioners are facing these challenges, Cloudentity conducted its 2021 State of API Security, Privacy and Governance Survey with independent research firm Pulse QA. The report highlights how enterprises are advancing API-first programs in their organization and reveals key issues, drivers, maturity, investments and benefits. It surveys 300 technology decision-makers and practitioners responsible for API management and security in large organizations across industries such as financial services, healthcare, retail, high tech and consumer packaged goods (CPG).
The findings of the study revealed that in just the last 12 months, a staggering 44% of enterprises have experienced substantial API security issues concerning privacy, data leakage and object property exposure. Given this significant problem, let's take a closer look at the other key findings of the survey and discuss how enterprises can take better control of their API security to improve data governance and privacy practices.
1. Only 2% of enterprise IT practitioners feel completely confident in their organization's ability to reduce API security issues such as unauthorized access, data privacy, compliance risk and security threats.
This finding is surprising, given the prevalence of API attacks in 2021 alone. In addition, Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications. Security teams and IT professionals must be aware of the added risk APIs bring due to the widened attack surface when exchanging sensitive data across APIs and learn how to mitigate this risk. The API security survey also measured the top five contributors to API identity and authorization risk. The top five were identified by IT practitioners as component-driven development complexity, difficulty to diagnose issues and lack of data lineage, and inconsistent security policy management and enforcement controls.
To secure every API, enterprises should implement solutions that provide fine-grained authorization with the intelligence to understand the specific conditions and parameters in which data can be shared. Modern authorization technologies and techniques can securely verify both user and service identity while mitigating inconsistencies and errors associated with traditional identity and access management (IAM) solutions. A Zero Trust approach is also critical to determine the "who, what, where, when and why” of each transaction and to define each policy and user permissions based on their context.
2. The vast majority, 97%, of enterprises experienced delays in releasing new apps and service enhancements due to identity and authorization issues with APIs and services.
In addition to the security concerns involved, delays in releasing new apps and services can hurt a company's revenue when time-to-market goals are not met. To overcome these delays, many enterprises are adopting pre-built solutions to automate application authorization and consent, which speeds up deployments and time-to-market for new services.
With modern application authorization and consent, enterprises have increased visibility and control over where API data is shared and how it flows between APIs and distributed services, whether it is on-premise or in the cloud. In turn, this improves the organization's development agility, mitigates risk and enables faster delivery of new applications and enhancements.
3. Looking ahead, 93% of organizations plan to increase budget and resources applied to secure API development and security programs, and the majority (64%) plan an increase as much as 15%.
Enterprise IT practitioners' top motivators for investing in API security and governance initiatives are reducing human error in manual coding, preventing data leakage of sensitive information, compliance, data privacy and threat prevention. The top five API security initiatives include extending authentication and authorization controls down to APIs and microservices, implementing Zero Trust controls, invoking declarative authorization (policy as code), implementing micro-segmentation, and facilitating API discovery, classification and inventory.
In addition, the survey showed that the financial services industry intends to spend 15% more budget on API security than other sectors, with compliance and privacy priorities driving them to make larger investments.
Planning API Security Strategies for 2022
Two-thirds of cloud breaches can be attributed to misconfigured APIs, so it's clear that this is an issue that IT and security teams can no longer afford to overlook. Nevertheless, APIs are essential for driving new digital business revenue growth for enterprises as they extend data to partners and customers. Organizations need to improve their API access controls to govern how information is shared, as well as scale policy enforcement across an expanding set of data endpoints. The requirements for managing API access are getting stricter and more complex with regulation and user data privacy requirements, so now, customers have increased control of how their data is being shared with each third party.
Progressing API security is paramount to ensure the integrity, management and protection of internal and external-facing APIs and service pathways. As part of API-first programs, developers, IT practitioners and security teams are endeavoring to modernize their applications and protect each and every API transaction, including those between the services that they deliver. This means a Zero Trust approach for API access, which provides a critical layer of protection for APIs. This is critical regardless of where data is being shared, whether it's to another application service, a partner, a customer, or a remote IoT device. The goal is every data request needs to be authorized and auditable in real-time.