Almost Half of Enterprises Experience Substantial API Security and Privacy Issues
February 28, 2022

Jason Needham
Cloudentity

Application programming interfaces (APIs) are the underpinnings of digital transformation and represent 83% of all web traffic. Serving as the fabric of modern service delivery and app development, the logic and sensitive data APIs can expose have made them a high-value target for cybercriminals. In fact, the amount of API cyberattacks has spiked in the last year. According to Enterprise Strategy Group (ESG) analysts, "attackers are setting their sights on unprotected APIs, and API attacks will see a banner year in 2022."

To study common API issues and how IT practitioners are facing these challenges, Cloudentity conducted its 2021 State of API Security, Privacy and Governance Survey with independent research firm Pulse QA. The report highlights how enterprises are advancing API-first programs in their organization and reveals key issues, drivers, maturity, investments and benefits. It surveys 300 technology decision-makers and practitioners responsible for API management and security in large organizations across industries such as financial services, healthcare, retail, high tech and consumer packaged goods (CPG).

The findings of the study revealed that in just the last 12 months, a staggering 44% of enterprises have experienced substantial API security issues concerning privacy, data leakage and object property exposure. Given this significant problem, let's take a closer look at the other key findings of the survey and discuss how enterprises can take better control of their API security to improve data governance and privacy practices.

1. Only 2% of enterprise IT practitioners feel completely confident in their organization's ability to reduce API security issues such as unauthorized access, data privacy, compliance risk and security threats.

This finding is surprising, given the prevalence of API attacks in 2021 alone. In addition, Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications. Security teams and IT professionals must be aware of the added risk APIs bring due to the widened attack surface when exchanging sensitive data across APIs and learn how to mitigate this risk. The API security survey also measured the top five contributors to API identity and authorization risk. The top five were identified by IT practitioners as component-driven development complexity, difficulty to diagnose issues and lack of data lineage, and inconsistent security policy management and enforcement controls.

To secure every API, enterprises should implement solutions that provide fine-grained authorization with the intelligence to understand the specific conditions and parameters in which data can be shared. Modern authorization technologies and techniques can securely verify both user and service identity while mitigating inconsistencies and errors associated with traditional identity and access management (IAM) solutions. A Zero Trust approach is also critical to determine the "who, what, where, when and why” of each transaction and to define each policy and user permissions based on their context.

2. The vast majority, 97%, of enterprises experienced delays in releasing new apps and service enhancements due to identity and authorization issues with APIs and services.

In addition to the security concerns involved, delays in releasing new apps and services can hurt a company's revenue when time-to-market goals are not met. To overcome these delays, many enterprises are adopting pre-built solutions to automate application authorization and consent, which speeds up deployments and time-to-market for new services.

With modern application authorization and consent, enterprises have increased visibility and control over where API data is shared and how it flows between APIs and distributed services, whether it is on-premise or in the cloud. In turn, this improves the organization's development agility, mitigates risk and enables faster delivery of new applications and enhancements.

3. Looking ahead, 93% of organizations plan to increase budget and resources applied to secure API development and security programs, and the majority (64%) plan an increase as much as 15%.

Enterprise IT practitioners' top motivators for investing in API security and governance initiatives are reducing human error in manual coding, preventing data leakage of sensitive information, compliance, data privacy and threat prevention. The top five API security initiatives include extending authentication and authorization controls down to APIs and microservices, implementing Zero Trust controls, invoking declarative authorization (policy as code), implementing micro-segmentation, and facilitating API discovery, classification and inventory.

In addition, the survey showed that the financial services industry intends to spend 15% more budget on API security than other sectors, with compliance and privacy priorities driving them to make larger investments.

Planning API Security Strategies for 2022

Two-thirds of cloud breaches can be attributed to misconfigured APIs, so it's clear that this is an issue that IT and security teams can no longer afford to overlook. Nevertheless, APIs are essential for driving new digital business revenue growth for enterprises as they extend data to partners and customers. Organizations need to improve their API access controls to govern how information is shared, as well as scale policy enforcement across an expanding set of data endpoints. The requirements for managing API access are getting stricter and more complex with regulation and user data privacy requirements, so now, customers have increased control of how their data is being shared with each third party.

Progressing API security is paramount to ensure the integrity, management and protection of internal and external-facing APIs and service pathways. As part of API-first programs, developers, IT practitioners and security teams are endeavoring to modernize their applications and protect each and every API transaction, including those between the services that they deliver. This means a Zero Trust approach for API access, which provides a critical layer of protection for APIs. This is critical regardless of where data is being shared, whether it's to another application service, a partner, a customer, or a remote IoT device. The goal is every data request needs to be authorized and auditable in real-time.

Jason Needham is CEO of Cloudentity
Share this

Industry News

September 22, 2022

Katalon announced the launch of the Katalon Platform, a modern and comprehensive software quality management platform that enables teams of any size to easily and efficiently test, launch, and optimize apps, products, and software.

September 22, 2022

StackHawk announced its Deeper API Security Test Coverage release.

September 21, 2022

Platform9 announced the launch of its latest open source project, Arlon.

September 21, 2022

Redpanda Data announced Redpanda Console.

September 21, 2022

mabl announced its availability as a private listing on Google Cloud Marketplace.

September 21, 2022

Zesty announced a $75 million Series B funding round led by B Capital and Series A investor Sapphire Ventures.

September 20, 2022

Opsera, the Continuous Orchestration platform for DevOps, announced a free trial of its no-code Salesforce Release Management platform for fast and secure Salesforce releases.

September 20, 2022

Sysdig announced ToDo and Remediation Guru.

September 20, 2022

AutoRABIT announced CodeScan Shield.

September 19, 2022

Akuity.io announced the general availability of the Akuity Platform, a fully-managed SaaS service for simpler, safer and faster Kubernetes application delivery, using Argo.

September 19, 2022

Rocket Software launched Rocket® Support for Zowe, a supporting offering for the Open Mainframe Project’s Zowe® open-source framework for z/OS® and its multiple modern interfaces.

September 19, 2022

Appfire announced the acquisition of German company 7pace.

September 15, 2022

Dell Technologies is expanding its long-standing strategic relationship with Red Hat to offer new solutions that simplify deploying and managing on-premises, containerized infrastructure in multicloud environments.

September 15, 2022

Postman announced Postman v10, the most significant upgrade to the platform in almost a year, offering new features around API governance and security, as well as expanded capabilities in collaboration and integration—and higher productivity than ever.

September 15, 2022

Harness announced the general availability of fully managed Harness GitOps-as-a-Service to enable enterprise continuous delivery (CD) workflows for application and infrastructure deployments.