Almost Half of Enterprises Experience Substantial API Security and Privacy Issues
February 28, 2022

Jason Needham
Cloudentity

Application programming interfaces (APIs) are the underpinnings of digital transformation and represent 83% of all web traffic. Serving as the fabric of modern service delivery and app development, the logic and sensitive data APIs can expose have made them a high-value target for cybercriminals. In fact, the amount of API cyberattacks has spiked in the last year. According to Enterprise Strategy Group (ESG) analysts, "attackers are setting their sights on unprotected APIs, and API attacks will see a banner year in 2022."

To study common API issues and how IT practitioners are facing these challenges, Cloudentity conducted its 2021 State of API Security, Privacy and Governance Survey with independent research firm Pulse QA. The report highlights how enterprises are advancing API-first programs in their organization and reveals key issues, drivers, maturity, investments and benefits. It surveys 300 technology decision-makers and practitioners responsible for API management and security in large organizations across industries such as financial services, healthcare, retail, high tech and consumer packaged goods (CPG).

The findings of the study revealed that in just the last 12 months, a staggering 44% of enterprises have experienced substantial API security issues concerning privacy, data leakage and object property exposure. Given this significant problem, let's take a closer look at the other key findings of the survey and discuss how enterprises can take better control of their API security to improve data governance and privacy practices.

1. Only 2% of enterprise IT practitioners feel completely confident in their organization's ability to reduce API security issues such as unauthorized access, data privacy, compliance risk and security threats.

This finding is surprising, given the prevalence of API attacks in 2021 alone. In addition, Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications. Security teams and IT professionals must be aware of the added risk APIs bring due to the widened attack surface when exchanging sensitive data across APIs and learn how to mitigate this risk. The API security survey also measured the top five contributors to API identity and authorization risk. The top five were identified by IT practitioners as component-driven development complexity, difficulty to diagnose issues and lack of data lineage, and inconsistent security policy management and enforcement controls.

To secure every API, enterprises should implement solutions that provide fine-grained authorization with the intelligence to understand the specific conditions and parameters in which data can be shared. Modern authorization technologies and techniques can securely verify both user and service identity while mitigating inconsistencies and errors associated with traditional identity and access management (IAM) solutions. A Zero Trust approach is also critical to determine the "who, what, where, when and why” of each transaction and to define each policy and user permissions based on their context.

2. The vast majority, 97%, of enterprises experienced delays in releasing new apps and service enhancements due to identity and authorization issues with APIs and services.

In addition to the security concerns involved, delays in releasing new apps and services can hurt a company's revenue when time-to-market goals are not met. To overcome these delays, many enterprises are adopting pre-built solutions to automate application authorization and consent, which speeds up deployments and time-to-market for new services.

With modern application authorization and consent, enterprises have increased visibility and control over where API data is shared and how it flows between APIs and distributed services, whether it is on-premise or in the cloud. In turn, this improves the organization's development agility, mitigates risk and enables faster delivery of new applications and enhancements.

3. Looking ahead, 93% of organizations plan to increase budget and resources applied to secure API development and security programs, and the majority (64%) plan an increase as much as 15%.

Enterprise IT practitioners' top motivators for investing in API security and governance initiatives are reducing human error in manual coding, preventing data leakage of sensitive information, compliance, data privacy and threat prevention. The top five API security initiatives include extending authentication and authorization controls down to APIs and microservices, implementing Zero Trust controls, invoking declarative authorization (policy as code), implementing micro-segmentation, and facilitating API discovery, classification and inventory.

In addition, the survey showed that the financial services industry intends to spend 15% more budget on API security than other sectors, with compliance and privacy priorities driving them to make larger investments.

Planning API Security Strategies for 2022

Two-thirds of cloud breaches can be attributed to misconfigured APIs, so it's clear that this is an issue that IT and security teams can no longer afford to overlook. Nevertheless, APIs are essential for driving new digital business revenue growth for enterprises as they extend data to partners and customers. Organizations need to improve their API access controls to govern how information is shared, as well as scale policy enforcement across an expanding set of data endpoints. The requirements for managing API access are getting stricter and more complex with regulation and user data privacy requirements, so now, customers have increased control of how their data is being shared with each third party.

Progressing API security is paramount to ensure the integrity, management and protection of internal and external-facing APIs and service pathways. As part of API-first programs, developers, IT practitioners and security teams are endeavoring to modernize their applications and protect each and every API transaction, including those between the services that they deliver. This means a Zero Trust approach for API access, which provides a critical layer of protection for APIs. This is critical regardless of where data is being shared, whether it's to another application service, a partner, a customer, or a remote IoT device. The goal is every data request needs to be authorized and auditable in real-time.

Jason Needham is CEO of Cloudentity
Share this

Industry News

May 19, 2022

Jellyfish announced the launch of Jellyfish Benchmarks, a way to add context around engineering metrics and performance by introducing a method for comparison.

May 19, 2022

Solo.io announced the addition and integration of Cilium networking into its Gloo Mesh platform, providing a complete application-networking solution for companies’ cloud-native digital transformation efforts.

May 19, 2022

Aqua Security announced multiple updates to Aqua Trivy, making it a unified scanner for cloud native security.

May 18, 2022

Red Hat unveiled updates across its portfolio of developer tools designed to help organizations build and deliver applications faster and more consistently across Kubernetes-based hybrid and multicloud environments.

May 18, 2022

Armory announced public early access to their new Continuous Deployment-as-a-Service product.

May 18, 2022

DataCore Software announced DataCore Bolt, enterprise-grade container-native storage software for DevOps.

May 17, 2022

DevOps Institute, a global professional association for advancing the human elements of DevOps, announced the release of the Upskilling IT 2022 report.

May 17, 2022

Replicated announced a host of new platform features and capabilities that enable their customers to accelerate enterprise adoption of their Kubernetes applications.

May 17, 2022

Codefresh announced that its flagship continuous delivery (CD) platform will be made accessible as a fully-hosted solution for DevOps teams seeking to quickly and easily achieve frictionless, GitOps-based continuous software delivery in the cloud.

May 16, 2022

Red Hat announced new capabilities and enhancements across its portfolio of open hybrid cloud solutions aimed at accelerating enterprise adoption of edge compute architectures through the Red Hat Edge initiative.

May 16, 2022

D2iQ announced a partnership with GitLab.

May 16, 2022

Kasten by Veeam announced the new Kasten by Veeam K10 V5.0 Kubernetes data management platform.

May 12, 2022

Red Hat introduced Red Hat Enterprise Linux 9, the Linux operating system designed to drive more consistent innovation across the open hybrid cloud, from bare metal servers to cloud providers and the farthest edge of enterprise networks.

May 12, 2022

Couchbase announced version 7.1 of Couchbase Server.

May 12, 2022

Copado added Copado Robotic Testing to Copado Essentials.