Almost Half of Enterprises Experience Substantial API Security and Privacy Issues
February 28, 2022

Jason Needham
Cloudentity

Application programming interfaces (APIs) are the underpinnings of digital transformation and represent 83% of all web traffic. Serving as the fabric of modern service delivery and app development, the logic and sensitive data APIs can expose have made them a high-value target for cybercriminals. In fact, the amount of API cyberattacks has spiked in the last year. According to Enterprise Strategy Group (ESG) analysts, "attackers are setting their sights on unprotected APIs, and API attacks will see a banner year in 2022."

To study common API issues and how IT practitioners are facing these challenges, Cloudentity conducted its 2021 State of API Security, Privacy and Governance Survey with independent research firm Pulse QA. The report highlights how enterprises are advancing API-first programs in their organization and reveals key issues, drivers, maturity, investments and benefits. It surveys 300 technology decision-makers and practitioners responsible for API management and security in large organizations across industries such as financial services, healthcare, retail, high tech and consumer packaged goods (CPG).

The findings of the study revealed that in just the last 12 months, a staggering 44% of enterprises have experienced substantial API security issues concerning privacy, data leakage and object property exposure. Given this significant problem, let's take a closer look at the other key findings of the survey and discuss how enterprises can take better control of their API security to improve data governance and privacy practices.

1. Only 2% of enterprise IT practitioners feel completely confident in their organization's ability to reduce API security issues such as unauthorized access, data privacy, compliance risk and security threats.

This finding is surprising, given the prevalence of API attacks in 2021 alone. In addition, Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications. Security teams and IT professionals must be aware of the added risk APIs bring due to the widened attack surface when exchanging sensitive data across APIs and learn how to mitigate this risk. The API security survey also measured the top five contributors to API identity and authorization risk. The top five were identified by IT practitioners as component-driven development complexity, difficulty to diagnose issues and lack of data lineage, and inconsistent security policy management and enforcement controls.

To secure every API, enterprises should implement solutions that provide fine-grained authorization with the intelligence to understand the specific conditions and parameters in which data can be shared. Modern authorization technologies and techniques can securely verify both user and service identity while mitigating inconsistencies and errors associated with traditional identity and access management (IAM) solutions. A Zero Trust approach is also critical to determine the "who, what, where, when and why” of each transaction and to define each policy and user permissions based on their context.

2. The vast majority, 97%, of enterprises experienced delays in releasing new apps and service enhancements due to identity and authorization issues with APIs and services.

In addition to the security concerns involved, delays in releasing new apps and services can hurt a company's revenue when time-to-market goals are not met. To overcome these delays, many enterprises are adopting pre-built solutions to automate application authorization and consent, which speeds up deployments and time-to-market for new services.

With modern application authorization and consent, enterprises have increased visibility and control over where API data is shared and how it flows between APIs and distributed services, whether it is on-premise or in the cloud. In turn, this improves the organization's development agility, mitigates risk and enables faster delivery of new applications and enhancements.

3. Looking ahead, 93% of organizations plan to increase budget and resources applied to secure API development and security programs, and the majority (64%) plan an increase as much as 15%.

Enterprise IT practitioners' top motivators for investing in API security and governance initiatives are reducing human error in manual coding, preventing data leakage of sensitive information, compliance, data privacy and threat prevention. The top five API security initiatives include extending authentication and authorization controls down to APIs and microservices, implementing Zero Trust controls, invoking declarative authorization (policy as code), implementing micro-segmentation, and facilitating API discovery, classification and inventory.

In addition, the survey showed that the financial services industry intends to spend 15% more budget on API security than other sectors, with compliance and privacy priorities driving them to make larger investments.

Planning API Security Strategies for 2022

Two-thirds of cloud breaches can be attributed to misconfigured APIs, so it's clear that this is an issue that IT and security teams can no longer afford to overlook. Nevertheless, APIs are essential for driving new digital business revenue growth for enterprises as they extend data to partners and customers. Organizations need to improve their API access controls to govern how information is shared, as well as scale policy enforcement across an expanding set of data endpoints. The requirements for managing API access are getting stricter and more complex with regulation and user data privacy requirements, so now, customers have increased control of how their data is being shared with each third party.

Progressing API security is paramount to ensure the integrity, management and protection of internal and external-facing APIs and service pathways. As part of API-first programs, developers, IT practitioners and security teams are endeavoring to modernize their applications and protect each and every API transaction, including those between the services that they deliver. This means a Zero Trust approach for API access, which provides a critical layer of protection for APIs. This is critical regardless of where data is being shared, whether it's to another application service, a partner, a customer, or a remote IoT device. The goal is every data request needs to be authorized and auditable in real-time.

Jason Needham is CEO of Cloudentity
Share this

Industry News

October 03, 2023

Parasoft announced new advancements in its Continuous Quality Platform for functional solutions, which include Parasoft Virtualize, SOAtest, CTP, and DTP.

The latest releases introduce capabilities including:

- GenAI integration for API testing

- Comprehensive microservices code coverage

- Web accessibility testing

- Powerful learning mode for creating and updating virtual assets

These innovations are set to transform the landscape of software testing for enterprise application development and test teams.

October 03, 2023

LinearB announced the release of free DORA Metrics dashboards.

October 03, 2023

PerfectScale, a provider of Kubernetes optimization, has successfully closed $7.1 million in seed funding.

October 02, 2023

Spectro Cloud announced Palette EdgeAI to simplify how organizations deploy and manage AI workloads at scale across simple to complex edge locations, such as retail, healthcare, industrial automation, oil and gas, automotive/connected cars, and more.

September 28, 2023

Kong announced Kong Konnect Dedicated Cloud Gateways, the simplest and most cost-effective way to run Kong Gateways in the cloud fully managed as a service and on enterprise dedicated infrastructure.

September 28, 2023

Sisense unveiled the public preview of Compose SDK for Fusion.

September 28, 2023

Cloudflare announced Hyperdrive to make every local database global. Now developers can easily build globally distributed applications on Cloudflare Workers, the serverless developer platform used by over one million developers, without being constrained by their existing infrastructure.

September 27, 2023

Kong announced full support for Kong Mesh in Konnect, making Kong Konnect an API lifecycle management platform with built-in support for Kong Gateway Enterprise, Kong Ingress Controller and Kong Mesh via a SaaS control plane.

September 27, 2023

Vultr announced the launch of the Vultr GPU Stack and Container Registry to enable global enterprises and digital startups alike to build, test and operationalize artificial intelligence (AI) models at scale — across any region on the globe. \

September 27, 2023

Salt Security expanded its partnership with CrowdStrike by integrating the Salt Security API Protection Platform with the CrowdStrike Falcon® Platform.

September 26, 2023

Progress announced a partnership with Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, to help ensure the long-term maintainability and modernization of business-critical applications built on the Progress® OpenEdge® platform.

September 26, 2023

Solace announced a new version of its Solace Event Portal solution that gives organizations with Apache Kafka deployments better visibility into, and control over, their Kafka event streams, brokers and associated assets.

September 26, 2023

Reply launched a proprietary framework for generative AI-based software development, KICODE Reply.

September 26, 2023

Harness announced the industry-wide Engineering Excellence Collective™, an engineering leadership community.

September 25, 2023

Harness announced four new product modules on the Harness platform.