Build your API security strategy on these 4 pillars
Ilya Kabanov
Senior Manager, Cloud Trust and Safety
Anton Chuvakin
Security Advisor, Office of the CISO, Google Cloud
Hear monthly from our Cloud CISO in your inbox
Get the latest on security from Cloud CISO Phil Venables.
SubscribeSavvy leaders at organizations around the world know that digital transformations can create a virtuous flywheel of more and faster innovation, driven by the power of software integration. APIs can facilitate the necessary software integration and communication, and that requires serious consideration of the organization’s API security posture to better protect its data and digital systems.
The proliferation of APIs has led to expanded attack surfaces and greater inherent risk. A quick scan of the digital landscape shows that traffic generated by APIs now dominates the internet. Google Cloud’s Apigee reports that for their customers alone, API traffic increased 46% between 2019 and 2020.
At the same time, Google Cloud’s 2022 report on API security insights and trends notes that more than 50% of organizations faced an API-related security threat at least once in 2021, confirming that APIs have become a favorite target for threat actors.
This month, we identified five categories of API attacks in a new report, “The Importance of API Security,” that takes a deeper look at how to build better API security systems. These threats include:
Data scraping
Denial of service (DoS)
Injections or malware
Account takeover (ATO)
Scalping and bots
While DoS, injections, and ATO are well-known attacks that came to the API world from web applications, abuse and bots are unique threats for APIs that are by their nature different from security issues. Security leaders should be concerned with how prepared their organizations are for API security threats.
The current state of API security strategy
Our 2022 report on API security insights and trends found that most organizations don’t have a robust API security strategy in place, and that 60% say that their API strategy needs improvement.
Organizations face two primary impediments when establishing and maturing their API security capabilities: A lack of resources, and a lack of experience. Even leaders who are committed to securing APIs may end up deploying fragmented solutions across their organization, which could inadvertently create a false sense of security.
So what’s the best way forward when it comes to protecting APIs?
Taking a defense-in-depth approach
We believe that layering API defense mechanisms that support each other but are otherwise independent is an effective way to stop adversaries. Along with our additional insights into a rapidly-changing API threat landscape in our “Importance of API Security” report, we also provide recommendations on launching an API-first security strategy that builds on four pillars:
Essential API security controls and protections enforced for all APIs through a common API management platform, creating a no-exception approach that leaves no space for uncontrolled API exposure
Protection against DDoS and exploits with an adaptive cloud protection suite that includes a WAF, machine-learning-based DDoS protection, and a threat intelligence capability
Anti-bot protection to keep APIs and exposed resources safe from fraudulent activity, spam, and abuse
Adherence to safe API coding principles to prevent the most common classes of security issues upfront
You can read the report here, and reach out to the Google Cybersecurity Action Team to learn more.