Role of Identity in API Security

Digital identities play an important role in an organization’s security program. But the idea of “identity” in APIs can be complex, said Jeff Williams, CTO and co-founder of Contrast Security, in an email interview.

“People think of APIs as a way for two software applications to communicate,” Williams explained. For example, if a mobile phone application calls a company’s public web APIs, the “identity” is simply the end user. But what if that public web API then sends requests to internal APIs or third-party external APIs? Where is the identity? Is it the end user or the Web API identity? Or both?

“It can get a lot more complex because the API chain includes serverless functions and other APIs,” Williams continued. “In some cases we should pass the ‘nested’ identity and in others not. But it is an important concept and organizations need to define their identity strategy so as not to end up in chaos.”

Overall, identity is essential to the operation of APIs and, in turn, essential to API security. “There’s no permission or accountability without identity,” Williams said. It is therefore very important to track not only the identity of the most recent hop in a flow of transactions, but also the originating identity and possibly other nested identities.

Authentication and Authorization in API Security

Identity security relies on having the right sets of permissions to access applications within the infrastructure. According to Michelle McLean, vice president of product marketing at Salt Security, having proper authentication and access authorization is therefore essential to prevent API risks and data exfiltration.

“If a malicious actor is able to access a single API in an organization’s environment due to inappropriate access controls, then attackers can elevate their privileges and obtain inadvertent permissions to manipulate and modify different APIs and API calls, which can ultimately have detrimental consequences and be costly to bounce back from,” McLean said. “If an API lacks proper authentication and authorization checks, an attacker can exploit a genuine credential session to access a user account.”

It’s easy to become overly dependent on identity as a security mechanism for APIs, and this overreliance can create another layer of risk.

“While identity-anchored authentication and authorization is an important starting point, it’s not the complete answer to protecting APIs,” McLean said. In fact, the majority of API attacks are propagated against authenticated endpoints and often by authenticated users.

The Role of Identity in API Security

Because identity is rather easy to manipulate, McLean pointed out, API security is evolving to rely on much more than identity.

“Combining identity with user behavior bases, analyzing big data over time, and other forms of anomaly detection are essential for effective API security,” McLean said. “Organizations should seek to bolster their identity access controls with additional and more robust protections, including attack prevention, identification of sensitive data exposure, and remediation information gleaned during execution.”

At the same time, security teams are doing a better job of getting the message across that identity isn’t just a username and password, and this awareness will help clarify the role of identity in API security.

“Organizations need to have a flexible definition of identity, with layers of trust. Identity can include notions of place, behavior, technology and time,” Williams said.

For example, there is a tendency not to question an identity because it is tied to a specific account or set of credentials, is performing an activity it has performed many times before, and is coming from a place where it is usually found. But if that same request arrives from a new place or at an unusual time, it should be viewed with skepticism. Behavioral analysis tools help secure APIs around identity in exactly these cases.
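As an added example, not code from the article or from either vendor quoted in it, the “layers of trust” check described above can be prototyped as follows: each request is compared with what the account has done before (place, technology, time), and every layer that does not match raises a risk score that drives an allow / step-up / deny decision. The account names, history and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline of past, successfully authenticated API calls:
# (account, country, client, hour of day). Hypothetical data, not from the article.
HISTORY = [
    ("alice", "DE", "mobile-app/4.2", 9),
    ("alice", "DE", "mobile-app/4.2", 11),
    ("alice", "DE", "mobile-app/4.2", 14),
    ("alice", "DE", "web-spa/7.0", 10),
    ("alice", "AT", "mobile-app/4.2", 15),
]


def build_baseline(history):
    """Summarise, per account, the places, clients and hours seen before."""
    base = defaultdict(lambda: {"countries": set(), "clients": set(), "hours": set()})
    for account, country, client, hour in history:
        base[account]["countries"].add(country)
        base[account]["clients"].add(client)
        base[account]["hours"].add(hour)
    return base


def score_request(baseline, account, country, client, hour):
    """Return (risk, reasons): one point per trust layer the request does not match.

    A valid credential alone is not enough; the request scores 0 only when
    place, technology and time all look like this account's past behaviour."""
    seen = baseline.get(account)
    if seen is None:
        return 3, ["no history for account"]  # never seen: every layer is unknown
    reasons = []
    if country not in seen["countries"]:
        reasons.append(f"new place: {country}")
    if client not in seen["clients"]:
        reasons.append(f"new technology: {client}")
    # Time layer: an hour seen before, or one adjacent to it, counts as usual.
    usual_hours = {(h + d) % 24 for h in seen["hours"] for d in (-1, 0, 1)}
    if hour not in usual_hours:
        reasons.append(f"unusual time: {hour:02d}:00")
    return len(reasons), reasons


def decide(risk):
    """Map the risk score to an action: 0 allow, 1 step-up auth, 2 or more deny."""
    if risk == 0:
        return "allow"
    if risk == 1:
        return "step-up"
    return "deny"
```

In a real deployment the baseline would be learned continuously from the API gateway’s logs, and the step-up branch would trigger a second factor rather than simply returning a string.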

“It’s critical that APIs keep up with evolving authentication and identity models,” Williams said.