By Sudeep Padiyar, Senior Director, Product Management at Traceable AI
When Data Loss Prevention (DLP) was conceived as a security concept in the early 2000s, it was largely focused on network perimeters, with efforts directed at protecting data in motion across network boundaries. Fast-forward to the present day, where the network perimeter has blurred: most applications are deployed in the public cloud, and the sensitive data they access is scattered across many data stores in public and private data centers. In this new landscape, APIs have emerged as the pivotal link for data transfer and business operations, and have become a primary target for hackers. As a result, modern DLP strategies are experiencing a seismic shift, with a renewed emphasis on securing APIs.
Historically, DLP initiatives focused on protecting data traversing these boundaries via web, email, and file transfers. However, digital transformation, fueled by cloud computing, a mobile workforce, and APIs serving as the backbone of business, creates a sprawling, decentralized network where sensitive data is frequently in transit and is accessed from virtually anywhere. This change has dramatically amplified the potential avenues for data loss and breaches, making DLP at the API layer as relevant as Cloud Access Security Brokers (CASB) for SaaS and Data Security Posture Management (DSPM) for IaaS.
Enter APIs: the Invisible Workhorses of the Digital Age
APIs are the bridges enabling software applications to interact, share data, and execute business functions. According to the 2022 Postman State of the API report, organizations are now utilizing an average of 218 APIs – a testament to their increasing pervasiveness and the critical role they play in how applications are consumed. Browsers, mobile apps and API platforms like Postman are now the three most common ways by which modern applications are accessed.
But with this proliferation comes a new set of risks. APIs have become a prime target for hackers because of the vast amount of sensitive data they handle and the strong need for authentication and authorization, and several high-profile data breaches in recent years have been traced back to attackers exploiting API vulnerabilities.
This surge in API-related breaches is a clear indicator that API security is no longer an afterthought but a primary requirement in DLP strategies, for several reasons:
- API-centric data breaches: APIs often expose sensitive data in the payload, many times without the right authentication and authorization controls, making them attractive targets for cybercriminals. Their vulnerability to breaches necessitates robust API security measures. Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA) are also among the top attack vectors in the OWASP API Security Top 10 for 2023.
- Growth in API development and usage: APIs are becoming increasingly ubiquitous. According to the 2022 Postman State of the API report, organizations have an average of 218 APIs, a significant increase from previous years. For example, Netflix reportedly receives billions of API calls every day, underscoring how central APIs have become to its operations. Gartner also chimed in on the growth of APIs, stating that 94% of organizations use or are planning to use public APIs provided by third parties (up from 52% in 2019); 90% of organizations use or are planning to use private APIs provided by partners (up from 68% in 2019); and 80% of organizations provide or are planning to provide publicly exposed APIs (up from 46% in 2019). With this increased reliance comes a higher number of potential points of failure, making API security a growing priority for most CSOs.
- APIs have become the universal attack vector: What makes APIs so interesting from a hacker's perspective is that they expand the attack surface across all vectors. They now present the largest attack surface we have ever encountered in the industry. In the past, hackers had to find ways of bypassing existing solutions, such as WAFs, DLP, and API gateways, in order to reach data and disrupt systems. Now, they can simply exploit an API, obtain unfettered access to sensitive data, and never have to touch the other solutions in the security stack. Hence the API layer has to be the universal defense layer, and it must carry the additional detection logic needed to prevent attacks effectively.
- Regulatory compliance: Data protection regulations like GDPR, CCPA, and HIPAA have strict rules on data handling. In October of 2022, we also witnessed the FFIEC make updates to its cybersecurity guidelines – and the update included API security. Ensuring API security is a significant step towards regulatory compliance and avoiding hefty fines.
- Evolution of cyber threats: The cyber threat landscape is rapidly evolving, and bad actors are using increasingly sophisticated methods to exploit vulnerabilities. Credential stuffing, for instance, where attackers automate login requests using stolen credentials, can lead to unauthorized access to APIs. According to Gartner, in 2022 API abuse became the most frequent attack vector for data breaches, and Gartner further predicts that by 2024 API abuse attacks will double. Account takeover, bot-based attacks, and online fraud are also increasingly carried out via APIs. The relentless advancement of such threats necessitates a dedicated focus on API security.
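The first bullet above names the two failure modes that make APIs leak data: a handler that returns whatever object id it is given (BOLA), a handler that performs a privileged function without checking the caller's role (BFLA), and a response body that carries sensitive values the caller should never see. The following Python is an added illustration written for this article, not code from Traceable AI or from any product. It assumes a constructed in-memory user and order store, places an object-level and a function-level authorization check on two handlers, and then runs a small API-layer DLP pass over the response payload that flags and masks card numbers (confirmed with a Luhn check to avoid false positives on arbitrary digit runs) and e-mail addresses.

```python
import re

# Constructed sample identity and data store, an assumption for this example
# (not a real system). Roles: "user" or "admin".
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
ORDERS = {
    101: {"owner": "alice", "card": "4111 1111 1111 1111", "email": "alice@example.com"},
    102: {"owner": "bob", "card": "5500 0000 0000 0004", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_order_bola(caller, order_id):
    # BOLA: the handler trusts the object id in the request and never checks
    # that this authenticated caller is allowed to see this particular object.
    return dict(ORDERS[order_id])


def get_order(caller, order_id):
    # Object-level authorization: the caller must own the object or hold a
    # role that is explicitly permitted to read any object.
    order = ORDERS[order_id]
    if order["owner"] != caller and USERS[caller] != "admin":
        raise Forbidden(f"{caller} may not read order {order_id}")
    return dict(order)


def delete_order(caller, order_id):
    # Function-level authorization: deletion is an admin-only function, so the
    # check is on the caller's role, independent of which object is named.
    if USERS[caller] != "admin":
        raise Forbidden(f"{caller} may not call delete_order")
    del ORDERS[order_id]
    return True


def is_denied(fn, *args):
    """True if the call is rejected by an authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# --- API-layer DLP on the response body -------------------------------------
# Detector patterns are constructed for this example: a 13-16 digit card number
# with optional space/dash separators, and a simple e-mail address.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits):
    """Luhn checksum; a digit run that fails it is not treated as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_payload(payload):
    """Return (field, kind) for every sensitive value found in a response body."""
    findings = []
    for field, value in payload.items():
        if not isinstance(value, str):
            continue
        for m in PAN_RE.finditer(value):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((field, "pan"))
        if EMAIL_RE.search(value):
            findings.append((field, "email"))
    return findings


def redact_payload(payload):
    """Copy of the payload with detected values masked before it leaves the API."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    out = {}
    for field, value in payload.items():
        if isinstance(value, str):
            value = PAN_RE.sub(mask_pan, value)
            value = EMAIL_RE.sub("[email redacted]", value)
        out[field] = value
    return out


if __name__ == "__main__":
    print("BOLA handler lets bob read alice's order:", get_order_bola("bob", 101))
    print("hardened handler denies bob:", is_denied(get_order, "bob", 101))
    print("DLP findings for alice's own order:", scan_payload(get_order("alice", 101)))
    print("redacted response:", redact_payload(get_order("alice", 101)))
```

In a real deployment the authorization checks live in the application or gateway, while the payload scan sits in the API security layer that sees the response before it reaches the client; the scan's findings are what turn a silent over-exposure into a detectable event.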
As we navigate the new age of data security, securing APIs is more critical than ever. Organizations must prioritize API security in their DLP strategies, not only to guard against data breaches and meet regulatory compliance but also to fortify their defense against the ever-evolving threats posed by cybercrime.
With APIs becoming the gatekeepers of valuable data, our DLP strategies must pivot towards securing these critical links, transforming our approach to data security in this interconnected digital age.
About the Author
Sudeep Padiyar, Senior Director, Product Management at Traceable AI
Sudeep Padiyar is very passionate about cloud native security and feels the technology we are building at Traceable AI will be the foundation for DevSecOps, API Security and Observability for years to come. Prior to joining Traceable he was at Palo Alto Networks, where he started CN-Series, the industry's first Kubernetes next-gen firewall, led automation initiatives for cloud security, and managed cloud network security products. He started his career as an engineer at Cisco building core routers and switched to Product Management for Data Center switching after his MBA from Santa Clara University.
When he is not thinking about technology he likes to coach his kids’ soccer team, play tennis and go for hikes in the SF bay area. He is into teas and likes to brew everything from Masala chai to loose leaf Jasmine tea. He lives in Sunnyvale with his wife and two kids. Sudeep can be reached online at https://www.linkedin.com/in/sudeep-padiyar and our company website https://traceable.ai.