Smarter Security – Is It Time for a New Approach to API Protection

by Mark Perry, APAC Chief Technology Officer at Ping Identity

Digital disruption has resulted in the creation of a myriad of new business models and partnership ecosystems, in an era where collaboration and integration are no longer just nice-to-haves; they’re the currency of competitive advantage.

An explosion in the use of application programming interfaces (APIs) has underpinned much of this transformation. Programmable Web, the de facto journal of the API economy, has documented an extraordinary growth trend since the late 2000s – and one that shows little sign of stopping.

More than 60 per cent of companies believe API integration is critical to their business strategy, according to research published earlier this year.

It’s a trend which has seen many Australian businesses find ways to extract additional value from existing resources and bring new solutions to market faster.

Many organisations have opened their APIs to third party developers, in a bid to broaden their reach, deliver innovative services and generate new revenue streams.

Financial institutions, healthcare providers and retailers have led the charge, with a plethora of initiatives to improve the way they interact with customers, share data with other stakeholders to deliver better outcomes and enhance their levels of service.

APIs also form the vital connective tissue that’s enabled the rise of another hot trend – the Internet of Things (IoT).

They are the interface through which things – from fitness trackers through to maintenance sensors and vehicle location trackers – are connected to the internet, to other devices on the network and to the apps and devices which individuals use to interact with them.

Mind the gap – where traditional API security falls short

Given that APIs are the foundation of so many strategic and business-critical initiatives, ensuring they can’t be disrupted or used inappropriately to enable fraud, theft or breaches of privacy is vital.

To date, the cyber security sector has failed to keep pace with the API explosion and foolproof security measures to safeguard sensitive data and applications are yet to be released.

APIs expand the ‘attack surface’ of the enterprise but are often not adequately protected by traditional security defences. A typical approach to API security might focus on securing access to APIs through the use of identity security solutions and API gateways.

Access control of this nature is powerful but unfortunately not comprehensive. A complementary set of security capabilities is needed to address threats including API-specific denial of service attacks, log-in attacks and application and data attacks.

Given this, expanding the security tool box to accommodate the unique protection requirements of APIs has become an imperative.

The high-tech haystack

Identifying suspicious activity amidst a sea of API traffic is a big data nightmare. Trying to locate a single rogue transaction among tens of thousands can be the high-tech equivalent of searching for a needle in a haystack.

Aside from the sheer volume of traffic, IT staff must contend with multiple types of APIs being used in an array of ways, including in support of applications such as mobile and voice. Separating attacks from legitimate activity is no easy feat in these circumstances and writing policies which work for all APIs is well-nigh impossible.

Meanwhile, new threats continue to emerge, as the digital landscape evolves and hackers become increasingly emboldened – and ever more sophisticated in their assaults.

Does AI hold the answer?

Intelligent API security is shaping up to be a promising answer to this burgeoning issue. Artificial intelligence and machine learning are excellent tools to tackle the challenge of detecting malicious intent within vast amounts of transaction data. They also have the capacity to evolve in situ, as new threats emerge.

AI can be used to identify and block API attacks by learning the range of normal behaviour patterns associated with each API, across multiple environments and sets of circumstances. Over time, anomalous behaviour can be flagged, without written policies or prior knowledge of new attack patterns.
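As an added illustration of the per-API baselining described above (example code written for this page, not Ping Identity’s product), the snippet below learns each API’s normal request volume and authentication-failure ratio from constructed log events, then flags a later one-minute window only when it deviates from that API’s own learned baseline rather than from a hand-written policy. The log format, API names and z-score threshold are assumptions.

```python
"""Per-API behavioural baselines scored with z-scores (added example, not Ping's code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline traffic: (minute, api, http_status). Volumes vary a little per
# minute so each API has a learned spread rather than a hand-written threshold.
BASELINE_LOG = []
for m in range(20):
    n_login = 40 + (m % 5) * 4                  # roughly 10% of logins fail normally
    BASELINE_LOG += [(m, "/login", 401 if i % 10 == 0 else 200) for i in range(n_login)]
    BASELINE_LOG += [(m, "/orders", 200)] * (180 + (m % 4) * 10)

AUTH_ERRORS = {401, 403, 429}

def window_features(log):
    """Reduce raw events to per-(minute, api) request count and auth-error ratio."""
    counts, errors = defaultdict(int), defaultdict(int)
    for minute, api, status in log:
        counts[(minute, api)] += 1
        if status in AUTH_ERRORS:
            errors[(minute, api)] += 1
    per_api = defaultdict(list)
    for (minute, api), n in counts.items():
        per_api[api].append((n, errors[(minute, api)] / n))
    return per_api

def learn_baseline(log):
    """For each API, learn mean and spread of volume and auth-error ratio per minute."""
    model = {}
    for api, rows in window_features(log).items():
        reqs, errs = [r for r, _ in rows], [e for _, e in rows]
        model[api] = {
            # Floors keep a very stable API from turning every small wobble into an alert.
            "req": (mean(reqs), max(pstdev(reqs), 0.1 * mean(reqs))),
            "err": (mean(errs), max(pstdev(errs), 0.02)),
        }
    return model

def score_window(model, api, requests, err_ratio, z_limit=3.0):
    """Return the reasons a one-minute window for `api` deviates from its own baseline."""
    if api not in model:
        return ["unbaselined_api"]           # never seen in training: route to review
    reasons = []
    mu, sd = model[api]["req"]
    if (requests - mu) / sd > z_limit:
        reasons.append("volume_spike")       # API-specific flood / DoS pattern
    mu, sd = model[api]["err"]
    if (err_ratio - mu) / sd > z_limit:
        reasons.append("auth_failure_spike") # login-attack pattern
    return reasons
```

The same volume that is normal for `/orders` would be flagged on `/login`, which is the point of learning a baseline per API instead of one global rule.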

AI-driven API security software is a solution which has the potential to get better and better. There’s real potential for API security to evolve from the historical access control model into a comprehensive protection solution.

The enhanced protection for data, applications and systems which an AI-powered solution promises to deliver may mean more than just peace of mind for management and IT staff. It’s likely to be the firm footing enterprises need to enable them to continue exploiting new opportunities in the API-driven economy with confidence.
