CIO

The dangerous connections that can damage your business: why API security is critical in the digital business era

by Mark Perry, APAC Chief Technology Officer at Ping Identity

Gone are the days when developing and deploying applications was an expensive and time-consuming exercise which could take companies months – and millions of dollars – to complete.

That twentieth-century, resource-heavy modus operandi has been superseded by a development model which allows enterprises to buy or build applications swiftly and link them with other core solutions to create their own customised digital ecosystems.

Central to the model is the API – a form of digital gateway or intermediary which enables systems and applications to communicate and share data simply and easily.

It’s a faster, cheaper and more flexible way of doing things but it comes with a catch. APIs can provide an easy ‘in’ for high-tech hijackers, unless businesses implement robust API security measures.

Counting the cost of unsecured APIs

We’ve seen some of the world’s largest and most digitally advanced businesses fall short on this score in recent years. They include Facebook, which had 50 million user accounts compromised in 2018 by hackers who used its developer APIs to obtain access to members’ profile information, and Snapchat, which fell victim to similar attacks in 2014.

Closer to home, high profile, publicly listed property valuer LandMark White hit the headlines in early 2019 when around 140,000 valuation records and supporting documents were exposed, as a result of an API vulnerability in one of its valuation platforms.

The incident has had a significant effect on the firm’s reputation – and its financial health. Trading in its shares was suspended twice, after the breach was disclosed to the country’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC).

Under the Notifiable Data Breaches scheme, organisations with turnover in excess of $3 million must notify the OAIC and affected parties within 28 days of becoming aware of a breach likely to result in serious harm to the individuals whose personal data was involved.

A number of major lenders halted their dealings with LandMark White while it raced to resolve the issue, a situation which impacted the firm’s revenues, profitability and cash flows, according to its statement to the ASX on February 19 requesting that trading in its shares be suspended.

LandMark White’s share price was down by as much as 47 per cent when trading finally resumed in early May and, by its own reckoning, the firm lost $7 million as a result of the incident.

Understanding the risk

It’s a cautionary tale for other Australian businesses – but what can they do to reduce the chances of falling victim to similar attacks via API?

Understanding the size and nature of the risk is a good start, and businesses cannot formulate and enact protection strategies until they do.

The process begins with keeping track of each and every API across the enterprise. That can be no mean feat for businesses that have dozens or hundreds of APIs embedded within a plethora of systems.

Little surprise, then, that many organisations have failed to rise to the challenge to date. More than 50 per cent aren’t confident their IT teams are aware of all the APIs they currently have in use, according to a 2018 survey of businesses, carried out by Ping Identity.
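The API ‘stocktake’ described above is, in practice, a reconciliation between what the organisation believes it exposes and what its gateways actually serve. The script below is an added illustration, not code from Ping Identity or from this article: it templates numeric path segments so that individual record URLs collapse into routes, counts the routes seen in a constructed sample of gateway access lines, and reports those absent from a constructed list of documented routes. The log format, the route list and the `/internal/export/all` endpoint are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of gateway access lines (method, path, status); not real traffic.
SAMPLE_ACCESS_LOG = """\
GET /v1/valuations/10422 200
GET /v1/valuations/10423 200
POST /v1/valuations 201
GET /v1/valuations/10422/documents/7 200
GET /internal/export/all 200
GET /v1/users/88/profile 200
DELETE /v1/valuations/10424 403
GET /internal/export/all 200
"""

# Constructed: the routes the API team believes exist (e.g. collected from OpenAPI specs).
DOCUMENTED_ROUTES = {
    ("GET", "/v1/valuations/{id}"),
    ("POST", "/v1/valuations"),
    ("GET", "/v1/valuations/{id}/documents/{id}"),
}

NUMERIC = re.compile(r"^\d+$")


def template_path(path):
    """Collapse numeric segments to {id} so /v1/x/10422 and /v1/x/10423 count as one route."""
    return "/".join("{id}" if NUMERIC.match(seg) else seg for seg in path.split("/"))


def observed_routes(log_text):
    """Count every (method, route template) actually seen at the gateway."""
    seen = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        seen[(method, template_path(path))] += 1
    return seen


def find_undocumented(log_text, documented):
    """Routes present in traffic but missing from the inventory, with their hit counts."""
    seen = observed_routes(log_text)
    return {route: hits for route, hits in seen.items() if route not in documented}


if __name__ == "__main__":
    for (method, route), hits in sorted(find_undocumented(SAMPLE_ACCESS_LOG, DOCUMENTED_ROUTES).items()):
        print(f"undocumented: {method} {route} ({hits} requests)")
```

Run against real gateway or load-balancer logs, the undocumented set is the list of endpoints that have never been through the security review the documented ones received, which is exactly the gap the survey figure above describes.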

Locking down the enterprise

Once the API ‘stocktake’ is complete, penetration testing can be used to identify the vulnerabilities that need to be addressed.

Weak authentication procedures, poor session management and security misconfigurations are common attack vectors. All are easy to strengthen.

Ensuring only legitimate users are given access to APIs can be achieved by implementing secure authentication and authorisation controls. Rotating API keys and requiring users to regenerate them regularly can reduce the likelihood of their being compromised.

Meanwhile, basic security controls such as SSL/TLS should be applied to all communications, to protect the integrity of data exchanges.
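The three controls just listed (authentication and authorisation, key rotation with regeneration, and TLS on every call) fit together in one small piece of server-side logic. The following is an added example written for this article, not Ping Identity code: keys are stored only as SHA-256 digests, compared in constant time, carry an expiry, and on rotation the old key is cut back to a short grace window so clients can switch without an outage, while any request arriving over plain HTTP is refused before the key is even examined. The in-memory `KEY_STORE`, the `ak_` key prefix and the scheme argument are assumptions for the example; a real deployment would keep the store in a database behind the gateway.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical in-memory store: client_id -> list of {"digest": str, "expires": datetime}.
# Plaintext keys are never stored; only their digest is kept.
KEY_STORE = {}


def _digest(key):
    # Keys are high-entropy random strings, so a plain SHA-256 digest is sufficient here.
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(client_id, now, ttl):
    """Generate a fresh key for client_id valid until now + ttl; return the plaintext once."""
    key = "ak_" + secrets.token_urlsafe(32)
    KEY_STORE.setdefault(client_id, []).append({"digest": _digest(key), "expires": now + ttl})
    return key


def rotate_key(client_id, now, ttl, grace):
    """Issue a replacement; existing keys keep working only until now + grace."""
    for rec in KEY_STORE.get(client_id, []):
        rec["expires"] = min(rec["expires"], now + grace)
    return issue_key(client_id, now, ttl)


def authenticate(scheme, presented_key, now):
    """Return the client_id for a valid, unexpired key sent over TLS; otherwise None."""
    if scheme != "https" or not presented_key:
        return None
    presented = _digest(presented_key)
    for client_id, records in KEY_STORE.items():
        for rec in records:
            # compare_digest avoids leaking how many leading bytes matched via timing.
            if hmac.compare_digest(rec["digest"], presented) and now < rec["expires"]:
                return client_id
    return None


if __name__ == "__main__":
    t0 = datetime(2019, 6, 1, tzinfo=timezone.utc)
    old = issue_key("valuation-portal", t0, timedelta(days=90))
    new = rotate_key("valuation-portal", t0 + timedelta(days=30), timedelta(days=90), timedelta(days=7))
    print("old key during grace:", authenticate("https", old, t0 + timedelta(days=33)))
    print("old key after grace :", authenticate("https", old, t0 + timedelta(days=38)))
    print("new key over http   :", authenticate("http", new, t0 + timedelta(days=38)))
```

The lookup scans every stored digest; in production a key would carry a public key identifier so the store can be indexed, and the plaintext returned by `issue_key` would be shown to the client exactly once.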

Advanced cyber-security technology can also be applied to the API layer to provide more robust protection than these traditional measures are able to offer.

Monitoring systems incorporating machine learning can be deployed to automatically scan metadata, profile user behaviour over time and flag anomalies that might indicate a breach or unauthorised access.

It’s an efficient answer to the perennial challenge of manual monitoring, an unfeasible proposition in busy IT environments where the number of daily access requests can total in the tens of thousands.
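Behavioural profiling of the kind described in the two paragraphs above does not need a large model to be useful; a per-client baseline and a simple statistical threshold already catch the pattern behind bulk record exposure. The block below is an added example written for this article, not a Ping Identity product or code from the page: it summarises each observation window by the routes a client used and the number of distinct record identifiers it touched, builds a baseline from constructed windows of normal traffic, and then flags a window that either calls a route never seen for that client or touches far more distinct records than the baseline mean plus three standard deviations. The window structure, the sample history and the `/v1/reports/export` route are assumptions made for the example.

```python
import re
import statistics

NUMERIC = re.compile(r"^\d+$")


def template_path(path):
    """Collapse numeric segments to {id} so individual record URLs map to one route."""
    return "/".join("{id}" if NUMERIC.match(seg) else seg for seg in path.split("/"))


def window_features(requests):
    """Summarise one observation window (a list of (method, path)) for a single client."""
    routes, ids = set(), set()
    for method, path in requests:
        routes.add((method, template_path(path)))
        ids.update(seg for seg in path.split("/") if NUMERIC.match(seg))
    return {"routes": routes, "distinct_ids": len(ids), "requests": len(requests)}


def build_profile(history):
    """Learn a client's normal routes and a distinct-record threshold from past windows."""
    feats = [window_features(window) for window in history]
    counts = [f["distinct_ids"] for f in feats]
    mean = statistics.mean(counts)
    spread = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return {
        "known_routes": set().union(*(f["routes"] for f in feats)),
        # Three standard deviations above the mean is the (assumed) alert threshold.
        "id_threshold": mean + 3 * spread,
    }


def flag_anomalies(profile, window):
    """Return a list of (finding, detail) for behaviour outside the learned profile."""
    f = window_features(window)
    findings = []
    new_routes = f["routes"] - profile["known_routes"]
    if new_routes:
        findings.append(("unseen_route", sorted(new_routes)))
    if f["distinct_ids"] > profile["id_threshold"]:
        findings.append(("record_enumeration", f["distinct_ids"]))
    return findings


# Constructed baseline: seven hourly windows in which a portal looked up 12-16 valuations each.
SAMPLE_HISTORY = [
    [("GET", f"/v1/valuations/{10000 + i}") for i in range(n)]
    for n in (12, 15, 14, 13, 16, 15, 14)
]

if __name__ == "__main__":
    profile = build_profile(SAMPLE_HISTORY)
    quiet_hour = [("GET", f"/v1/valuations/{10000 + i}") for i in range(15)]
    busy_hour = [("GET", f"/v1/valuations/{20000 + i}") for i in range(300)]
    busy_hour.append(("GET", "/v1/reports/export"))
    print("threshold:", round(profile["id_threshold"], 2))
    print("quiet hour:", flag_anomalies(profile, quiet_hour))
    print("busy hour :", flag_anomalies(profile, busy_hour))
```

The two findings map directly onto what an operations team would want to know in a case like the one described earlier in the article: a client has started calling an endpoint it never used before, and it is pulling records at a rate no legitimate user of that client ever has.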

Time to act

Advances in API technology have made it possible for businesses in Australia and globally to reduce the cost of deploying and connecting solutions that contribute to productivity and growth.

Reducing the risk that these core systems, and the key data they contain, will be compromised via an insecure API layer makes sound sense for enterprises that want to avoid becoming cyber-security statistics in 2019.