In an ideal world, APIs are intended to streamline cloud computing processes. But it's not always that black and white. There's a gray area where APIs, when left unsecured, can open lines of communication that allow individuals to exploit private data. And there are numbers to back up the reality of this threat.
In 2018 alone, insufficient API security was the cause of at least half a dozen high-profile data breaches. By 2022, Gartner estimates that APIs will be the vector used most frequently in attacks involving enterprise application data.
What Makes Insecure APIs Such a Looming Threat?
One reason cybercriminals are drawn to cloud APIs is that they have become the norm in IT infrastructures. According to a recent study from Imperva, over two-thirds of organizations expose APIs to the public so business partners and external developers can access software platforms. The study results also indicated that the typical organization manages an average of 363 APIs, and 61% of organizations reported that their business strategy relies on API integration.
As dependency on APIs increases, cybercriminals have found two common ways to leverage them for malicious purposes.
The Exploitation of Inadequate Authentication
In some cases, developers create APIs without authentication. As a result, these interfaces are completely open to the internet, and anyone can use them to access enterprise systems and data. Think of it as walking around a neighborhood trying doors until you find one left unlocked.
Profiting From Increased Use of Open Source Software
A component-based approach to software development has become commonplace in the IT world. To save time, many developers incorporate open source software into their code. This can leave many applications open to supply chain attacks. For instance, a developer could download components from public online Docker hubs that are unknowingly tainted with cryptocurrency mining code.
The Best Defense Against Insecure Cloud APIs
To avoid accidental or malicious data exposure via APIs, businesses should consider adopting the following best practices:
Encourage developers to practice good "API hygiene." APIs should be designed with authentication, access control, encryption and activity monitoring in mind. API keys must be protected and not reused.
Rely on standard API frameworks that are designed with security in mind. Examples of this include the Open Cloud Computing Interface (OCCI) and the Cloud Infrastructure Management Interface (CIMI).
Ensure complete visibility into the enterprise security environment. Even with comprehensive policies for cloud API design, security issues are never off the table. Businesses must invest in solutions that provide complete visibility—like network detection and response—so security teams can quickly identify and address API security risks.
To see what network detection and response could reveal about your cloud environment, check out the free trial (in AWS) of ExtraHop Reveal(x) 360.