Why Use Zero-Trust for API Security

Think of APIs as the new network; interconnected in complex ways and with API interactions happening both within and outside  of the organization.

“Public-facing APIs—for example, consumer banking—are usually a key area of focus when it comes to zero-trust,” said Dunne. “This is due to the obvious risk exposure when APIs are documented and made available on the public internet.”

However, the larger risk is found in private and internal APIs, because there is a common assumption that since they aren’t documented or found on a public network, they aren’t exposed.

But as threat actors become more sophisticated in their search for and discovery of private APIs, there is increased risk of the bad guys gaining access to massive amounts of sensitive data. Private APIs need the same layers of protection as public-facing APIs.

“APIs are, by definition, atomic in nature—meaning they can be invoked independently,” explained Setu Kulkarni, vice president, strategy at NTT Application Security in an email interview. “That creates a real challenge for securing these APIs.”

Given that, Kulkarni added, a critical consideration for implementing zero-trust in APIs is to ensure that there is appropriate access control built into the API implementation. Every API function call requires not just authentication but also authorization. Also, adding zero-trust around session validation helps to prevent unintended data leakage.

Integrating Zero-Trust in APIs

API Security in Action