API Security: The Fabric of the Future

Originally published by CXO REvolutionaries.

Written by Sam Curry, VP & CISO, Zscaler.

We cannot solve our problems with the same thinking we used when we created them." - Albert Einstein

The digital landscape is transforming at a breakneck pace. The next frontier? API security. In our interconnected digital world, APIs have become linchpins, the stitches in the fabric that form our increasingly intricate supply networks. More than a supply chain, it's a complex matrix, a "supply fabric," if you will.

APIs are the new supply chain, forming the joints between services, tying together a diverse array of partners, open-source communities, and even competitors. They represent the future of business processes, as critical services grow more reliant on their resilience and anti-fragility.

Our collective focus has been intensely trained on supply chain security for the past two years, a focus echoed by the Administration in its February 24 guidance. But threat actors continue to evolve as they assemble (rather than build in the classic sense) their tools and services, seeking the weakest points for best effect. That leads to the ever more effective and exponentially increasing topography of APIs. It's time to redirect our focus to API security, with their universal accessibility and broad reach as they are becoming the most attractive targets for adversaries.

It's not just about protection against threats; it's also about resilience in the face of stress, system disruptions, and spikes in traffic beyond DDoS-directed traffic. API are the new perimeter. Disasters or rushes for service could overwhelm many points, so our APIs need to be the stalwart guards at the gate, unfaltering under pressure and tested for availability.

Perhaps most significantly, APIs will become the new control plane for security. They hold the promise of delivering fine-grained access controls, new interception points, new instrumentation points and a granular level of security that's unprecedented because of their ubiquity. We should be pushing for standards in this area, embedding security at the DNA level of every API.

But even before we reach that stage, we need to ensure our APIs are secure, even if that means some heavy lifting due to their heterogeneity. This means emphasizing the basics and not accruing security debt now, as we have with many other waves of technology (like IoT, for example). This requires adopting robust security measures, focusing on encryption, authorization, API security posture, run-time security and identity verification. It's about building a solid foundation, only then can we erect the walls of finer-grained controls.

As we traverse this complex supply fabric, we must keep in mind that the weave is only as strong as its weakest thread. Every API, every interaction, every data exchange plays a crucial role in overall security posture. The digital era beckons us to rethink our approach to security.

We are standing on the precipice of a new world, where API security shapes a new control plane, is the supply chain or fabric, and presents a threat landscape for the adversary to develop. We need to adopt the same least trust and ideally zero trust approach to API security that we are looking at for other frontiers in cyber security. As Einstein so eloquently put it, we must adapt our thinking to solve the problems of this new world. Let's heed his words as we usher in the future of API security.