
Protocols are Passé. APIs are Key for Effective Zero Trust Implementation.

Published 04/12/2024

Written by Chandra Rajagopalan, Principal Software Engineer, Netskope.


A really short reminiscence of network and security protocols

From the 1970s to the 2000s, creating new protocols and enhancing existing ones was prevalent among networking and security experts. These protocols influenced the way the industry evolved. Many such protocols were developed, and some are still in use today, albeit less widely. For example, Telnet, NetBIOS, FTP, and SMTP are all protocols that Generation X may not be aware of.

While the development of protocols was aimed at standardizing and making sure everyone spoke the same language, the process came with several problems. One of the main issues was the time it took to develop protocols and to keep them relevant amid perpetual technological advancement. It took time and effort to build consensus, as the work involved several participants from industry, government, and academia who had different priorities. This often led to compromises as well. Another important issue was how the protocols were interpreted and implemented by different people, which created interoperability issues, some subtle and some major.

A relevant example of the problems mentioned above was SMTP. It was first standardized in the early 80s. While the protocol became extremely popular, it came with several problems: lack of sender authentication, no encryption, etc. It relied on a trust-based model, assuming all the mail servers can be trusted and will deliver emails reliably. There were various extensions developed and standardized over time which led to interoperability issues, some of which exacerbated the problems.


The changed landscape of the Zero Trust era

In the 2010s, as Zero Trust thinking gained traction, the number of new protocols developed gradually reduced. The astonishing pace of changes in networking and security, particularly the disappearance of the network perimeter along with the rapid growth of the cloud, forced the need for micro-segmentation and continuous verification, which are some of the basic tenets of Zero Trust.

APIs became popular as cloud and SaaS adoption became widespread. APIs made development, integration, and interoperability much more manageable than traditional protocol development.

APIs allow developers to break down complex systems into modules, with each component exposing its own API. This lends itself to easy extension and fosters innovation. Cloud vendors offered extensive APIs for managing cloud resources, contributing to the popularity of APIs.


Zero Trust and APIs

The Zero Trust approach to security requires that all entities in the network, whether they are internal or external, are never implicitly trusted. Since access control decisions are made based on identity verification and on several contextual factors and not just on network location, the number of factors determining the decision has not only increased but has also become dynamic. This made APIs a natural fit for the role, as they are flexible and adaptable.

Continuous Authentication and Authorization, which plays a crucial role in Zero Trust, can be implemented using APIs. Enforcing fine-grained access control policies based on user role, permissions, device status, location, behavior, etc., can be achieved with APIs. Extending policies with additional attributes is relatively easier and more flexible with APIs.

APIs can enforce data protection policies such as redacting specific data, preventing unauthorized access, and enabling encryption of data in transit, to name a few. APIs offer established ways to enforce rate limiting, which can help protect against malicious or abusive clients and also ensure fair use of resources.

Visibility is important when you try to implement Zero Trust in your environment, and you can achieve this by logging parts of the requests and responses from the APIs. These logs not only help you monitor your network, but can also come in handy should there be an unfortunate security incident.
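
The controls described in this section, combined into one per-request decision point, as an added example that is not from the original article or from any vendor's product. The Gateway class, the policy table, the attribute names, and the sample values are all assumptions made for illustration.

```python
import json, time
from dataclasses import dataclass, field

# Constructed policy: role -> (allowed actions, fields redacted from responses)
POLICY = {
    "analyst": ({"read"}, {"ssn", "card_number"}),
    "admin": ({"read", "write"}, set()),
}
ALLOWED_COUNTRIES = {"US", "DE"}   # constructed sample values
RATE, BURST = 1.0, 3               # token bucket: refill per second, bucket size

@dataclass
class Gateway:
    buckets: dict = field(default_factory=dict)   # user -> (tokens, last_seen)
    audit: list = field(default_factory=list)     # one JSON line per decision

    def _rate_ok(self, client, now):
        tokens, last = self.buckets.get(client, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def handle(self, ctx, action, record, now=None):
        """Re-evaluate identity and context on every call; earlier allows grant nothing."""
        now = time.time() if now is None else now
        actions, redact = POLICY.get(ctx.get("role"), (set(), set()))
        if not self._rate_ok(ctx["user"], now):
            decision = "deny:rate_limited"
        elif action not in actions:
            decision = "deny:role"
        elif not ctx.get("device_compliant"):
            decision = "deny:device"
        elif ctx.get("country") not in ALLOWED_COUNTRIES:
            decision = "deny:location"
        else:
            decision = "allow"
        # Log the decision and its context, never the record payload itself.
        self.audit.append(json.dumps({"ts": now, "user": ctx["user"], "action": action,
                                      "decision": decision, "country": ctx.get("country")}))
        if decision != "allow":
            return decision, None
        return decision, {k: ("[REDACTED]" if k in redact else v) for k, v in record.items()}
```

Because the context is checked on each request, a device that falls out of compliance is denied on its next call even though the same user was allowed a moment earlier.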


Do APIs solve the issues encountered with protocols?

Let’s evaluate APIs against the issues with protocols we identified earlier. Interoperability, which was one of the biggest challenges with different implementations of protocols, is a hallmark of APIs: developing an API does not need extensive collaboration among participants with differing views, as enterprises providing services can decide their APIs themselves. It is also easier and quicker to update APIs when the need arises and to secure them against vulnerabilities. The enterprises providing the APIs and the service have a business need to make sure the APIs serve the needs of their customers.

The API consumers can be provided with building blocks for integrating their services with the API. This paves the way for rapid development and integration. The developers integrating with the API and the service do not need to know the internals of the service implementation.

Now that we have good reasons to have APIs play a significant role in Zero Trust implementation, let us make sure we follow best practices in implementing them. When using an API exposed by another entity, make sure you ask the right questions and validate the answers before you start integrating with it.