The old mentality of building a moat around important assets and trusting anyone or anything that is already inside the castle perimeter has failed us. Attackers have developed many techniques to jump the moat and scale the castle walls to get at what they want. Thus, the new rallying cry is to implement Zero Trust: the notion that no entity, human or machine, inside or outside the perimeter, should be trusted unconditionally until it is authenticated, authorized, and continuously monitored for threats.
The global pandemic has really driven the need for Zero Trust as organizations turn to remote-first work strategies and fully distributed teams. Workers (and their devices) are routinely located outside any remaining vestiges of a network perimeter and should be fully qualified before being given access.
Looking beyond people, there’s another critical area that we must consider for a Zero Trust security model: APIs. A Zero Trust approach is relevant for both clients and servers.
API security is an essential part of any cybersecurity program inside any organization. It can be split into three main parts:
Zero Trust ideology should be applied to each of them separately. In particular, this means you should use threat prevention mechanisms even for authenticated and authorized API connections.
In other words, application security teams should enable threat prevention equally for authenticated clients, authorized API endpoints, and unauthenticated and unauthorized entities.
Let’s now look at API security from the point of view of where endpoints and clients originate, to check how Zero Trust plays there.
To understand how to apply Zero Trust to API security, we have to split all the clients of protected APIs into categories:
Now we can build the following matrix to help DevSecOps and application security teams understand Zero Trust for API security in a simplified form:
| | Internal API (service mesh sidecars, microservices, east-west) | External API (B2B services, CRM, ERP, SSO) | API customers (B2B, partners) | Frontend clients (ReactJS, Angular) | Mobile clients (iOS, Android apps) |
|---|---|---|---|---|---|
| Authentication | Custom | SSO | SSO | Custom | Custom |
| Authorization | API gateway | Custom | Custom | Custom | Custom |
| Threat prevention | Not available | Not available | Not available | Partly WAF | Partly WAF |

The table above reflects an average case for a typical SOC 2-compliant B2B company with API-based products.
As you can see, there are a lot of gaps in threat prevention for internal and external APIs. The main reason is the complexity of parsing API data protocols.
Here are critical considerations for imposing Zero Trust on your APIs.
When you ask people “What is API security?”, many of them mention API authentication. However, API security is actually largely about API threat prevention. Yes, you can, and should, have mTLS between microservices. But you also need to be sure they are protected against relevant threats. This has become even more important today, in COVID-19 times, when many services that were once internal have suddenly become exposed to everyone to support the work-from-home effort.
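The following is an added example, not code from the article, showing the principle stated above and in the earlier point about applying threat prevention even to authenticated and authorized connections: an API request pipeline that authenticates the caller (an internal service via its mTLS certificate subject, or an external partner via an SSO bearer token), authorizes it against a per-endpoint scope, and then runs payload validation on every request regardless of who sent it. The identities, scopes, endpoint schema, limits and the `Request`/`Decision` types are all constructed for the example; the certificate and token lookups are stand-ins for real mTLS and SSO validation.

```python
from dataclasses import dataclass, field
from typing import Optional
import json
import re

# Constructed identity sources. Internal services are identified by the subject
# of their mTLS client certificate (as a service mesh sidecar would present it);
# external callers by an SSO-issued bearer token. Both dicts stand in for real
# certificate and token validation.
MTLS_IDENTITIES = {
    "CN=billing-svc": {"subject": "billing-svc", "scopes": {"orders:read", "orders:write"}},
}
SSO_TOKENS = {
    "tok-partner-crm": {"subject": "partner-crm", "scopes": {"orders:read"}},
}

# Constructed per-endpoint policy: required scope plus a payload schema of
# field -> (expected type, max length or None).
ENDPOINTS = {
    ("POST", "/v1/orders"): {"scope": "orders:write",
                             "schema": {"sku": (str, 32), "qty": (int, None)}},
    ("GET", "/v1/orders"): {"scope": "orders:read", "schema": {}},
}
SKU_PATTERN = re.compile(r"^[A-Z0-9-]+$")
MAX_BODY_BYTES = 4096


@dataclass
class Request:
    method: str
    path: str
    peer_cert_subject: Optional[str] = None   # filled in by mTLS termination
    bearer_token: Optional[str] = None        # filled in from the SSO token
    body: dict = field(default_factory=dict)  # already-parsed JSON body


@dataclass
class Decision:
    allowed: bool
    stage: str    # stage that made the decision: authn, authz, threat or ok
    reason: str


def authenticate(req: Request) -> Optional[dict]:
    """Resolve a caller identity from mTLS first, then from a bearer token."""
    if req.peer_cert_subject is not None:
        return MTLS_IDENTITIES.get(req.peer_cert_subject)
    if req.bearer_token is not None:
        return SSO_TOKENS.get(req.bearer_token)
    return None


def authorize(ident: dict, req: Request):
    """Check that the identity holds the scope the endpoint requires."""
    policy = ENDPOINTS.get((req.method, req.path))
    if policy is None:
        return None, "unknown endpoint"
    if policy["scope"] not in ident["scopes"]:
        return None, f"missing scope {policy['scope']}"
    return policy, ""


def threat_check(policy: dict, req: Request) -> Optional[str]:
    """Payload validation that runs for every caller, trusted or not.
    Returns a rejection reason, or None when the payload is acceptable."""
    if len(json.dumps(req.body).encode()) > MAX_BODY_BYTES:
        return "body exceeds size limit"
    schema = policy["schema"]
    unknown = set(req.body) - set(schema)
    if unknown:
        return f"unexpected fields: {sorted(unknown)}"
    for name, (typ, max_len) in schema.items():
        if name not in req.body:
            return f"missing field {name}"
        value = req.body[name]
        if type(value) is not typ:   # exact match, so bool is not accepted as int
            return f"field {name} has wrong type"
        if max_len is not None and len(value) > max_len:
            return f"field {name} too long"
    if "sku" in schema and not SKU_PATTERN.match(req.body["sku"]):
        return "sku has invalid characters"
    if "qty" in schema and not 0 < req.body["qty"] <= 1000:
        return "qty out of range"
    return None


def handle(req: Request) -> Decision:
    """Authenticate, authorize, then always run threat prevention."""
    ident = authenticate(req)
    if ident is None:
        return Decision(False, "authn", "unknown or missing credential")
    policy, why = authorize(ident, req)
    if policy is None:
        return Decision(False, "authz", why)
    problem = threat_check(policy, req)
    if problem is not None:
        return Decision(False, "threat", problem)
    return Decision(True, "ok", f"{ident['subject']} allowed")


if __name__ == "__main__":
    svc = "CN=billing-svc"
    print(handle(Request("POST", "/v1/orders", peer_cert_subject=svc, body={"sku": "SKU-100", "qty": 3})))
    print(handle(Request("POST", "/v1/orders", peer_cert_subject=svc, body={"sku": "SKU-100", "qty": "3"})))
```

The point of the ordering is the third stage: the `billing-svc` identity passes mTLS authentication and holds the `orders:write` scope, yet a request with a wrongly typed, oversized or unexpected field is still rejected, with `Decision.stage` recording which control fired so the rejection can be logged and counted per stage.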