Data has become an emerging factor of production and a basic, strategic resource for the country, and the resulting data security needs have become increasingly prominent. Since the beginning of 2021, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and other departments have intensively introduced regulatory measures on data security, network information security and other areas involving national security, weaving top-down nets of "data security" and "network security". On July 10, the Cybersecurity Review Measures (Draft for Comments) were released for public comment; on September 1 this year, the Data Security Law of the People's Republic of China will come into effect. Against this background, the demands of the state and enterprises for data protection and security construction have been raised to a new level. As an important channel connecting data and applications, the API is becoming the lever attackers use to pry open the data "honey jar": the API has become the biggest risk exposure in data security.

How to win the "data protection war" in the digital age?

In the digital age, both Internet business innovation and the digital transformation of traditional enterprises have driven the API economy. It can be said that the API is the key technology for the comprehensive digitalization of the traditional industry value chain. It connects not only systems and data, but also the internal functional departments, customers and partners of the enterprise, and even the entire business ecosystem. However, the severe security challenges currently faced by APIs are easily overlooked by managers, and there is no past experience to draw on in dealing with them.
From the API 1.0 era, when APIs were used only for internal service calls, through the API 2.0 era of service-oriented architecture, to the API 3.0 era of open platforms and cloud-native microservices, APIs have gradually shifted from restricted local interfaces to ever greater and broader openness. This has brought developers many benefits, such as public access, standardization, efficiency and ease of use, but at the same time the APIs' own risk exposure has expanded further. Gartner predicted in its report "How to Build an Effective API Security Strategy" that "by 2022, API abuse will become the most common attack vector leading to data breaches in enterprise web applications." In recent years, more and more attackers have been using APIs to carry out automated "efficient attacks". Data security incidents caused by attacks exploiting API vulnerabilities or gaps in API security management have seriously damaged the rights and interests of the companies and users involved, and have gradually attracted attention from all sides. For example: In April 2021, data on 500 million users of the Facebook platform was leaked, including user nicknames, email addresses, phone numbers and home addresses; it was later determined to be a business interface leak. Two months later, data on more than 700 million users of LinkedIn, another well-known social platform, was put up for sale on the dark web, including users' full names, genders, emails, phone numbers, jobs and other personal information; some of this data was reportedly also obtained through API leaks. In 2020, the leak of 350 million Weibo records came from the business logic API of the mobile app being called more than 4 billion times by illegitimate traffic. Also in 2020, the information of 91 million users of Tokopedia, Indonesia's largest e-commerce website, was leaked, including the product information and order information users had browsed; this too was a business interface leak.
Since APIs both connect services and transmit data, API security protection is very important and very sensitive. Overall, the risks faced by APIs include credential loss, unauthorized access, data tampering, illegal crawling, data leakage and many others. Evaluated from the perspective of the API access process, the protection measures implemented should include effective identity authentication, controllable access authorization, screening of the specific data returned in responses, and detection of and response to abnormal access behavior. In most business scenarios, APIs are not deployed with good protection mechanisms when they provide services to the outside world. The reasons are that, on the one hand, because of rapid business iteration, security managers cannot fully grasp how APIs are used, so there is a gap between business and security; on the other hand, the cost of retrofitting security onto existing APIs is huge. In the future, the role of APIs in digital transformation will become ever more important, so effective solutions are urgently needed to protect open and shared core data assets. However, API security management is not easy. The problem is that although most security practitioners recommend hiding resources and reducing exposure and attack surface, APIs that are successfully deployed in a business tend to make resources more open and available. And with the advent of the cloud-native era, APIs have become a must for service delivery under the core architecture of microservices. The security dilemma encountered by APIs is actually a common problem faced by modern network security. Security teams cannot close off the system in order to protect the business, yet they must keep API risk exposure within a controllable range. This requires formulating an API risk management strategy that balances business and security, and building a functional and flexible security management and control platform.
Security management platform eliminates risks invisibly

Although API risk management is not easy, there is still a path to follow. Ruishu Information, a domestic innovative security company, believes that API control should work both inward and outward: know your own situation internally, and unify knowledge and action externally. API security protection is inseparable from the development and management of APIs at the business level. Generally speaking, secure API development requires developers to have knowledge and awareness of API security and to develop and deploy APIs in accordance with secure development specifications: for example, using basic username and password authentication, using API keys or token strings for protection, or verifying user identity and basic information based on the OAuth framework. Beyond the development level, API security control is in fact a process that requires participation and protection across the entire life cycle of development, application, operation and maintenance, which differs from but also resembles traditional network protection. In this context, Ruishu Information launched the API security control platform API BotDefender, which is committed to helping enterprises know and control API security risks. Unlike the many security vendors that simply offer an API security gateway, Ruishu Information fully integrates attack defense capabilities with AI-based data analysis capabilities, and on that basis launched API BotDefender with API perception, discovery, monitoring and protection capabilities; it is an innovative solution that combines the advantages of these two API security approaches. The platform includes four major modules: API asset management, attack protection, sensitive data control and access behavior control, providing a complete security control solution for API interfaces.
The asset management module provides unified management of API assets. It automatically discovers the API assets of protected sites based on data modeling, then sorts, analyzes and brings them online, helping customers achieve life-cycle management of API assets. The attack protection module uses an intelligent threat detection engine that combines rule matching and behavior analysis to continuously monitor and analyze traffic behavior and effectively detect attacks. The engine collects data during the user's interaction with the application and uses statistical models to determine anomalies in HTTP requests; once an anomaly is identified, it applies multiple threat models obtained through machine learning to classify the abnormal attack. The sensitive data control module identifies sensitive data in API transmissions and can desensitize it or intercept it in real time to prevent sensitive data leakage. The access behavior control module analyzes the access behavior of API interfaces, establishes API access baselines and API threat models across multiple dimensions, discovers abnormal access behavior, and avoids business losses caused by malicious access and interface abuse. Together these modules enable API BotDefender to provide full-process API security threat protection from the API client to the API server. API BotDefender can not only quickly and automatically discover APIs and clearly identify the discovered APIs, but also display a clear API list, so that the access status of each API interface is visible at a glance.
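The four controls the article keeps returning to, identity authentication, access authorization, screening of returned data, and detection of abnormal access behavior, can be seen together in a single request pipeline. The following is an added example written for this page; it is not Ruishu Information's code and does not describe how API BotDefender works internally. The tokens, client identities, order records, baseline threshold and window size are all constructed sample values; in a real deployment the token lookup would be an identity-provider call and the baseline would be learned from traffic rather than fixed.

```python
"""Added example (not the vendor's code): a minimal API request pipeline
showing token authentication, scope- and object-level authorization,
masking of sensitive fields in responses, and per-client anomaly
detection against a fixed access baseline. All data is constructed."""
import hmac
import re
from collections import defaultdict

# Constructed sample tokens: token -> (client_id, granted scopes).
# A real service would validate these with an identity provider (e.g. OAuth).
TOKENS = {
    "tok-alice-ro": ("alice", {"orders:read"}),
    "tok-bob-rw": ("bob", {"orders:read", "orders:write"}),
}

# Constructed backend records that contain personal data.
ORDERS = {
    1: {"id": 1, "owner": "alice", "phone": "13800138000",
        "email": "alice@example.com", "item": "book"},
    2: {"id": 2, "owner": "bob", "phone": "13900139000",
        "email": "bob@example.com", "item": "lamp"},
}

REQUIRED_SCOPE = {"GET": "orders:read", "POST": "orders:write"}

# Constructed access baseline: more than this many requests from one client
# inside one window is treated as abnormal access behavior.
BASELINE_MAX_PER_WINDOW = 5
WINDOW_SECONDS = 60
_request_log = defaultdict(list)  # client_id -> timestamps of recent requests


def authenticate(headers):
    """Return (client_id, scopes) for a valid bearer token, otherwise None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison so token checking does not leak timing.
    for known, identity in TOKENS.items():
        if hmac.compare_digest(token, known):
            return identity
    return None


def mask_sensitive(record):
    """Desensitize phone and email fields before the record leaves the API."""
    out = dict(record)
    if "phone" in out:
        out["phone"] = re.sub(r"(\d{3})\d{4}(\d{4})", r"\1****\2", out["phone"])
    if "email" in out:
        local, _, domain = out["email"].partition("@")
        out["email"] = local[0] + "***@" + domain
    return out


def is_anomalous(client_id, now):
    """Record this request and report whether the client exceeds its baseline."""
    window = [t for t in _request_log[client_id] if now - t < WINDOW_SECONDS]
    window.append(now)
    _request_log[client_id] = window
    return len(window) > BASELINE_MAX_PER_WINDOW


def handle(method, path, headers, now):
    """Process one request through all four controls; return (status, body)."""
    identity = authenticate(headers)
    if identity is None:
        return 401, {"error": "unauthenticated"}
    client_id, scopes = identity
    if is_anomalous(client_id, now):
        return 429, {"error": "access rate above baseline"}
    if REQUIRED_SCOPE.get(method) not in scopes:
        return 403, {"error": "forbidden"}
    m = re.fullmatch(r"/orders/(\d+)", path)
    if not m:
        return 404, {"error": "not found"}
    order = ORDERS.get(int(m.group(1)))
    if order is None or order["owner"] != client_id:
        # Object-level authorization: a valid token still may not read
        # another user's order (the kind of interface leak described above).
        return 403, {"error": "forbidden"}
    return 200, mask_sensitive(order)


if __name__ == "__main__":
    alice = {"Authorization": "Bearer tok-alice-ro"}
    print(handle("GET", "/orders/1", alice, now=0.0))   # masked record
    print(handle("GET", "/orders/2", alice, now=1.0))   # 403, not her order
```

The order of checks matters: the rate check runs before authorization so that a client hammering the interface with a valid token is throttled before it can probe for other users' records, and masking is applied on the way out so that even a correctly authorized response never carries a full phone number or email address.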
At the same time, by accurately building API profiles, you can quickly preview the API status of each business, including usage, abnormal situations and access sources, and you can apply dynamic response protection based on the results of behavior analysis or on specified conditions, which raises the difficulty of attacker techniques such as reverse detection and machine-learning analysis. An excellent security management platform should not only fit the business well and have strong security management capabilities, but also be easy to deploy and maintain. In terms of deployment, API BotDefender is very flexible, supporting in-line and bypass mirroring modes as well as software, hardware and cloud forms, which can greatly reduce deployment, management and maintenance costs. It also uses few resources, does not affect the normal operation of the server, and can be deployed without the application being aware of it. Today, API security has become an issue that enterprises need to pay attention to at all times. API services that lack good protection strategies not only threaten the user experience and personal privacy, but also expose enterprises to unknown security risks. To improve API security, developers need to build security into APIs during the design and development phase. Managers, for their part, can use security tools such as API security management and control platforms to better detect and protect against unknown risks, so as to be prepared and prevent problems before they occur.