USE CASE
Protecting APIs and Cloud Native Applications
Cloud native applications are composed of microservices-based applications that are connected via APIs and managed by an agile, more iterative development methodology, commonly referred to as DevOps. The adoption of a cloud-native development approach provides organizations with the ability to react more quickly to competitive and market demands. IDC predicts that by next year, more than 500 million digital apps and services will be developed and deployed using a cloud-native approach.
Core to the notion of cloud-native is the use of microservices, without which organizations would not be able to reap the benefits of reduced resource consumption driven by greater elasticity and scalability. From that perspective, the growth in microservices deployment continues unabated, across all deployment locations – not just the cloud. A survey done by The Software House found that 34% of the 600+ organizations queried were using microservices in their data centers, second only to AWS (49%) in terms of deployment locations with Azure and GCP both at 17%.
Regardless of whether you are deploying a true cloud-native application, or you are deploying a microservices-based application in your data center, there is little doubt that APIs will play a key role in delivering the desired functionality. APIs act as the connective tissue that link application components together, allowing developers to develop and release new features and functionality quickly and easily. The same characteristics of speed, flexibility found in APIs that developers love are also leveraged by attackers, who use their developer skills for malicious purposes with 80% or 1.8 billion of the blocked attacks being API-based. APIs simplify the execution of hard to prevent automated attacks and business logic abuse.
By the Numbers
Organizations projecting that 50% of their applications will run on microservices over next 24 months.
Source
While 74% of organizations surveyed use DevOps, only 47% have incorporated security controls.
Source
Organizations that plan to increase the use of cloud-native techniques for customer facing apps.
Source
Cloud-Native API Protection Is a Business Problem
In an IBM report on the state of microservices, 53% of the respondents stated that security was a top challenge to adoption. Interestingly, the same survey showed that better security was the second most common business benefit at 29% due in part to the immutable nature that containers and microservices environments enable. The slightly contradictory views highlight the challenges that cloud-native applications and microservices environments present to development and security teams.
For cloud-native applications, a new category of security vendors has emerged, which Gartner has named CNAPP (Cloud-native Application Protection Platform) that aims to simplify the underlying complexity of existing security products that are deployed in the cloud. This new category of CNAPP vendors combines the functionality of existing products such as Cloud Security Posture Management (CSPM), Cloud Workload Protection Platforms (CWPP) and Cloud Infrastructure Entitlement Management (CIEM) into one solution. Most CNAPPs connect via out of band APIs into each of the cloud infrastructure components, collecting critical information on configurations, artifacts, software version, containers, CI/CD pipelines and more.
While CNAPP is associated with security products for cloud-native applications, when it comes to APIs, organizations are faced with specifically protecting APIs from bad actors who target APIs directly. This can involve finding authentication coding errors that allow escalated privileges and move east-west within the respective environment. A bad actor may find an API coded without following sensitive data masking and encryption best practices that may cause a compliance violation along with data theft. Just as an API in a traditional, monolithic application can be targeted by an automated attack, so to can a cloud-native or microservices-based application. Hidden behind the attacks themselves, and the direct impact on security lies a larger set of business impacts, that include:
Infrastructure
Whether it’s an automated attack on a perfectly coded API, or a volumetric attack against an API coded without resource or rate limiting (OWASP API#4), the impact on infrastructure teams can cause costs to skyrocket. Worse yet, the web site and mobile app can become non-responsive, resulting in (real) user dissatisfaction.
Data Governance and Compliance
With APIs carrying all the information necessary to execute a transaction, these teams bear the brunt of an API using sensitive data improperly or an authentication error that results in data theft. Industry research shows that the cost of a PCI violation averages $3.86M, resulting in a significant hit to the bottom line.
Development Teams
The attack may have been on a shadow API, or one that did not adhere to specification definitions, the dev team will be impacted by the effort required to find the shadow API, or fix, test, and redeploy the API that is non-conformant. Either way, they are taken away from their tasks at hand.
Marketing, Sales, eCommerce
Depending on the type of attack, these groups may be presented with inflated marketing statistics which turn into poor or misleading sales program decisions, missed revenue projections and damage to vendor relationships.
Customer Satisfaction, PR, Brand
Accenture research has shown that 57% of consumers spend more on brands to which they are loyal, generating 12%-18% incremental revenue growth per year, motivating financial services organizations to be singularly focused on customer retention. A bad experience due to a slow or unavailable website, or a compromised account drives customers elsewhere, resulting in a 5x increase in costs of acquiring a new customer.
Limitations of Traditional Cloud-native Defenses
Today’s security teams simply lack the visibility and defense capabilities they need to reduce the risks introduced by their organizations explosive use of APIs. Many organizations believe that compliance with PCI or SOC 2 and a “shift-left, DevOps” approach is sufficient to protect APIs. They tend to fall short in being able to find and protect against advanced threats and vulnerability exploits. Similar challenges are applicable when microservices and container-based applications are deployed in the data center. Today’s security teams simply lack the visibility and defense capabilities they need to protect the ever-growing risk from APIs and other application connections. Some organizations have adopted a belief that compliance with PCI or SOC 2 guidelines combined with a shift-left, DevOps mentality supported by existing security technologies is sufficient to protect APIs. The problem with these strategies is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs and API vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate transactions in an attempt to steal data or commit fraud.
The Journey to Unified API Protection
Cequence Security believes in taking a holistic approach to defending against API-related data risk with a market-defining Unified API Protection solution that goes beyond API security approaches that may focus solely on one aspect of the API protection journey. Achieving true peace of mind for comprehensive API attack protection means traveling through six distinct steps associated with the Unified API Protection solution:
Discovery: Viewing an organization’s API attack surface from a threat actor perspective to know the unknown.
Inventory: Performing a comprehensive multi-cloud API inventory, including all existing APIs and connections.
Testing: Integrating API protection into development, which shifts API security left within the organization, so risky code doesn’t go live.
Compliance: Keeping APIs in compliance with specifications, standards and regulations such as OWASP and ensuring ongoing API governance.
Detection: Continuous scanning for threats, including subtle business logic abuse, fraud, and automated malicious activity from bots.
Prevention: Employing countermeasures such as alerts, real-time blocking, deception, without the need for added third-party data security tools.
Unified API Protection is different from fragmented or incomplete API security offerings because it’s a methodology designed to account for multiple types of risk, across every phase of the API protection lifecycle.
Why Cequence?
With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless of attackers. It significantly improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
