Data Loss Prevention in an API-Driven World

Article originally published by Sudeep Padiyar on Cybersecurity Insiders.

Preventing data loss has become far more difficult in an API-driven world. Companies lock down sensitive data internally with access controls, encryption, data classification and data loss prevention (DLP) platforms. They typically safeguard web applications with application security tooling or web application firewalls (WAFs). Cloud security is often delivered through a secure access service edge (SASE) architecture that includes cloud access security brokers (CASBs).

However, sensitive data moves freely across internal and external APIs, increasing the risk of accidental or malicious exposure of many kinds of sensitive data. And attackers who exploit APIs don't just steal sensitive data; they also gain a foothold on the systems and infrastructure behind the API, potentially causing extensive operational downtime. Data loss at the API layer needs to be high on the priority list of security and privacy teams, alongside the SASE, CASB and next-generation firewall controls they already rely on.

Leading analysts and research firms have sounded the alarm about growing data security risks via APIs. Gartner has predicted that APIs will become the most frequent attack vector, and that by 2025 more than half of all data thefts from enterprise web applications will be due to insecure APIs. The OWASP API Security Project ranks excessive data exposure as the third most critical API security risk (API3 in its 2019 Top 10; the 2023 edition folds it into Broken Object Property Level Authorization). Recent breaches underline the point: a single API-based attack on T-Mobile exposed the data of 37 million customers, and a Twitter API flaw led to the release of personal data for 235 million users. The cost of remediating such attacks far outpaces the investment it would have taken to secure these APIs from the start.

Protect the Business by Securing APIs

Most enterprises use thousands of APIs to share data with applications and partners and to provide a seamless experience for their customers. This API sprawl makes it hard to gain visibility into and control over these connections, and frequent updates create versioning and documentation drift that complicates API security further.

APIs are now a universal attack vector, but they are also a uniform enforcement point if secured properly. Enterprises that deploy API security platforms gain fit-for-purpose tooling for visibility, monitoring, management and remediation, applied consistently across every API.

Context-aware API security platforms can accurately inventory APIs and detect behavioral anomalies that traditional controls such as WAFs and DLP platforms miss, because each individual request looks legitimate. For example, a graduate student's scraping of millions of Venmo users' transactions through the public API looked like normal API traffic. Similarly, a missing validation check in a Coinbase trading API let users execute trades between accounts that should have been rejected, without being detected.

API security solutions should provide discovery and security posture management, threat protection and threat management, enabling organizations to minimize risk and maximize the value that APIs provide. Tracking sensitive data usage across authenticated and unauthenticated APIs, and demonstrating that compliance requirements are met, has become a core responsibility of information security teams.

Specifically, these capabilities prevent sensitive data exfiltration by:

  • Discovering all APIs: Leading API security platforms automatically and continuously discover APIs, building a living inventory of internal, private, public, externally exposed, rogue, shadow, partner and third-party APIs. They catalog every API together with the data it handles and its sensitive data flows, even as the environment changes constantly.
  • Improving API security posture management: Building on that visibility, a next-generation API security platform creates a risk profile for every API. Teams use these insights to determine which APIs are most exposed to attack and abuse so they can remediate them first. The platform further reduces risk by identifying endpoints that handle sensitive data but lack appropriate authentication or zero-trust access policies, so teams can prioritize which APIs need stronger controls to protect enterprise systems and data.
  • Real-time threat protection: With detailed contextual knowledge, leading API security platforms can automatically detect and remediate API attacks and business-logic abuse, as well as fraud and sensitive data exfiltration from production environments. These platforms establish a baseline of normal behavior and quickly detect anomalies that could indicate a security risk, such as a flood of API calls from an unexpected IP address or geography. They also correlate suspected incidents across multiple dimensions (endpoint, network, application and API behavior), giving security teams a holistic view of how attacks are distributed, organized and progress over time. On that basis they can build a fingerprint for each user that improves anomaly detection and the clustering of fraud rings.
  • Data loss prevention: DLP software monitors and controls endpoint activity, filters data streams at the API layer and monitors data in the cloud to protect data at rest, in motion and in use. API-layer DLP must also provide reporting that meets compliance and audit requirements, and surface weaknesses and anomalies for forensics and incident response. In practice, all sensitive data transferred at the API layer must be monitored continuously to detect excessive data exposure using multiple attributes: the volume of sensitive data returned, the source of the traffic (bot, residential proxy), geolocation, connection type, IP reputation and so on.
  • Enhancing threat management: Modern API security platforms provide rich security and application-flow analytics that help teams reveal previously unknown API threats and visualize user behavior to uncover fraud and abuse. These tools and data help security operations staff, incident responders, threat hunters and red and blue teams improve their processes, giving them insights to harden APIs and prevent data breaches, ransomware, API abuse and data exfiltration.
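The posture check in the second bullet (endpoints that return sensitive data without authentication) and the continuous API-layer monitoring in the fourth bullet (excessive exposure judged by volume plus source attributes) can both be sketched in a few dozen lines. The Python below is an added example written for this page, not Traceable's code; the API inventory, the log records, the datacenter ASN list, the sensitive-field names, the user-agent patterns and the thresholds are all constructed for illustration.

```python
# Added example (not Traceable's code). Part 1 scans a constructed API inventory
# for endpoints that return sensitive fields without an authentication
# requirement (posture). Part 2 scans constructed API response log records,
# classifies sensitive values (card numbers via Luhn, SSNs, emails) and flags
# excessive exposure per client using volume plus source attributes.
import re
from collections import defaultdict

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # card number candidates; Luhn confirms

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters phone numbers and other IDs out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(body: str) -> dict:
    """Count sensitive values in one response body."""
    counts = {"ssn": len(SSN_RE.findall(body)),
              "email": len(EMAIL_RE.findall(body)), "pan": 0}
    for cand in PAN_RE.findall(body):
        if luhn_ok(re.sub(r"\D", "", cand)):
            counts["pan"] += 1
    return counts

# Part 1: posture. The inventory is a simplified, constructed stand-in for an
# OpenAPI document: response fields are listed directly instead of via $ref,
# and an operation-level "security": [] removes the global requirement.
SENSITIVE_FIELDS = {"ssn", "card_number", "email", "date_of_birth", "password_hash"}
SAMPLE_SPEC = {
    "security": [{"bearer": []}],
    "paths": {
        "/users/{id}": {"get": {"response_fields": ["id", "name", "email", "ssn"]}},
        "/users/{id}/export": {"get": {"security": [],
                                        "response_fields": ["id", "email", "card_number"]}},
        "/health": {"get": {"security": [], "response_fields": ["status"]}},
    },
}

def posture_findings(spec: dict) -> list:
    """Endpoints whose responses carry sensitive fields but require no auth."""
    findings = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            exposed = sorted(set(op.get("response_fields", [])) & SENSITIVE_FIELDS)
            has_auth = bool(op.get("security", spec.get("security")))
            if exposed and not has_auth:
                findings.append((method.upper(), path, exposed))
    return findings

# Part 2: runtime. Constructed log records; the ASN set stands in for an
# IP-reputation feed and the thresholds are illustrative.
DATACENTER_ASNS = {"AS16509", "AS14618"}
BOT_UA_RE = re.compile(r"python-requests|curl|scrapy|bot", re.I)
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"

def sample_records() -> list:
    user = '{"id": 1, "name": "Alice", "email": "alice@example.com"}'
    scraped = '{"id": 7, "email": "user7@example.com", "alt": "alt7@example.org", "ssn": "123-45-6789"}'
    cards = ('{"cards": ["4111 1111 1111 1111", "5555555555554444", "378282246310005", '
             '"6011111111111117", "4012888888881881", "5105105105105100"]}')
    recs = [{"client_ip": "203.0.113.10", "user_agent": BROWSER_UA, "asn": "AS64496",
             "authenticated": True, "body": user} for _ in range(2)]
    recs += [{"client_ip": "198.51.100.7", "user_agent": "python-requests/2.31", "asn": "AS16509",
              "authenticated": False, "body": scraped} for _ in range(4)]
    recs.append({"client_ip": "192.0.2.44", "user_agent": BROWSER_UA, "asn": "AS64496",
                 "authenticated": True, "body": cards})
    return recs

def excessive_exposure(records: list, pan_limit: int = 5, record_limit: int = 50) -> list:
    """Aggregate sensitive values per client IP; alert on volume and source context."""
    per_client = defaultdict(lambda: {"ssn": 0, "email": 0, "pan": 0, "flags": set()})
    for r in records:
        agg, c = per_client[r["client_ip"]], classify(r["body"])
        for k in ("ssn", "email", "pan"):
            agg[k] += c[k]
        if BOT_UA_RE.search(r["user_agent"]):
            agg["flags"].add("bot-ua")
        if r.get("asn") in DATACENTER_ASNS:
            agg["flags"].add("datacenter-source")
        if r.get("authenticated") is False and sum(c.values()) > 0:
            agg["flags"].add("unauthenticated-sensitive")
    alerts = []
    for ip, agg in per_client.items():
        total = agg["ssn"] + agg["email"] + agg["pan"]
        limit = record_limit // 10 if agg["flags"] else record_limit  # stricter for suspect sources
        if agg["pan"] > pan_limit or total > limit:
            alerts.append({"client_ip": ip, "sensitive_values": total,
                           "pan": agg["pan"], "flags": sorted(agg["flags"])})
    return alerts

if __name__ == "__main__":
    print("posture:", posture_findings(SAMPLE_SPEC))
    print("runtime:", excessive_exposure(sample_records()))
```

Two points the code makes that the bullets only state: the posture scan reports only the export endpoint, because the profile endpoint inherits the global bearer requirement even though it returns the same PII, and the runtime scan alerts on two very different clients, a scripted, unauthenticated datacenter source that trips a low threshold after a handful of records, and an ordinary authenticated browser session that is flagged purely on the volume of card numbers it received. Regex classifiers on their own produce noise, which is why the Luhn check on PAN candidates matters; in a real deployment the same logic would run at the gateway or on mirrored traffic with a proper IP-reputation feed.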

The Bottom Line

The best time to begin securing APIs is today, before malicious individuals or groups gain control over these vital connections and use them to harm your business. Modern API security platforms provide the holistic visibility and tooling needed to monitor and mitigate these risks in real time: discovering all APIs, improving security posture management, protecting against threats, protecting critical data, enhancing threat management and building a culture of continuous improvement.

Any business can keep fueling growth by deploying and managing APIs securely with a fit-for-purpose API security platform, while protecting itself and its customers from debilitating attacks and data theft.


About Traceable

Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.