Why the Pentagon Needs to Factor in API Security to Establish a True Zero Trust Strategy


President Biden’s Executive Order on Cyber Security, issued in 2021, provides a strong vote of confidence for Zero Trust security models. The order requires that federal agencies rapidly develop plans to implement Zero Trust architectures, evaluate the sensitivity of their unclassified data holdings, and enable multi-factor authentication and data encryption, among other mandates. In response, the US Department of Defense (DoD) has released its Zero Trust strategy and roadmap.

The plan includes more than 100 activities and new capabilities aligned against Zero Trust’s seven pillars: devices, users, data, networks and environments, applications and workloads, automation and orchestration, and visibility and analytics. And demonstrating that the DoD has its finger on the pulse of emerging industry vulnerabilities, API security is considered in many of the key security activities the agency plans to undertake.

The enduring success of Zero Trust is due to its flexibility, focus, and ability to deliver results. Zero Trust architectures use multiple security layers and technologies, such as network access management, identity and access management, and user, application, and workload security, to protect enterprise assets. These models “trust no one,” assuming adversaries are already present in, or able to access, different parts of the application and infrastructure stack. As a result, systems continuously verify users, devices, and access attempts.

The model works because it provides a simple and repeatable methodology teams can use to continuously enhance security. IT teams discover and prioritize assets, map and verify transactions, develop Zero Trust standards and designs, implement new systems, and report on and maintain them, over and over.

Using this approach, Zero Trust architectures enforce security policies across networks, clouds, and endpoints, simplifying management processes and standardizing access and security across use cases.

By doing so, Zero Trust technologies segment networks to prevent attackers’ lateral movement and protect business-critical data, applications, and infrastructure from unauthorized access and usage.


APIs Are the New Perimeter of Zero Trust Security 

However, to date, APIs have been largely neglected by Zero Trust models. In addition, digital transformation demands and DevSecOps processes at organizations have created new gaps and vulnerabilities attackers can exploit. 

The DoD’s heightened focus on API security shines a light on the need for organizations to apply a Zero Trust lens to these problems. A 2021 Dark Reading survey found that 41 percent of organizations treat APIs the same as web applications, only 23 percent have a dedicated process for evaluating API security, and an astonishing 18 percent don’t perform security testing on APIs at all. Clearly, there is work to be done to strengthen API security. 

Many security solutions such as Web Application Firewalls (WAFs) only scan the edge. However, organizations are increasingly pushing technology and services past the perimeter. IT teams are using or developing cloud- and microservices-based applications and leveraging APIs to connect to partners, customers, and other third parties. APIs connect applications and their various components and also communicate between users, non-person entities (NPEs), and other applications. It’s not an overstatement to say that APIs are everywhere, connecting almost everything.

Expanding Zero Trust security concepts to the API interface and implementation layers ensures that communication services get the same protection afforded to other resources.


Enable Zero Trust API Access to Improve Enterprise and Data Security 

The good news is that 94 percent of CISOs are planning to implement Zero Trust strategies, although only 20 percent have actually done so. CISOs are developing Zero Trust models around an array of frameworks including CISA (35 percent), NIST (22 percent), IEEE (17 percent), Forrester (16 percent), CSA (seven percent), and others.

In many frameworks, API security has yet to be explicitly addressed. For example, two of the six tenets of the NIST framework (NIST SP 200-87) discuss securing communication and using dynamic policies to grant resource access. We hope that in future versions of NIST and other frameworks, API security will be explicitly discussed and firm guidance given, so that organizations can develop and implement stronger security controls to protect these vital resources.

To this end, the DoD’s Zero Trust strategy, roadmap, and 100 security activities offer insight and help to other organizations seeking to evolve their API security program at pace. 



About Traceable

Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.