Almost Half of Enterprises Experience Substantial API Security and Privacy Issues
February 28, 2022

Jason Needham
Cloudentity

Application programming interfaces (APIs) are the underpinnings of digital transformation and represent 83% of all web traffic. Serving as the fabric of modern service delivery and app development, the logic and sensitive data APIs can expose have made them a high-value target for cybercriminals. In fact, the amount of API cyberattacks has spiked in the last year. According to Enterprise Strategy Group (ESG) analysts, "attackers are setting their sights on unprotected APIs, and API attacks will see a banner year in 2022."

To study common API issues and how IT practitioners are facing these challenges, Cloudentity conducted its 2021 State of API Security, Privacy and Governance Survey with independent research firm Pulse QA. The report highlights how enterprises are advancing API-first programs in their organization and reveals key issues, drivers, maturity, investments and benefits. It surveys 300 technology decision-makers and practitioners responsible for API management and security in large organizations across industries such as financial services, healthcare, retail, high tech and consumer packaged goods (CPG).

The findings of the study revealed that in just the last 12 months, a staggering 44% of enterprises have experienced substantial API security issues concerning privacy, data leakage and object property exposure. Given this significant problem, let's take a closer look at the other key findings of the survey and discuss how enterprises can take better control of their API security to improve data governance and privacy practices.

1. Only 2% of enterprise IT practitioners feel completely confident in their organization's ability to reduce API security issues such as unauthorized access, data privacy, compliance risk and security threats.

This finding is surprising, given the prevalence of API attacks in 2021 alone. In addition, Gartner predicts that by 2022, API attacks will become the most frequent attack vector, causing data breaches for enterprise web applications. Security teams and IT professionals must be aware of the added risk APIs bring due to the widened attack surface when exchanging sensitive data across APIs and learn how to mitigate this risk. The API security survey also measured the top five contributors to API identity and authorization risk. The top five were identified by IT practitioners as component-driven development complexity, difficulty to diagnose issues and lack of data lineage, and inconsistent security policy management and enforcement controls.

To secure every API, enterprises should implement solutions that provide fine-grained authorization with the intelligence to understand the specific conditions and parameters in which data can be shared. Modern authorization technologies and techniques can securely verify both user and service identity while mitigating inconsistencies and errors associated with traditional identity and access management (IAM) solutions. A Zero Trust approach is also critical to determine the "who, what, where, when and why” of each transaction and to define each policy and user permissions based on their context.

2. The vast majority, 97%, of enterprises experienced delays in releasing new apps and service enhancements due to identity and authorization issues with APIs and services.

In addition to the security concerns involved, delays in releasing new apps and services can hurt a company's revenue when time-to-market goals are not met. To overcome these delays, many enterprises are adopting pre-built solutions to automate application authorization and consent, which speeds up deployments and time-to-market for new services.

With modern application authorization and consent, enterprises have increased visibility and control over where API data is shared and how it flows between APIs and distributed services, whether it is on-premise or in the cloud. In turn, this improves the organization's development agility, mitigates risk and enables faster delivery of new applications and enhancements.

3. Looking ahead, 93% of organizations plan to increase budget and resources applied to secure API development and security programs, and the majority (64%) plan an increase as much as 15%.

Enterprise IT practitioners' top motivators for investing in API security and governance initiatives are reducing human error in manual coding, preventing data leakage of sensitive information, compliance, data privacy and threat prevention. The top five API security initiatives include extending authentication and authorization controls down to APIs and microservices, implementing Zero Trust controls, invoking declarative authorization (policy as code), implementing micro-segmentation, and facilitating API discovery, classification and inventory.

In addition, the survey showed that the financial services industry intends to spend 15% more budget on API security than other sectors, with compliance and privacy priorities driving them to make larger investments.

Planning API Security Strategies for 2022

Two-thirds of cloud breaches can be attributed to misconfigured APIs, so it's clear that this is an issue that IT and security teams can no longer afford to overlook. Nevertheless, APIs are essential for driving new digital business revenue growth for enterprises as they extend data to partners and customers. Organizations need to improve their API access controls to govern how information is shared, as well as scale policy enforcement across an expanding set of data endpoints. The requirements for managing API access are getting stricter and more complex with regulation and user data privacy requirements, so now, customers have increased control of how their data is being shared with each third party.

Progressing API security is paramount to ensure the integrity, management and protection of internal and external-facing APIs and service pathways. As part of API-first programs, developers, IT practitioners and security teams are endeavoring to modernize their applications and protect each and every API transaction, including those between the services that they deliver. This means a Zero Trust approach for API access, which provides a critical layer of protection for APIs. This is critical regardless of where data is being shared, whether it's to another application service, a partner, a customer, or a remote IoT device. The goal is every data request needs to be authorized and auditable in real-time.

Jason Needham is CEO of Cloudentity
Share this

Industry News

December 19, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).

December 19, 2024

Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.

December 18, 2024

Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.

December 18, 2024

Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.

December 17, 2024

Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.

December 17, 2024

Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.

December 17, 2024

Kindo formally launched its channel partner program.

December 16, 2024

Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.

December 16, 2024

Fastly announced the general availability of Fastly AI Accelerator.

December 12, 2024

Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.

December 12, 2024

vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.

December 11, 2024

CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.

December 11, 2024

Grid Dynamics announced the launch of its developer portal.

December 10, 2024

LTIMindtree announced a strategic partnership with GitHub.