How APIs are shaping zero trust, and vice versa


Two things are true in the cybersecurity space.

First: zero trust has become one of the most talked-about and effective frameworks for digital security. Second: the rampant growth of APIs, and the vulnerabilities that come with them, has made it harder than ever for companies to protect their data and assets.

While it may feel like the solution is simply to apply zero trust practices to APIs, it’s not that simple. Securing APIs poses unique challenges: they are part of a constantly changing landscape, they attract low-and-slow attacks designed specifically for APIs, and they make it difficult to apply shift-left tactics that embed security at the development stage.

As companies of all sizes continue to leverage APIs, the cybersecurity space has reached a critical juncture. API security needs to account for zero trust, and zero trust practices need to be revisited with APIs in mind. But what does that look like in practice?


The threat of APIs

Application programming interfaces, or APIs, have become the building blocks for modern applications. They fulfill the critical role of connecting the dots between data and services, enabling critical business operations and enhancing product capabilities. It’s no surprise that, per a recent study, 26% of businesses use at least twice as many APIs as they did a year ago.


However, the very communication and data-sharing functionality that makes APIs such critical assets is also what makes them prime targets for attackers. Because they are now so widespread, APIs have become an increasingly important attack vector for cybercriminals: the average number of API attacks grew by 681% in the last year.

Once they compromise an API, attackers can do anything — from impacting the user experience to stealing sensitive data and holding it ransom.

API-driven apps: The need for zero trust

As a security model, zero trust removes implicit trust from a system in order to secure it. No request is trusted by default, regardless of who is making it or where and from what device it originates, until the caller’s identity has been verified and its access to the requested resource has been authorized. The model also calls for robust visibility into all access activity taking place across critical data, assets, applications and services.

The thing is, when it comes to API-driven applications, there can be hundreds or thousands of microservices. This reality makes it particularly difficult for security teams to have visibility into how each microservice is being accessed and by whom. And since many API security strategies take a blanket approach to securing all these elements, without accounting for the nuances between each API, there can be a lot of unseen vulnerabilities ripe for the picking.

The shift that comes with a zero trust approach is twofold: API security is managed in a microsegmented way, with policy applied per API rather than as a blanket, and each API is granted least-privilege access. Done per API, this also forces the inventory work that surfaces the rogue and forgotten APIs that are a common challenge today, and it limits the damage any one of them can do.

Where an API meets a zero trust model

While leveraging a zero trust model in APIs may require some creative thinking and upfront efforts to get right, there are a few ways to bring these two elements together. Consider these three areas, for instance.

Authentication and authorization

When it comes to APIs, users should be both authenticated and authorized: their identity verified, and their permission to call that particular API confirmed based on their role or level of access. Every caller should be treated as a potential threat, and the checks should run on every request, not only on the first one in a session.

That said, many API attacks come through an authenticated user, as attackers use social engineering or stolen credentials to take over individual accounts. As such, authentication should be strong and continuous, and paired with robust monitoring, to stop compromised accounts in their tracks.

When it comes to authorization, not everyone should have access to every API. Organizations should use an access control framework (role- or attribute-based access control, for instance) to gain granular control over who can call a given API, and they should enforce it at two levels: the function level (may this role call this endpoint at all?) and the object level (may this particular caller touch this particular record?). Many real API breaches succeed at the second level even when the first is in place.
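The following is an added example, not code from the original article or from any product it mentions. It shows what the two checks above look like at an API gateway: the caller’s token is verified (algorithm pinned, signature compared in constant time, expiry enforced), then a deny-by-default route policy decides whether the role may call the endpoint, and an object-level rule decides whether the caller may touch the specific record. The routes, roles, signing key and claim names are hypothetical and invented for the example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Constructed signing key for this example only. A real service loads it from a
# secret store, and asymmetric (RS256/ES256) tokens are preferable when more
# than one service must verify them.
SIGNING_KEY = b"example-only-hs256-key-do-not-reuse"

# Deny-by-default route policy: the roles allowed to call each (method, route).
# Routes and roles are hypothetical, invented for this example.
ROUTE_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/v1/orders/{id}"): {"customer", "support"},
    ("DELETE", "/v1/orders/{id}"): {"support"},
    ("GET", "/v1/admin/audit"): {"auditor"},
}
# Roles that may act on records they do not own; everyone else is owner-only.
PRIVILEGED_ROLES = {"support", "auditor"}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT. Used here only to build example inputs."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise ValueError for anything else.

    The algorithm is pinned, so a token claiming alg=none or another algorithm
    is rejected before its signature is even looked at; the MAC is compared in
    constant time; and a missing or past 'exp' fails the request.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    current = now if now is not None else time.time()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(claims: dict, method: str, route: str, resource_owner: Optional[str]) -> bool:
    """Function-level check (is this role allowed on this route?) followed by an
    object-level check (may this caller touch this particular record?)."""
    allowed = ROUTE_POLICY.get((method, route))
    if allowed is None:
        return False  # unknown route: deny by default
    roles = set(claims.get("roles", []))
    if not roles & allowed:
        return False
    if resource_owner is not None and not roles & PRIVILEGED_ROLES:
        return claims.get("sub") == resource_owner
    return True


def handle_request(token: str, method: str, route: str, resource_owner: Optional[str], now: float) -> int:
    """Status the gateway would return: 401 for a bad token, 403 for a policy
    denial, 200 when both checks pass."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return 401
    return 200 if authorize(claims, method, route, resource_owner) else 403
```

The point worth noticing is the order of the failures: a customer with a perfectly valid token reading someone else’s order gets a 403 from the object-level rule, which is the check that a role-only policy would have skipped.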

Data access and least privilege

In today’s tech-enabled companies, most of the organization’s data is reachable via APIs, but there is not always clear visibility into which APIs expose which data or what level of access users have through each one. It is also common practice to return more data than the client actually needs, and to write back a whole object at a time instead of only the fields that should change; this is how excessive data exposure and mass assignment flaws arise. Following the zero trust tradition of least-privilege access, there need to be clear parameters around what data each API shares, in both directions. Security teams also need policies and measures in place to protect sensitive data at rest and in motion, and to monitor where it is being sent.
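As an added example (not code from the original article), here is the habit the paragraph describes next to its least-privilege replacement. The naive handlers serialize the whole stored object and write the whole request body back; the hardened ones use a per-role read allowlist, so a new sensitive column cannot leak by default, and a per-role write allowlist with validators, so a field the caller may not set is rejected rather than silently accepted. The record, roles and field names are constructed for the example.

```python
from typing import Any, Callable, Dict, Set

# Constructed account record, as a naive handler might pull it straight from
# the database. Field names are invented for this example.
STORED_ACCOUNT: Dict[str, Any] = {
    "id": "acct-42",
    "email": "alice@example.com",
    "display_name": "Alice",
    "balance_cents": 125_000,
    "ssn_last4": "1234",
    "is_admin": False,
    "credit_limit_cents": 500_000,
    "password_hash": "$2b$12$example-hash",
}


# --- The common practice the text describes ----------------------------------

def naive_serialize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Returns the whole object: every consumer gets password_hash, is_admin, ..."""
    return dict(record)


def naive_update(record: Dict[str, Any], body: Dict[str, Any]) -> Dict[str, Any]:
    """Writes the request body back over the object. A client that adds
    {"is_admin": true} to an innocent profile update becomes an admin."""
    updated = dict(record)
    updated.update(body)
    return updated


# --- Least-privilege data access: allowlists per role ------------------------

# Fields each kind of consumer may read. Anything not listed is never serialized.
READ_FIELDS: Dict[str, Set[str]] = {
    "public": {"id", "display_name"},
    "owner": {"id", "email", "display_name", "balance_cents"},
    "support": {"id", "email", "display_name", "balance_cents", "ssn_last4"},
}


def _is_email(v: Any) -> bool:
    return isinstance(v, str) and "@" in v and len(v) <= 254


# Fields each role may write, each with a validator. Disallowed fields are
# rejected, not silently dropped, so probing shows up in the logs.
WRITE_FIELDS: Dict[str, Dict[str, Callable[[Any], bool]]] = {
    "owner": {
        "email": _is_email,
        "display_name": lambda v: isinstance(v, str) and 0 < len(v) <= 64,
    },
    "support": {
        "email": _is_email,
        "credit_limit_cents": lambda v: isinstance(v, int) and 0 <= v <= 1_000_000,
    },
}


def project(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Return only the fields the role is entitled to see (nothing for unknown roles)."""
    allowed = READ_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def apply_update(record: Dict[str, Any], role: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Apply a write selectively: refuse the whole request if it names a field the
    role may not write or carries a value that fails validation."""
    allowed = WRITE_FIELDS.get(role, {})
    rejected = sorted(k for k in body if k not in allowed)
    if rejected:
        raise PermissionError(f"role {role!r} may not write fields {rejected}")
    invalid = sorted(k for k, v in body.items() if not allowed[k](v))
    if invalid:
        raise ValueError(f"invalid values for fields {invalid}")
    updated = dict(record)
    updated.update(body)
    return updated
```

Rejecting rather than ignoring unexpected fields is a deliberate choice: a silently dropped `is_admin` tells the attacker nothing and tells the defender nothing either, whereas a 403 on that request is exactly the kind of signal the monitoring discussed below should be fed.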

Visibility and monitoring

Having clear visibility into all access activity is a vital component of a zero trust framework, and it is particularly important with APIs. Attackers have evolved to use business logic attacks that exploit legitimate functions for nefarious ends, so any single request can look perfectly valid. This means security teams need automated monitoring that is set up to identify small shifts in user behavior over time, not just spikes in volume.

Within a given API, this also requires collecting telemetry and metadata that provide a complete view of the API: how it behaves, which callers use which endpoints and how many distinct objects they normally touch, and what its business logic looks like. With that baseline set, it is easier to spot shifts in the landscape that might point to an attack.
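The following is an added example, not code from the original article or any tool it refers to. It builds the per-caller baseline just described from constructed access-log lines (JSON lines with invented field names) and then compares later traffic against it. The constructed scenario is the low-and-slow case the article mentions: a valid token that normally reads a few orders an hour starts walking order IDs at one request every two minutes, a rate no per-minute limit would notice, and mostly collects 403s. The detector works on hour-long windows, so it flags the enumeration, the denial ratio, and a first-ever call to an admin endpoint.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Tuple


def _line(ts: datetime, sub: str, method: str, route: str, object_id, status: int) -> str:
    return json.dumps({"ts": ts.isoformat(), "sub": sub, "method": method,
                       "route": route, "object_id": object_id, "status": status})


def constructed_logs() -> Tuple[List[str], List[str]]:
    """Constructed sample logs, not real traffic; field names are invented.
    Baseline: 'alice' reads four of her own orders each morning for three days.
    Observed: the same identity walks sixty order IDs at one request every two
    minutes, mostly receiving 403s, then tries an admin endpoint once."""
    t0 = datetime(2023, 1, 2, 9, 0, tzinfo=timezone.utc)
    baseline = [
        _line(t0 + timedelta(days=d, minutes=15 * i), "alice", "GET", "/v1/orders/{id}",
              f"ord-{1000 + i}", 200)
        for d in range(3) for i in range(4)
    ]
    observed = [
        _line(t0 + timedelta(days=5, minutes=2 * i), "alice", "GET", "/v1/orders/{id}",
              f"ord-{2000 + i}", 200 if i % 10 == 0 else 403)
        for i in range(60)
    ]
    observed.append(_line(t0 + timedelta(days=5, hours=2), "alice", "GET", "/v1/admin/audit", None, 403))
    return baseline, observed


def parse_log(lines: List[str]) -> List[Dict[str, Any]]:
    """JSON-lines access log -> events sorted by time."""
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def _windows(events: List[Dict[str, Any]]):
    """Group events by (subject, start of the clock hour). An hour is long enough
    for one-request-every-two-minutes to add up to something visible."""
    buckets = defaultdict(list)
    for e in events:
        start = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["sub"], start)].append(e)
    return buckets


def build_baseline(events: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per subject: the routes it normally calls and the most distinct object IDs
    it touched in any one window. This is the record of what normal looks like."""
    baseline: Dict[str, Dict[str, Any]] = {}
    for (sub, _), evs in _windows(events).items():
        b = baseline.setdefault(sub, {"routes": set(), "max_objects_per_window": 0})
        b["routes"].update((e["method"], e["route"]) for e in evs)
        distinct = len({e["object_id"] for e in evs if e["object_id"]})
        b["max_objects_per_window"] = max(b["max_objects_per_window"], distinct)
    return baseline


def detect(events, baseline, enum_factor=3, enum_floor=10, denial_ratio=0.5, min_requests=10):
    """Compare each subject-window against that subject's baseline; return findings."""
    findings = []
    for (sub, start), evs in sorted(_windows(events).items(), key=lambda kv: (kv[0][1], kv[0][0])):
        base = baseline.get(sub)
        if base is None:
            findings.append({"sub": sub, "window": start, "kind": "unknown_subject", "detail": len(evs)})
            continue
        new_routes = {(e["method"], e["route"]) for e in evs} - base["routes"]
        if new_routes:
            findings.append({"sub": sub, "window": start, "kind": "new_route", "detail": sorted(new_routes)})
        distinct = len({e["object_id"] for e in evs if e["object_id"]})
        if distinct >= max(enum_floor, enum_factor * base["max_objects_per_window"]):
            findings.append({"sub": sub, "window": start, "kind": "object_enumeration", "detail": distinct})
        denied = sum(1 for e in evs if e["status"] in (401, 403, 404))
        if len(evs) >= min_requests and denied / len(evs) > denial_ratio:
            findings.append({"sub": sub, "window": start, "kind": "high_denial_ratio",
                             "detail": round(denied / len(evs), 2)})
    return findings


def run_example():
    base_lines, obs_lines = constructed_logs()
    baseline = build_baseline(parse_log(base_lines))
    return detect(parse_log(obs_lines), baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f["window"].isoformat(), f["sub"], f["kind"], f["detail"])
```

The thresholds (three times the caller’s own historical maximum, with a floor of ten) are illustrative; what matters is that the comparison is against each identity’s own baseline rather than a global rate, which is what lets a slow walk through object IDs stand out while a busy legitimate integration does not.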

APIs have fast become one of the largest attack vectors in businesses, and there is still a lot to do to ensure that API security strategies cover all the bases. By making zero trust more granular, and applying it across every element of the API ecosystem, enterprises stand a better chance of avoiding an attack and keeping their brands out of the cybersecurity news cycle.

Ali Cameron is a content marketer specializing in cybersecurity and B2B SaaS.


Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.