In order to provide organizations greater control and security for their digital footprints, Google LLC’s cloud division today announced a preview of Advanced API Security built on Apigee, the company’s application programming interface management platform.
Using this new product, organizations can more easily detect and fix API misconfigurations and thwart malicious bots.
More and more organizations are relying on data flowing between end-users and servers in order to power digital experiences and apps. Industries such as healthcare and financial services also increasingly use APIs to share data between businesses and customers, making them more vulnerable to potential cyberattacks.
“As APIs are becoming more intertwined with business practices, API security is really becoming the battleground for decreasing application and business risks,” said Frank Weigel, vice president of Google Cloud’s business application platform. “We really see it as a core sign of digital transformation and security going forward.”
As businesses scale their capabilities and add functionality to their platforms they often pile on more numerous APIs, explained Weigel. He said that this is one of the most cited causes of security issues because it also creates a larger “attack surface” for malicious parties and opens up more opportunities for misconfigurations to crop up.
It’s also very difficult to keep up with manual updates with securities policies for a large number of APIs at scale, Weigel added.
According to a report released by the Identity Theft Resource Center, 2021 was a big year for data breaches, up more than 68% over 2020. Data breaches led to the leaks of databases filled with usernames, passwords, emails and sometimes addresses or other sensitive user information. The APIs of healthcare and financial apps can have more serious exposure by revealing medical or banking information.
In order to address the challenges of security problems, Apigee’s Advanced API Security product has two parts that give information technology teams a chance to get ahead of the curve and take mitigation actions before they become a problem.
The first is an API scanner that checks the current API configurations that don’t conform to security standards and allow the team to adhere to best practices quickly. By running the API through the checkup process, the product supplies a “score” to the API to show how critical its potential misconfiguration is and the team can look at its components for recommendations on what policies need to be in place to bring it into compliance.
Keeping APIs configured properly is of tantamount importance for healthcare applications because they must comply with privacy regulations and often store sensitive medical information. In the medical industry, digital record portability is a common reason for the use of APIs, especially among clinics, hospitals and professionals, and a misconfigured API could lead to a user having private information revealed to unauthorized parties.
The second part of the new product can detect malicious bots by examining API traffic, comparing it to pre-configured rules garnered from historical Apigee usage. That gives Apigee users an early warning system when malicious bots are probing their APIs and looking for a way to exploit their system in an attempt to break the authentication or scrape information.
Bots are particularly common in the financial services sector thanks to the high-value data being processed. Even if bots are unable to break into a secured and well-built API, they can still slow down the interface with their probing. So having an early detection system for malicious attempts that can properly identify and block them — and let good traffic through — can provide a smoother experience for customers.
Weigel said that as more businesses shift to digital experiences, it’s their responsibility to handle security issues, especially APIs, and that Google will continue to invest in cloud API security tools to tackle those problems.
“We know that API usage and traffic volumes will continue to grow and sadly so will security breaches and, of course, the attempts to breach,” Weigel said.
He added that the Apigee team will focus on its own security processes to address the most common “pain points” in the industry right now, mitigating misconfigured APIs and malicious bots, with more features planned in the future.