Not all organizations have an API security strategy in place. Adopting a Zero Trust model for API security is a way to protect APIs and reduce the likelihood of them being attacked.

APIs are a critical link in technological interactions, enabling not only connections between modern applications but also a way to work with legacy infrastructure. However, this connective fabric is a prime target for attacks. Content delivery network provider Akamai reported a 167% increase in web application attacks between 2021 and 2022, and Gartner predicted that APIs will become the primary attack vector for web applications by 2023.

One way to mitigate API attacks is to implement Zero Trust to secure APIs. TheZero Trust modelassumes that users and devices are untrusted by default. Continuous authentication and authorization then verify whether a device or user remains trustworthy. Even in such cases, only minimal access is granted for a limited period of time.

Here are four ways to use the Zero Trust strategy to maintain API security.

1. API Security: Inventory, Assessment, and Remediation of APIs

 Zero Trust requires an understanding of the existing attack surface. Therefore, the first step in securing APIs is to discover and inventory all APIs in use, assess them for continued use as well as for potential risks and vulnerabilities, and address any identified issues, if necessary.

API discovery tools help identify and assess all APIs within the IT infrastructure, whether they are publicly accessible, internal, or connected to legacy applications. These tools can also identify functional APIs connected to applications that have been decommissioned.

After completing the discovery and inventory phases, determine whether the relevant APIs should continue to be used, assess their security posture, and decide how to secure them going forward. Next, patch any vulnerable APIs or disable those that are no longer needed.

2. API Security: Assessing API Data Access and Enforcing Policies

Once the inventory has been compiled, document and manage the data that APIs have access to. Use tools such as cloud-based database management software to gain insight into the data that APIs are currently accessing. Reassign or restrict API access rights as needed through access control mechanisms within the database.

Create and apply Zero Trust policies for APIs. For example, use data security policies to control access to data. In a policy, specify which users and roles can access different types of data, when they can access it, and where they can access it. Use this information to ensure that only active and secure APIs access the data they are authorized to access within the infrastructure.

In addition, consider investigating further the data accessed by the disabled APIs, or deleting them to mitigate risks.

3. API Authentication and Authorization

Authentication and authorization are key principles for implementing the Zero Trust model.

Consider how users and devices can interact with APIs. Treat each API as a resource and require users and devices to authenticate and be authorized before granting access.

API access should utilize granular Zero Trust access policies, such as the principle of least privilege. To authenticate API traffic, implement standards such as OpenID and OAuth 2.0. Additional authentication methods to consider include API keys, HTTP authentication, and JSON Web Tokens. The best API authentication method varies depending on the specific API and its use cases. For example, API keys are often used for simpler API requests and are not as secure as OAuth or JSON Web Tokens.

4. API Rate Limiting

Implement API rate limiting to help prevent attacks against APIs, such as distributed denial-of-service (DDoS) attacks. Malicious attackers use DDoS attacks to overwhelm API services with an overload of API calls. More sophisticated DDoS attacks use bots to make API calls that are more CPU- or memory-intensive in order to degrade services.

More specifically, brute-force rate limiting restricts the number of API calls per minute or per hour using a predefined upper limit—anything exceeding this limit is automatically rejected. A more sophisticated form of rate limiting restricts API calls based on the day, time, geolocation, or frequency of use.

For additional API protection, implement other API security best practices, such as encrypting requests and responses, registering APIs in an API registry, and securing API keys.