Risky Identities: APIdentities

November 11, 2021
by Paul Roberts

Attacks on APIs are on the rise. Organizations need to worry about the risk posed by API-linked identities within their environments.

In our previous Risky Identities posts, we have talked about the threats posed to your organization by some of the “usual suspects,” namely: orphaned accounts and accounts linked to third parties and contractors. But there’s still another type of risky identity you need to worry about – and it’s one that is proliferating within corporate environments thanks to digital transformation initiatives: identities linked to Application Program Interfaces, or APIs.

API risk is growing

You have probably heard- or read something about cyber risk and APIs. They’re a popular topic. After all, APIs are critical elements that enable everything from mobile applications to cloud based applications to smart Internet of Things ecosystems. Their increasing use both shifts and expands the attack surface for organizations. According to Gartner, by this year the vast majority (90%) of web-enabled applications will have more surface area for attack from exposed APIs rather than from user interface (UI) elements – the traditional focus of web application attackers. That’s one of the reasons that OWASP has supplemented its “Top 10 List” of Web application vulnerabilities with a Top 10 List of API related risks

Many of those API risks are similar to the kinds of risks that web applications pose. They include injection flaws like SQL injection and command injection. One of the biggest, but least talked-about risks posed to organizations by APIs is a failure to properly limit access to data, or to surreptitiously allow low-privilege users to elevate their privileges by way of an API. If not tracked closely, API-linked accounts can be abused by malicious actors to siphon vast quantities of data from your environment, or give access to malicious actors. 

Red flags in healthcare, finance

A recent example of this comes via work done by researcher Alissa Knight on APIs linked to fast healthcare interoperability resources (FHIR). As part of her research, Knight analyzed three production FHIR APIs that serve an ecosystem of 48 apps and aggregated electronic health record (EHR) data from 25,000 providers and payers. She found that 100% of FHIR APIs tested allowed API access to other patient’s health data using one patient’s credentials. In fact, a single patient login account provided access to 4 million patient and clinician records. 

And healthcare is not the only sector feeling the pinch of API attacks. A report by security firm F5 found that API attacks are concentrated in the financial services sector, where around 6% of cyber incidents identified by F5 between 2018 and 2020 involved attacks on APIs. And the pace of those attacks is increasing. In fact, more than half of the reported API security incidents happened in 2020 alone, F5 reported. 

These attacks often stem from flaws in the design of the API itself. For example, so-called “broken function level authorization” happens when APIs allow low-privileged users to access administrative level functions within the API without first authenticating. Often, these attacks can be carried out simply by understanding the function of the API and, say, manipulating URLs to access hidden administrative features. 

Lack of entitlements monitoring

In other cases, breaches happen because organizations fail to adequately monitor access to data that is requested by APIs or to enforce best practices for application developers and other third parties (e.g. data aggregators)  that consume that data. For example, Knight’s study of FHIR APIs found that half of clinical data aggregators did not implement database segmentation. That allowed anyone with API-based access to a database via one application to access patient records linked to other applications developed for other providers. Such lax security can result in damaging breaches that affect your customers, staff and reputation. 

The ability of your organization to enforce best practices on third parties and downstream partners is limited. What you can do, however, is to make sure your own house is in order by limiting the reach of APIs used within your organization and closely monitoring any identities linked to those APIs. For example, service accounts linked to APIs should have limited access to data. Any permissions associated with these accounts should track closely to the desired function of the API. Furthermore, your organization should avoid placing accounts linked to APIs in highly privileged groups like the local Administrators or the Domain Admins group. Additionally, accounts linked to APIs should be periodically flagged and reviewed to make sure both that the API is still needed and that the level of access accorded to the API-linked accounts is still justified. 

Automation is the key

As digital transformation initiatives pick up their pace, API use and reliance is exploding within organizations. Given the complexity and scale of these integrations, the only way to manage their risk is for organizations to identify the API integrations onboarded into their IT environment  and then automate access reviews for the accounts and entitlements provided to the API integrations. 

That’s where Zilla comes in. Zilla’s technology allows companies to get visibility into the API integrations in use and review the permissions that API-based integrations have to cloud services. The platform’s automated collectors can gather account and permission data from both cloud services and on-premises systems. Workflow automation makes it easy for both user and API access to be reviewed, reducing the burden on your IT compliance teams.

If your firm is trying to assess the risk posed by API-integrations within your environment, or if you’re delivering next generation services and you’d like to learn more about how automation can help manage entitlements and keep you on the right side of state, federal and international data security regulations, contact Zilla!

Got Questions? Talk to Zilla! 

Zilla Security’s mission is to help organizations answer these questions, and streamline the process of managing entitlements for cloud-based infrastructure. Our solution delivers comprehensive visibility into permissions across SaaS, IaaS, PaaS, internally developed applications, and on-premises systems. We offer a broad suite of built-in integrations that can connect with any deployed service to monitor permissions and access settings. Automation eliminates manual and repetitive work and makes it easy for IT security staff, application owners or business managers to make the access decisions with confidence. 

If you want to learn more about how Zilla helps organizations stay on top of their third party and external identity risk, contact us!