For attackers, Sun Tzu’s “The Art of War” has guidance on war strategy. For starters, “All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
Another is: “In war, the way is to avoid what is strong and to strike at what is weak.” What if one is not an attacker, but is on the gentler side of things? Merriam-Webster’s dictionary says a strategy is “a careful plan or method.” The Cambridge dictionary says it’s “a detailed plan for achieving success in situations such as…business, industry…or the skill of planning for such situations.” Harvard Business Review says that strategy is not the same as operational effectiveness but is “about being different. It means deliberately choosing a different set of activities to deliver a unique mix of value.”
The value of strategy
Having a strategy is essential for several reasons, regardless of the area to which it is applied. Here are several key reasons for having any kind of strategy:
- Direction, Purpose, and Alignment: A strategy defines one’s long-term goals and objectives, helping stay focused on what you want to achieve. A well-defined strategy also ensures that all members of an organisation or team are on the same page. It aligns everyone’s efforts towards common objectives to improve overall efficiency and productivity.
- Resource Allocation: Strategy helps in effectively allocating resources. It ensures that resources are used efficiently and productively to achieve the desired outcomes.
- Risk Management: A strategy includes a plan for mitigating the risks and challenges that could arise. By considering potential obstacles, one can reduce the likelihood and impact of negative outcomes.
- Competitive Advantage: In business and other competitive environments, a strategy can provide a competitive advantage. It helps organisations differentiate themselves from competitors and find unique ways to meet customer needs.
- Adaptation to Change: Strategies are not static; they evolve over time. Having a strategy allows for flexibility and adaptability in the face of changing circumstances, whether in response to market shifts, technological advances, or unforeseen events.
- Measurement and Accountability: Strategies often include KPIs (key performance indicators), which provide a basis for measuring progress and holding individuals or teams accountable for their contributions to the strategy’s success.
- Effective Decision-Making: A strategy serves as a framework for decision-making. When you encounter choices or challenges, you can refer to your strategy to make informed decisions that are in line with your long-term goals.
Applying these concepts to information security and cyber security in general, we can easily see that having a strategy is a) nothing novel and b) applicable to all. Just fill in the blank for: Strategy for ______________ (e.g., business, family, sports, non-profit) and you’ll see that it crosses all fields and borders.
Filter down further for Security, then API security, and that’s where we are now.
The security strategy is derived from mission and vision of org; and since innumerable businesses use APIs, those orgs need to include APIs in their strategy.
Let’s open the box (not Pandora’s box, I hope!), and look even closer.
The gears of API security strategies
An API (Application Programming Interface) security strategy is a plan or set of measures designed to protect the integrity, confidentiality and availability of APIs in an organisation. APIs are essential for enabling communication between software systems, but they also represent potential security risks if not adequately protected. A robust API security strategy aims to mitigate these risks and ensure the secure operation of APIs.
Here are several key components of an API security strategy:
- Authentication and Authorisation: Ensuring that only authorised users or systems can access your APIs is fundamental. And once a user or system is authenticated, it’s essential to define and enforce proper access controls and permissions. This ensures that they can only access the resources or perform actions they are authorised to.
- Encryption and API key management: Data transmitted over APIs should be encrypted to prevent eavesdropping and data breaches. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) should be used to secure API communications. If you’re using API keys for authentication, it’s crucial to manage them securely. This includes rotating keys, restricting their usage, and monitoring their usage for suspicious activity.
- Rate limiting: Implementing rate limiting can protect APIs from abuse or overuse. By restricting the number of requests a client can make within a specific time frame, one can prevent denial of service attacks and API abuse.
- Data validation and input validation: Ensuring that data sent to the API is properly validated can help prevent common security vulnerabilities, such as injection attacks.
- Monitoring, logging, and alerting: Implementing comprehensive logging, monitoring, and alerting for your APIs is essential for detecting and responding to security incidents. Monitor for abnormal activity such as anomalous traffic patterns or unauthorised access attempts.
- API versioning: Managing API versions can help ensure that changes and updates do not break existing client applications or introduce security vulnerabilities. Well-defined versioning strategies are important for API stability.
- Security testing: Regularly testing your APIs for security vulnerabilities, such as through penetration testing and vulnerability scanning, can help identify and address weaknesses before they are exploited.
- Security awareness and training: Educating your development and operations teams about best practices for API security is essential. Ensuring that your staff is aware of potential risks and how to mitigate them is a key component of your strategy.
- Incident response plan: Have a well-defined plan in place for responding to security incidents related to your APIs. This includes steps for investigation, mitigation, communication, and recovery.
It’s not a place, it’s a journey
Back to Sun Tzu’s lessons on strategies, it’s important to understand how attackers think and what they do. A recent report shows that “unique attackers have grown by 400% within a six-month period. And yet, 30% of respondents still have no API security strategy in place.” Threat actors work smart against APIs – trying to deceive systems into thinking the attack is normal activity and scanning APIs to find the weak points and abuse those.
API security is not a single road trip from coast to coast but is an ongoing process. Robust API security strategies should be continuously reviewed, updated and improved to adapt to changing security landscape and business requirements.