By Robert Greenwood, Chief Product Officer
We are seeing more and more reports of companies suffering cyber attacks at the API layer. The latest is Optus, Australia’s second largest telecoms company, which has leaked customer data via an API with insufficient authentication and authorisation controls. The attacker has demonstrated that they hold real data and is demanding $1m not to publish it (https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142).
The OWASP API Security Top 10 shows that this is a common theme, but why does it keep happening? Teams implementing APIs without appropriate knowledge and training? Code accidentally released before the appropriate policies were implemented? The reality is that it could be any number of failings, and incidents like this demonstrate again that relying on a single layer of authentication and authorisation is flawed and will fail at some point.
At eXate we believe that to truly secure APIs you must create strength in depth: keys and tokens do get compromised, so what else can we do? Our APIgator product is built to add that extra layer of confidence. APIgator assesses many facets of an API call and, based on the claims presented, decides whether to allow or deny access to all or part of the data being delivered by the API. That extra layer only adds strength if the claims it checks are not all derived from the one credential that was stolen, which is why the call is assessed on several facets rather than on the token alone.
Even if access to an API is compromised, the data travelling through it is still protected and an alarm is raised, because the appropriate claims have not been supplied. The attacker may have broken in, but the data the API delivers remains secure.
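To make the idea concrete, here is an added example of a claims-based, field-level policy layer of the kind described above. It is illustrative code written for this post, not APIgator's implementation or any part of eXate's product: the record layout, the claim names (`scope`, `purpose`, `mfa`, `role`), the policy table and the sample data are all constructed assumptions. It shows the two properties the text relies on: a caller holding a valid token but lacking the expected claims gets sensitive fields masked or dropped rather than the whole record, and every mismatch produces an alert. Fields the policy does not know about are dropped (fail closed).

```python
"""Claims-based, field-level protection of API response data.

Added example for this post: a minimal policy layer that sits between an API
and its caller and decides, per field, whether data is returned in clear,
masked, or dropped, based on the claims presented with the call. Not
APIgator's code; field names, claim names and policy shape are assumptions.
"""
from __future__ import annotations

import logging
from dataclasses import dataclass
from typing import Any

log = logging.getLogger("data_policy")

# Actions the policy can take on an individual field.
ALLOW, MASK, DROP = "allow", "mask", "drop"


@dataclass(frozen=True)
class FieldRule:
    """Claims required for a field to be released in clear.

    required_claims maps a claim name to either True (claim must be exactly
    True) or a set of acceptable values (claim value, or any of its values if
    it is a list, must be in the set)."""
    required_claims: dict[str, Any]
    on_failure: str = MASK  # what to do when a required claim is missing/mismatched


# Hypothetical policy for a customer record. Identity documents need an
# explicit purpose claim and an MFA-backed session; basic contact data only
# needs the read scope the token carries; analyst notes need a role claim.
POLICY: dict[str, FieldRule] = {
    "name":            FieldRule({"scope": {"customer:read"}}),
    "email":           FieldRule({"scope": {"customer:read"}}),
    "date_of_birth":   FieldRule({"scope": {"customer:read"}, "purpose": {"kyc", "fraud"}}),
    "passport_number": FieldRule({"scope": {"customer:read"}, "purpose": {"kyc"}, "mfa": True}),
    "licence_number":  FieldRule({"scope": {"customer:read"}, "purpose": {"kyc"}, "mfa": True}),
    "internal_notes":  FieldRule({"role": {"fraud_analyst"}}, on_failure=DROP),
}


def claim_satisfied(claims: dict[str, Any], name: str, required: Any) -> bool:
    """True if the caller's claims meet one requirement; a missing claim never does."""
    value = claims.get(name)
    if value is None:
        return False
    if required is True:
        return value is True
    if isinstance(value, (list, tuple, set)):
        return bool(set(value) & required)
    return value in required


def mask(value: Any) -> str:
    """Deterministic partial mask: keep the last two characters for correlation."""
    s = str(value)
    return "*" * (len(s) - 2) + s[-2:] if len(s) > 2 else "*" * len(s)


def protect(record: dict[str, Any], claims: dict[str, Any],
            policy: dict[str, FieldRule] = POLICY) -> tuple[dict[str, Any], list[str]]:
    """Apply the policy to one record. Returns (protected_record, alerts).

    Fields with no rule are dropped, so a new column added to the backend
    never leaks by default. Every mask/drop decision is recorded as an alert
    string and logged, so a token that suddenly lacks its usual claims is
    visible to the SOC rather than silently degraded."""
    out: dict[str, Any] = {}
    alerts: list[str] = []
    for name, value in record.items():
        rule = policy.get(name)
        if rule is None:
            alerts.append(f"drop:{name}:no_rule")
            continue
        missing = [c for c, req in rule.required_claims.items()
                   if not claim_satisfied(claims, c, req)]
        if not missing:
            out[name] = value
            continue
        alerts.append(f"{rule.on_failure}:{name}:missing={','.join(missing)}")
        if rule.on_failure == MASK:
            out[name] = mask(value)
    for alert in alerts:
        log.warning("subject=%s %s", claims.get("sub", "?"), alert)
    return out, alerts


# Constructed sample data (not real people, not real identifiers).
CUSTOMER = {
    "name": "Jane Citizen",
    "email": "jane@example.com",
    "date_of_birth": "1988-02-14",
    "passport_number": "PA1234567",
    "licence_number": "DL9876543",
    "internal_notes": "flagged for review",
    "loyalty_tier": "gold",  # no rule in POLICY: dropped, fail closed
}
KYC_ANALYST = {"sub": "alice", "scope": ["customer:read"], "purpose": "kyc",
               "mfa": True, "role": "fraud_analyst"}
# A valid, correctly signed token that has been stolen and replayed: the read
# scope is present, but the purpose, MFA and role claims a real workflow carries are not.
STOLEN_TOKEN = {"sub": "svc-export", "scope": ["customer:read"]}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for label, claims in (("kyc analyst", KYC_ANALYST), ("stolen token", STOLEN_TOKEN)):
        data, alerts = protect(CUSTOMER, claims)
        print(label, data, alerts)
```

Run as a script, the stolen-token call returns name and email in clear, the three identity fields masked, and the notes dropped, with one alert per decision; the analyst call returns everything the policy covers in clear. The point is that the attacker in the stolen-token case did "break in" (the token is valid), yet the sensitive data never leaves the API, and the alerts give the operations team a signal that authentication alone would not.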
Create strength in depth for your API programme by protecting your data in real time, not just the API.
Request a Demo
Schedule a demo with one of our product experts today to learn about APIgator and how eXate automates and applies privacy and security to sensitive data in the right place and in the right form.