Inserting API Access Security into the NIST Cybersecurity Framework 2.0 Conversation
The National Institute of Standards and Technology (NIST) recently released version 2.0 of its Cybersecurity Framework (CSF). This version, the first update in ten years, marks a significant milestone in the growing influence of this cybersecurity guidance document in the United States. Initially created only for organizations that support critical infrastructure, such as those in the defense, energy and emergency service sectors, version 2.0 of the framework expands its scope to all organizations. It acknowledges that cybersecurity risks are now a pervasive reality for all of us, regardless of the industries we serve, and that the effects of these risks are growing in reach, severity and impact.
The CSF updates respond to the substantial changes the technology landscape has undergone in the last decade. Today, most network environments are highly complex, depend on multiple cloud services, and are usually spread geographically across multiple data centers and office locations. Additionally, application architecture has shifted dramatically toward a growing number of distributed microservices.
Applications and Microservices Join the Frontlines of Defense
This change in application architecture has been the driving force behind Curity’s mission; in fact, it lies at the root of why we founded the company. In recent years, as applications and microservices proliferated across networks to handle key business operations and deliver greater functionality, we recognized that they had become a new frontline in the cyber defense battle. The expanding number of applications and microservices introduces additional layers of complex cybersecurity risk. In particular, we identified emerging gaps at the intersection of Identity and Access Management (IAM) and API integration points – gaps that must be addressed specifically and intentionally.
As we work to develop effective IAM solutions that mitigate API access risks, it’s edifying to see organizations like NIST providing valuable guidance on access management. The NIST Cybersecurity Framework, as well as the NIST special publications outlining related controls, have always included helpful insights into access control best practices, and version 2.0 now expands the scope of this guidance beyond critical infrastructure to all organizations. It underscores the necessity of the work we’ve been doing and helps amplify awareness of the access security problems we’re addressing.
However, the Cybersecurity Framework, particularly the core section of the CSF, doesn’t include specific guidance on API access security. While this is understandable given that the CSF is intended to be universally applicable, it presents an opportunity for our industry to share more information about the importance of API access security. It requires us to raise awareness of how overlooking security at application integration points can undermine the cybersecurity readiness an organization needs to stand up to today’s digital threats.
API Access is a Critical Part of the Security Discussion
The CSF includes the category “PR.AA Identity Management, Authentication, and Access Control” under the “Protect” function of its guidelines. The definition of this category specifies that “access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.” Under this category are six subcategories that provide more detail on the desired outcomes related to protecting access to systems and services, including user authentication and proofing credentials.
Knowledgeable practitioners understand that API access security falls within the scope of these recommendations. However, not mentioning API access security specifically in the core section of the CSF is a missed opportunity to help address two crucial problems facing cybersecurity defenders:
1. Lack of Awareness Around API Vulnerabilities
Applications and microservices are not always sourced by people who understand the importance of API security. They enter the organization in a variety of ways, from in-house development and purchases from third-party providers to shadow IT that employees deploy unnoticed, without permission from the technology team. With so many ingress points, it can be difficult to ensure everyone understands the risks associated with API integrations, and this environment can also make it impossible to enforce security controls consistently. Including API security considerations in cybersecurity guidance like the NIST CSF would go a long way toward supporting IT and developer teams as they raise awareness in their organizations and secure a growing number of diverse and distributed integration points.
2. Inadequate API Access Security Can Undermine Other Security Controls
API access security can be a defining factor in an organization’s overall cybersecurity posture. API integration points introduce risks that can render all other security controls less effective. If an attacker or malware is able to infiltrate an organization’s network through a loophole in API access, least privilege access, network segmentation, early detection and thorough response plans can help, but the organization can still suffer staggering damage. Including API access security in the list of recommended outcomes and tactics in official documentation would help elevate this topic to its rightful place in the overall security conversation.
Recognizing the Shift in Application Architecture
As NIST continues to evolve its invaluable and much-needed cybersecurity guidance to keep pace with dynamic technology and the changing threat landscape, application and microservice security will need to be an increasing part of the ongoing conversation.
We will continue to see exponential growth in applications and microservices as we ask for more sophistication from our technology and our digital world. This ongoing fragmentation creates more and more opportunities for exploitable vulnerabilities in the integration points and spaces between solutions. It will force us all to deepen the conversation as we focus on the details that emerge from new application architecture developments and trends.