It should come as no surprise to anyone that a major breach occurred at OPM and took many months to detect. For far too long the cybersecurity industry has focused on trying to understand a network through heuristics and analytics, without the capability to enforce what the systems in the network are actually meant to do and what information they are meant to receive and send. Literally billions of dollars are spent each year on cybersecurity initiatives that attempt to wrap networks in a layer of detection software that is supposed to detect anomalies and threats. What is missed is that these systems have no visibility into the business logic and often cannot even see the underlying encrypted information in its full request/response payload context. The result is guesswork at best.
The breakdown in capability stems from a long-standing divergence between the cybersecurity community and the enterprise architecture community. One side handles the business logic, the other side handles the security. The problem is that technology has evolved, and networks can no longer be secured using passive IDS heuristics with monitoring and alerting. That approach is insufficient and fails to bring forward two of the most important technology capabilities, both of which should reside within the cybersecurity architecture tier: Information Assurance and Identity.
Information Assurance covers the broader spectrum of data security capabilities, such as digital signatures for integrity, encryption for privacy, and data validation for conformance. These security capabilities are necessary for modern-day cybersecurity intrusion prevention and data leakage protection. They require deeper contextual parsing and analysis of the information flows, and an architecture built around an intermediary that provides policy abstraction and centralized processing and enforcement.
Identity is essential to understanding who the consumers of information are, what information they are allowed to access, what data is being sent in, and what data is being returned. Identity is often looked upon as merely Identity Management and Federation, or the means of establishing a trusted user. However, it is not sufficient to consider a user trusted based on identity alone; it is also necessary to validate trusted behavior. Trusted behavior is the expectation that users, devices, and systems are communicating within the expected boundaries of information assurance. It is an architecture design flaw to consider a user trusted without also being able to monitor and validate trusted behavior. An approach that does not combine identity with data security will always fall short of detecting such breaches. We have come to a point in the evolution of computing technology where identity and data security must be combined at the same tier – the information borders, or the communication points of services and applications, commonly referred to as the APIs.
API security is the technology space devoted to converging cybersecurity with enterprise architecture. The term designates the ability to define informational boundaries and converge the functions of privacy, integrity, trust, and identity in one technology capability. API security is accomplished through a gateway design principle that enables a zero trust model of system intercommunication, as well as protecting information and services against outside exposure and vulnerability. API security is bi-directional, which gives it substantially more context for detecting threats and behavior abnormalities, as well as the ability to control and shut off these data flows when they are determined to be under attack.
API security leverages concepts of attribute-based access control by combining identity attributes with payload attributes and protocol attributes. Combining these attributes with information assurance concepts such as threat, trust, and privacy brings full context to the request/response transaction streams, enabling clean integration and business communications while maintaining a modern architecture for data protection and threat mitigation.
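A minimal sketch of the bi-directional, attribute-based decision described above, added here as an illustration and not taken from the original article or any product. The policy layout, role name, field names, and sample transactions are all constructed assumptions.

```python
# Added illustration: default-deny ABAC check at an API gateway, applied to both
# the request and the response. Policy layout and names are assumptions.
POLICY = {
    ("GET", "/records"): {
        "roles": {"hr_analyst"},                              # identity attribute
        "require_tls": True,                                  # protocol attribute
        "request_fields": {"employee_id"},                    # inbound payload
        "response_fields": {"employee_id", "name", "grade"},  # outbound payload
        "max_records": 50,                                    # leakage bound
    }
}

def check_request(identity, protocol, payload):
    """Return (allowed, reason) for an inbound call."""
    rule = POLICY.get((protocol["method"], protocol["path"]))
    if rule is None:
        return False, "no policy for endpoint"
    if not identity.get("authenticated"):
        return False, "unauthenticated"
    if identity.get("role") not in rule["roles"]:
        return False, "role not permitted"
    if rule["require_tls"] and not protocol.get("tls"):
        return False, "plaintext transport"
    extra = set(payload) - rule["request_fields"]
    if extra:
        return False, "unexpected request fields: " + ",".join(sorted(extra))
    return True, "ok"

def check_response(protocol, records):
    """Return (allowed, reason) for the data about to leave the service."""
    rule = POLICY.get((protocol["method"], protocol["path"]))
    if rule is None:
        return False, "no policy for endpoint"
    if len(records) > rule["max_records"]:
        return False, "response exceeds record limit"
    for rec in records:
        extra = set(rec) - rule["response_fields"]
        if extra:
            return False, "unexpected response fields: " + ",".join(sorted(extra))
    return True, "ok"

# Constructed sample transaction: a valid, authorized caller.
USER = {"authenticated": True, "role": "hr_analyst"}
CALL = {"method": "GET", "path": "/records", "tls": True}

if __name__ == "__main__":
    print(check_request(USER, CALL, {"employee_id": "1001"}))
    print(check_response(CALL, [{"employee_id": "1001", "name": "A", "grade": "7"}]))
    print(check_response(CALL, [{"employee_id": "1001", "ssn": "000-00-0000"}]))
```

The third call shows the point made about trusted behavior: the caller's identity passes every request check, yet the response is refused because it carries a field outside the declared boundary.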
It is time that the cybersecurity industry embrace the concepts of API security principles. The stakes are getting quite high.