Understanding the Zero Trust API Security Model

August 29, 2023 | by Jonathan Care

Zero Trust API Security

In the realm of cybersecurity, the Zero Trust model has emerged as a potent strategy to counteract the ever-evolving landscape of threats. The model’s core principle is simple: “Never trust, always verify.” This concept is particularly relevant when applied to API (Application Programming Interface) security, where the stakes are high due to the sensitive nature of data being exchanged.

What is Zero Trust?

The Zero Trust model is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters. Instead, they must verify anything and everything trying to connect to their systems before granting access.

This approach is a departure from traditional security models, which operated on the assumption that everything inside an organization’s network was safe. However, with the rise of remote work, cloud computing, and mobile devices, the traditional perimeter-based security model has become obsolete.

Zero Trust and API Security

APIs are the backbone of modern application architecture. They allow different software applications to communicate and share data, making them a critical component of digital transformation strategies. APIs also present a significant security risk if not properly secured, however, as they can provide a potential entry point for malicious actors.

The Zero Trust model is especially relevant for API security. APIs often handle sensitive data, and the consequences of a breach can be severe. By applying the Zero Trust model, every API request is authenticated, authorized, and validated before any action is taken.

On the hunt for the Rogue API

It’s equally important to discover and manage rogue APIs. These are APIs that have been developed and deployed without proper oversight from the IT or security team. They can be a significant security risk as they often do not adhere to the organization’s security policies and can provide a backdoor for attackers.

To discover rogue APIs, organizations can use automated discovery tools that scan the network for API traffic. These tools are able to identify APIs that are not listed in the organization’s directory and flag them for further investigation.

Once a rogue API is discovered, it should be evaluated to determine if it can be brought into compliance with the organization’s security policies; if it can’t, it should be decommissioned. In either case, the existence of rogue APIs should trigger a review of the organization’s API development and deployment practices to prevent similar occurrences in the future.

Implementing Zero Trust in API Security

  1. Authentication
    Every API call should be authenticated to verify the identity of the caller. This is typically done using API keys or tokens. OAuth 2.0 and OpenID Connect (OIDC) are commonly used protocols for API authentication.
  2. Authorization
    Once the caller’s identity is verified, the next step is to check if they have the necessary permissions to perform the requested action. This is where Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) comes into play.
  3. Validation
    Even after authentication and authorization, every API request should be validated. This includes checking the request against schemas such as an Open API specification for the expected data format, validating the data against business rules, and scanning for any malicious content.
  4. Encryption
    Data should be encrypted both in transit and at rest. HTTPS should be used for all API calls, and sensitive data stored should be encrypted using strong encryption methods.
  5. Regular Audits and Discovery of Rogue APIs
    Regular audits of API activity can help detect any unusual or suspicious behavior. This includes logging all API calls and monitoring for any anomalies, which might include unexpected spikes in traffic, unusual patterns of access, or the use of deprecated API versions. By implementing regular audits and proactive discovery of rogue APIs, organizations can ensure they have a comprehensive view of their API landscape. This visibility is crucial for maintaining a secure API environment and implementing a Zero Trust model.
  6. API Gateway
    An API Gateway can act as a single-entry point for all API calls, providing a layer of security. It can handle authentication, rate limiting, and other security measures, providing a buffer between your API and the outside world. An API gateway serves as a compliment rather than a replacement for API security, ensuring there are layers of security enacted to protect your organization’s APIs.

Final thought – Discover. Comply. Protect.

The Zero Trust model offers a robust framework for securing APIs. Implementing Zero Trust requires a shift in mindset to implement the necessary changes but the benefits of a Zero Trust approach to API security are clear: improved security, greater control over data access, and a more robust defence against the ever-evolving landscape of cyber threats.

The modern approach to API security requires three fundamental capabilities. Firstly, to discover APIs that are in use, including both officially sanctioned and unofficial APIs created to solve a DevOps tactical problem. Secondly, to ensure compliance with organizational policy and relevant regulatory requirements. Finally, an effective API security toolset must protect the organization against API misuse and subsequent mishandling of sensitive data.

Get an Attacker’s View into Your Organization

Free API Security Assessment

About the Author

Jonathan Care is a recognised expert in the field of Cybersecurity & Fraud Detection. A former top-rated Gartner analyst, Care was responsible for defining the Fraud market, and leading Gartner’s Insider Threat and Risk research. He regularly advises cybersecurity industry leaders on strategic growth and has worked with key figures in industry and government across the globe. He is a lead contributor for Dark Reading, an industry-defining publication.Care has testified in court as an expert witness and forensic investigator and is a Fellow of the British Computer Society. He also fuels his creative passion as a composer of film/TV music.

Social media: @jonathanhcare & https://linkedin.com/in/computercrime

Jonathan Care


Jonathan Care

Cybersecurity Advisor, Lionfish Tech Advisors

Additional Resources