Vorlon’s Perspective on the Gartner Report: Adapt Your Third-Party API Security to 3 Specific Use Cases
Two days after I joined Vorlon Security as their VP of Marketing, Gartner included Vorlon as a representative vendor in their report: Adapt Your Third-Party API Security to 3 Specific Use Cases. That’s a nice gift for a new VP of Marketing because third-party API security use cases are less understood than first-party ones. For the latter (the APIs you publish), we recommend Salt Security.
APIs—particularly third-party APIs—are often involved in data breaches, which can be far more damaging than traditional attack vectors. The Gartner report outlines how third-party APIs introduce unique and complex security challenges requiring a distinct risk management approach.
Gartner Market Guide for API Protection identified emerging capabilities
Earlier this year, Gartner published its Market Guide for API Protection, pointing to emerging capabilities in the API protection space, including API security governance and monitoring sensitive data flows. Vorlon Security is delivering these advanced capabilities today, and it was good to see Gartner expand on the need for these capabilities in its newest report.
What is API security governance?
API security governance means security teams can define and enforce security policies across their API ecosystem. This top-down enforcement ensures that APIs comply with organizational security policies and regulatory requirements.
Third-party API security governance gets tricky because point-in-time snapshots are of limited value; continuous monitoring is required instead. Third-party APIs change with each new version, and each change can increase data exposure, cause regulatory violations, or break with company policy. Third parties may not even realize they are violating their obligations or causing privacy violations. Regulators are catching on and are increasingly asking for evidence of continuous monitoring.
What is monitoring third-party sensitive data flows?
Monitoring and managing sensitive data flows is essential for third-party API integrations, where data is frequently transferred to external vendors. Sensitive data in motion, such as personally identifiable information (PII), should be protected and monitored to prevent data leakage and unauthorized access or exfiltration.
Gartner Report: Adapt Your Third-Party API Security to 3 Specific Use Cases
Gartner’s newest report highlights three primary use cases for securing third-party APIs:
- Outbound data flows
- Inbound data consumption
- SaaS-to-SaaS API interconnections
Use Case 1 – Outbound Data Flows: Safeguarding Sensitive Information
The first use case Gartner discusses is securing outbound data flows to third-party APIs, such as those used in payment processing or customer information sharing. This scenario poses significant risks, as threat actors could exfiltrate sensitive data if these connections are not secured.
According to the OWASP Top 10 for API Security, number 9 on Improper Inventory Management creates "data flow blindspots" that hinder incident response. OWASP emphasizes that maintaining a thorough inventory of sensitive data flows is crucial for effective incident response, especially if a breach occurs on the third-party side.
A "data flow blindspot" is present if:
- There is an unmonitored flow of sensitive data shared with a third party,
- There is no business justification or approval for the flow,
- There is no inventory or visibility of the flow,
- There is no detailed view of what sensitive data is being shared.
Without proper inventory and visibility into these data flows, organizations leave themselves exposed to data breaches, compliance violations, and regulatory penalties.
– OWASP Top 10 for API Security – number 9: Improper Inventory Management
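The four blindspot conditions above can be turned into a reconciliation check: compare the outbound flows an egress proxy actually observes against the approved inventory, and report every destination that is unknown, unmonitored, unjustified, or sending data classes nobody approved. The following Python is an added illustration, not Vorlon's or OWASP's code; the inventory, the observed flows and the data-class labels are constructed sample data.

```python
"""Added example (not Vorlon's or OWASP's code): detect "data flow blindspots"
by reconciling observed outbound API flows against an approved inventory.
The inventory, the observed flows and the data-class labels are constructed."""

# Constructed inventory of approved outbound flows, keyed by third-party host.
# 'owner' is the business justification/approver, 'data_classes' is what may
# leave, and 'monitored' records whether the flow is under monitoring.
APPROVED_FLOWS = {
    "api.payments.example": {"owner": "finance",
                             "data_classes": {"card_token", "amount"},
                             "monitored": True},
    "crm.vendor.example": {"owner": "sales",
                           "data_classes": {"email", "name"},
                           "monitored": True},
    "analytics.vendor.example": {"owner": "",          # nobody signed off
                                 "data_classes": set(),  # no detail recorded
                                 "monitored": False},
}

# Constructed sample of observed outbound requests, as an egress proxy or
# DLP sensor might record them after classifying the payload.
OBSERVED_FLOWS = [
    {"src": "10.0.1.15", "dst": "api.payments.example",
     "data_classes": {"card_token", "amount"}},
    {"src": "10.0.1.22", "dst": "crm.vendor.example",
     "data_classes": {"email", "name", "ssn"}},
    {"src": "10.0.2.7", "dst": "analytics.vendor.example",
     "data_classes": {"email"}},
    {"src": "10.0.2.9", "dst": "unknown.saas.example",
     "data_classes": {"phone"}},
]


def assess_flow(flow, inventory):
    """Return the blindspot conditions from the checklist that apply to one flow."""
    findings = []
    entry = inventory.get(flow["dst"])
    if entry is None:
        # A destination nobody inventoried fails every condition at once.
        return ["no_inventory", "unmonitored", "no_justification", "no_data_detail"]
    if not entry["monitored"]:
        findings.append("unmonitored")
    if not entry["owner"]:
        findings.append("no_justification")
    if not entry["data_classes"]:
        findings.append("no_data_detail")
    else:
        # Data classes seen leaving that were never approved for this party.
        extra = flow["data_classes"] - entry["data_classes"]
        if extra:
            findings.append("unapproved_data:" + ",".join(sorted(extra)))
    return findings


def find_blindspots(flows, inventory):
    """Map each third-party destination to its findings; clean destinations are omitted."""
    report = {}
    for flow in flows:
        findings = assess_flow(flow, inventory)
        if findings:
            report.setdefault(flow["dst"], set()).update(findings)
    return report


if __name__ == "__main__":
    for dst, findings in sorted(find_blindspots(OBSERVED_FLOWS, APPROVED_FLOWS).items()):
        print(f"{dst}: {', '.join(sorted(findings))}")
```

Run stand-alone it prints one line per problematic destination; the payments flow produces nothing because it is inventoried, owned, monitored, and sends only approved data classes. In practice the observed flows would come from egress logs and the inventory from whatever system holds the approvals, but the reconciliation logic is the same.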
To mitigate these risks, Gartner suggests:
- Data loss prevention (DLP) approaches to monitor outgoing data and detect any potential leaks.
- Transport security to ensure data is securely transmitted.
Vorlon Security’s Approach: Vorlon addresses this Gartner use case and OWASP’s recommendations by cataloging and monitoring every data transfer, ensuring each sensitive data flow is justified and secure. This inventory plays a crucial role in incident response, helping organizations swiftly identify and address data leaks if a breach occurs. We also help security teams apply the principle of least privilege (PoLP) to APIs, thus avoiding overly permissive data sharing.
Questions to consider for your organization:
- Do you have a complete inventory of all sensitive data flows to third-party APIs?
- Is there deep visibility into the types of sensitive data shared with each third-party API?
In the UI shot below, Vorlon has discovered internal IPs communicating with ServiceNow. To facilitate reporting and compliance, you can name those internal IPs.
Use Case 2 – Inbound Data Consumption: Blocking Malicious Payloads
The second use case involves inbound data from third-party APIs, such as customer or transaction data from SaaS providers. While this data can enhance business capabilities, it also opens the door to potentially harmful input. Gartner warns that malicious payloads from these APIs can endanger applications, users, or the hosting infrastructure.
To combat these threats, Gartner recommends:
- Input validation to verify data authenticity.
- Content inspection to detect and block malicious payloads.
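A minimal implementation of both recommendations on an inbound third-party payload (for instance a webhook delivering a customer record): verify authenticity with an HMAC over the raw body, validate the record against an explicit schema, and inspect free-text fields for content that should never arrive from a data API. This is an added example, not Vorlon's or Gartner's code; the shared secret, the schema, the field names and the two sample payloads are constructed assumptions.

```python
"""Added example (not Vorlon's or Gartner's code): authenticity check,
input validation and content inspection for an inbound third-party payload.
The secret, schema and sample bodies are constructed for the demonstration."""
import hashlib
import hmac
import json
import re

# Assumption: a per-integration shared secret; in practice it would live in a
# secrets manager, not in source.
SHARED_SECRET = b"constructed-demo-secret"

# Assumed schema for a customer record: field -> (type, max length, pattern).
SCHEMA = {
    "customer_id": (str, 32, re.compile(r"^[A-Za-z0-9_-]+$")),
    "email": (str, 254, re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    "note": (str, 500, None),
}


def sign(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Plays the sending side (the third party) for the constructed samples."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str, secret: bytes = SHARED_SECRET) -> bool:
    """Authenticity: HMAC-SHA256 over the raw body, compared in constant time."""
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def validate_record(record: dict) -> list:
    """Input validation: unknown fields, missing fields, wrong types, oversize
    values and badly formatted values are all reported."""
    problems = [f"unexpected field: {k}" for k in record if k not in SCHEMA]
    for key, (typ, max_len, pattern) in SCHEMA.items():
        if key not in record:
            problems.append(f"missing field: {key}")
            continue
        value = record[key]
        if not isinstance(value, typ):
            problems.append(f"wrong type: {key}")
            continue
        if len(value) > max_len:
            problems.append(f"too long: {key}")
        if pattern and not pattern.match(value):
            problems.append(f"bad format: {key}")
    return problems


def inspect_content(record: dict) -> list:
    """Content inspection: markup or control characters have no business in a
    customer record, so their presence is flagged regardless of schema."""
    flags = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if re.search(r"<[^>]+>", value):
            flags.append(f"markup in {key}")
        if any(ord(c) < 32 and c not in "\n\t" for c in value):
            flags.append(f"control chars in {key}")
    return flags


def accept_inbound(body: bytes, signature_hex: str, max_bytes: int = 64_000) -> dict:
    """Full pipeline. Returns accepted flag, reasons for rejection, and the
    parsed record only when every check passed."""
    if len(body) > max_bytes:
        return {"accepted": False, "reasons": ["body too large"], "record": None}
    if not verify_signature(body, signature_hex):
        # Reject before parsing: unauthenticated bytes never reach the parser.
        return {"accepted": False, "reasons": ["bad signature"], "record": None}
    try:
        record = json.loads(body)
    except ValueError:
        return {"accepted": False, "reasons": ["not valid JSON"], "record": None}
    if not isinstance(record, dict):
        return {"accepted": False, "reasons": ["not a JSON object"], "record": None}
    reasons = validate_record(record) + inspect_content(record)
    return {"accepted": not reasons, "reasons": reasons,
            "record": record if not reasons else None}


# Constructed sample payloads: one clean, one with an extra field, a bad
# e-mail address and markup in a free-text field.
GOOD_BODY = json.dumps({"customer_id": "c-1001", "email": "ann@example.com",
                        "note": "renewal call"}).encode()
BAD_BODY = json.dumps({"customer_id": "c-1002", "email": "not-an-email",
                       "note": "<b>unexpected markup</b>", "role": "admin"}).encode()

if __name__ == "__main__":
    print(accept_inbound(GOOD_BODY, sign(GOOD_BODY)))
    print(accept_inbound(BAD_BODY, sign(BAD_BODY)))
    print(accept_inbound(BAD_BODY, sign(GOOD_BODY)))  # signature mismatch
```

The order matters: the size limit and signature check run before any parsing, so unauthenticated or oversized input never reaches the JSON parser, and the schema check treats unknown fields as a rejection rather than silently dropping them, which is how overly permissive acceptance usually creeps in.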
Vorlon Security’s Approach: Vorlon safeguards inbound data consumption using techniques similar to those used for outbound flows. In addition, its behavioral analytics engine inspects all inbound data traffic, identifying suspicious behavior and IPs on VirusTotal’s IP and domain bad reputation list.
Questions to consider for your organization:
- How do you currently validate incoming data from third-party APIs?
- Are there mechanisms to identify suspicious traffic?
- Can you inspect content and prevent malicious input?
- Are the inputs you will accept across your third-party API ecosystem overly permissive?
Use Case 3 – SaaS-to-SaaS API Connections: Managing Data Sharing Risks
The third use case Gartner describes is SaaS-to-SaaS API connections, where multiple SaaS applications interconnect to share data. While these connections can streamline workflows, they often happen outside traditional oversight, making it difficult to ensure data security. Gartner notes that sensitive data leakage is a common risk in these scenarios.
Gartner’s recommendations include:
- SaaS security posture management (SSPM) tools to continuously monitor SaaS connections.
- Data governance to establish control over data sharing between interconnected applications.
Vorlon Security’s Approach: Vorlon includes SaaS-to-SaaS data governance features that provide visibility into all API interconnections, allowing organizations to monitor and manage data shared between applications. Vorlon will even go beyond third-party apps and discover the entire supply chain of interconnections and data flows across 3rd, 4th, and 5th parties. With the continuous discovery of inter-application API connections, Vorlon ensures that unauthorized data sharing is detected and managed according to organizational policies.
It’s worth noting that SSPM is of limited use here. Only Vorlon can give you visibility into which sensitive data is shared between SaaS applications so you can govern data sharing and mitigate risks. Vorlon also creates a baseline of traffic and data moving through your third-party application ecosystem and then alerts you to anomalies. Critical to this use case and others, you can apply the principle of least privilege (PoLP) to APIs, thus avoiding overly permissive data sharing.
Questions to consider for your organization:
- How do you manage data shared between interconnected SaaS applications?
- Is there a process in place to monitor and govern these connections?
In the UI shot below, Vorlon shows that 15 apps share sensitive data across the Google Workspace app ecosystem. In this case, the chain runs three levels deep: 3rd, 4th, and 5th party. Vorlon allows you to see the sensitive data each app is exposed to through the APIs it consumes or publishes (data flowing in and flowing out). Vorlon also detected a new unknown connection into your Google Workspace (upper right), which happens to be coming from an IP address of ill repute, as per VirusTotal (which comes pre-integrated with Vorlon).
Proactive Third-Party API Security with Vorlon
Gartner’s insights underscore the need for proactive, multi-layered security strategies for third-party API protection. Traditional API security measures alone are insufficient, as third-party APIs introduce unique risks. Vorlon provides the advanced capabilities organizations need to secure all three use cases outlined by Gartner.
To effectively protect your organization’s third-party API ecosystem, consider the following:
- Secrets management: Vorlon continuously monitors the configuration and metadata of API secrets across third-party applications and helps avoid unauthorized access or data breaches.
- Data in Motion: Vorlon continuously monitors inbound and outbound data flows, ensuring sensitive information remains secure as it travels between third-party APIs.
- Real-Time Threat Detection: Vorlon ensures that malicious activities are detected and mitigated before they can compromise sensitive data.
- Top-down API Governance: Vorlon provides the data governance needed to manage SaaS-to-SaaS interconnections securely.
Key Takeaway: Vorlon helps ensure your business can leverage third-party APIs securely and confidently.
For a deeper dive into securing your third-party APIs and protecting your sensitive data in motion, contact Vorlon today.
Sources:
Gartner, Market Guide for API Protection, Dionisio Zumerle, Aaron Lord, Esraa ElTahawy, Mark O'Neill, 29 May 2024
Gartner, Adapt Your Third-Party API Security to 3 Specific Use Cases, Dionisio Zumerle, Charlie Winckless, Esraa ElTahawy, 7 November 2024
Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. All rights reserved.