Two days after I joined Vorlon Security as their VP of Marketing, Gartner included Vorlon as a representative vendor in their report: Adapt Your Third-Party API Security to 3 Specific Use Cases. That’s a nice gift for a new VP of Marketing because third-party API security use cases are less understood than first-party ones. For the latter (the APIs you publish), we recommend Salt Security.
APIs—particularly third-party APIs—are often involved in data breaches, which can be far more damaging than traditional attack vectors. The Gartner report outlines how third-party APIs introduce unique and complex security challenges requiring a distinct risk management approach.
Earlier this year, Gartner published its Market Guide for API Protection, pointing to emerging capabilities in the API protection space, including API security governance and monitoring sensitive data flows. Vorlon Security is delivering these advanced capabilities today, and it was good to see Gartner expand on the need for these capabilities in its newest report.
API security governance means security teams can define and enforce security policies across their API ecosystem. This top-down enforcement ensures that APIs comply with organizational security policies and regulatory requirements.
Third-party API security governance gets tricky because point-in-time snapshots are of limited value and instead require continuous monitoring. Third-party APIs change with each new version, and each change can increase data exposure, cause regulatory violations, or break with company policy. Third parties may not even realize they are violating their obligations or causing privacy violations. Regulators are catching on and are increasingly asking for evidence of continuous monitoring.
Monitoring and managing sensitive data flows is essential for third-party API integrations, where data is frequently transferred to external vendors. Sensitive data in motion, such as personally identifiable information (PII), should be protected and monitored to prevent data leakage and unauthorized access or exfiltration.
Gartner’s newest report highlights three primary use cases for securing third-party APIs:
The first use case Gartner discusses is securing outbound data flows to third-party APIs, such as those used in payment processing or customer information sharing. This scenario poses significant risks, as threat actors could exfiltrate sensitive data if these connections are not secured.
According to the OWASP Top 10 for API Security, item number 9, Improper Inventory Management, is what creates "data flow blindspots" that hinder incident response. OWASP emphasizes that maintaining a thorough inventory of sensitive data flows is crucial for effective incident response, especially if a breach occurs on the third-party side.
A "data flow blindspot" is present if:
Without proper inventory and visibility into these data flows, organizations leave themselves exposed to data breaches, compliance violations, and regulatory penalties.
– OWASP Top 10 for API Security – number 9: Improper Inventory Management
To mitigate these risks, Gartner suggests:
Vorlon Security’s Approach: Vorlon addresses this Gartner use case and OWASP’s recommendations by cataloging and monitoring every data transfer, ensuring each sensitive data flow is justified and secure. This inventory plays a crucial role in incident response, helping organizations swiftly identify and address data leaks if a breach occurs. We also help security teams apply the principle of least privilege (PoLP) to APIs, thus avoiding overly permissive data sharing.
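As an added illustration of the inventory idea from the paragraphs above (this is example code written for this post, not Vorlon's product code or an OWASP tool), the script below builds a catalog of outbound API data flows from a constructed JSON-lines request log, classifies the sensitive data classes seen on each flow, and compares the result against an allowlist policy. Flows to destinations not in the policy are the "data flow blindspots" OWASP describes; flows that carry more data classes than the policy approves are least-privilege violations. The log format, the field classifiers, and the policy are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample of outbound API request logs (JSON lines). All hosts,
# services and values are fictitious; the record layout is an assumption
# for this example, not any vendor's log format.
SAMPLE_LOG = """
{"ts": "2024-11-10T09:00:01Z", "src": "billing-svc", "dst": "api.payments.example", "path": "/v1/charges", "body": {"card_number": "4111111111111111", "amount": 1999}}
{"ts": "2024-11-10T09:00:05Z", "src": "crm-svc", "dst": "api.crm-vendor.example", "path": "/v2/contacts", "body": {"email": "jane@example.com", "phone": "+1-555-0100"}}
{"ts": "2024-11-10T09:01:12Z", "src": "crm-svc", "dst": "api.crm-vendor.example", "path": "/v2/contacts", "body": {"email": "bob@example.com", "ssn": "123-45-6789"}}
{"ts": "2024-11-10T09:02:40Z", "src": "analytics-svc", "dst": "collector.unknown-saas.example", "path": "/ingest", "body": {"email": "alice@example.com", "plan": "pro"}}
"""

# Sensitive-data classifiers, checked in order; a field is classified by its
# key name or by the shape of its value, and the first matching class wins.
CLASSIFIERS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "card_number": re.compile(r"^\d{13,19}$"),
    "phone": re.compile(r"^\+?[\d\-\s]{7,}$"),
}

# Allowlist policy (constructed): which destinations each source service may
# send to, and which data classes are approved for that destination. This is
# the least-privilege statement the inventory is checked against.
POLICY = {
    "billing-svc": {"api.payments.example": {"card_number"}},
    "crm-svc": {"api.crm-vendor.example": {"email", "phone"}},
}


def classify(body):
    """Return the set of sensitive data classes present in one request body."""
    found = set()
    for key, value in body.items():
        sval = str(value)
        for cls, pattern in CLASSIFIERS.items():
            if key == cls or pattern.match(sval):
                found.add(cls)
                break  # first matching class wins
    return found


def build_inventory(log_text):
    """Catalog every (src, dst, path) flow and the data classes observed on it."""
    inventory = defaultdict(set)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        inventory[(rec["src"], rec["dst"], rec["path"])] |= classify(rec["body"])
    return dict(inventory)


def find_blindspots(inventory, policy):
    """Flag flows outside policy: unknown destinations and over-shared data classes."""
    findings = []
    for (src, dst, path), classes in sorted(inventory.items()):
        approved = policy.get(src, {}).get(dst)
        if approved is None:
            findings.append({"src": src, "dst": dst, "path": path,
                             "issue": "unknown destination",
                             "classes": sorted(classes)})
        elif classes - approved:
            findings.append({"src": src, "dst": dst, "path": path,
                             "issue": "data class not approved",
                             "classes": sorted(classes - approved)})
    return findings


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for flow, classes in sorted(inv.items()):
        print("flow", flow, "carries", sorted(classes))
    for finding in find_blindspots(inv, POLICY):
        print("FINDING:", finding)
```

On the constructed log this reports two findings: the analytics service sending email addresses to a destination that is not in the inventory at all, and the CRM service sending SSNs to an approved vendor that is only approved for email and phone. The first is the blindspot case; the second is the over-permissive sharing case. A real deployment would populate the inventory continuously from traffic rather than from a static log, which is the point the post makes about point-in-time snapshots.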
Questions to consider for your organization:
In the UI shot below, Vorlon has discovered internal IPs communicating with ServiceNow. To facilitate reporting and compliance, you can name those internal IPs.
The second use case involves inbound data from third-party APIs, such as customer or transaction data from SaaS providers. While this data can enhance business capabilities, it also opens the door to potentially harmful input. Gartner warns that malicious payloads from these APIs can endanger applications, users, or the hosting infrastructure.
To combat these threats, Gartner recommends:
Vorlon Security’s Approach: Vorlon safeguards inbound data consumption using techniques similar to those for outbound flows. In addition, its behavioral analytics engine inspects all inbound data traffic, flagging suspicious behavior and source IPs that appear on VirusTotal’s list of IPs and domains with a bad reputation.
Questions to consider for your organization:
The third use case Gartner describes is SaaS-to-SaaS API connections, where multiple SaaS applications interconnect to share data. While these connections can streamline workflows, they often happen outside traditional oversight, making it difficult to ensure data security. Gartner notes that sensitive data leakage is a common risk in these scenarios.
Gartner’s recommendations include:
Vorlon Security’s Approach: Vorlon includes SaaS-to-SaaS data governance features that provide visibility into all API interconnections, allowing organizations to monitor and manage data shared between applications. Vorlon will even go beyond third-party apps and discover the entire supply chain of interconnections and data flows across 3rd, 4th, and 5th parties. With the continuous discovery of inter-application API connections, Vorlon ensures that unauthorized data sharing is detected and managed according to organizational policies.
It’s worth noting that SaaS security posture management (SSPM) tools are of limited use here. Only Vorlon can give you visibility into which sensitive data is shared between SaaS applications so you can govern data sharing and mitigate risks. Vorlon also creates a baseline of traffic and data moving through your third-party application ecosystem and then alerts you to anomalies. Critical to this use case and others, you can apply the principle of least privilege (PoLP) to APIs, thus avoiding overly permissive data sharing.
Questions to consider for your organization:
In the UI shot below, Vorlon shows 15 apps sharing sensitive data across the Google Workspace app ecosystem, in this case three levels deep: 3rd, 4th, and 5th party. Vorlon allows you to see the sensitive data each app is exposed to through the APIs it consumes or publishes (data flowing in and flowing out). Vorlon also detected a new, unknown connection into your Google Workspace (upper right), which happens to be coming from an IP address of ill repute according to VirusTotal (which comes pre-integrated with Vorlon).
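To make the baseline-and-anomaly idea concrete (the behavioral analytics mentioned for inbound traffic, the traffic baseline mentioned under SaaS-to-SaaS, and the unknown connection in the screenshot above), here is an added example written for this post rather than Vorlon's own detection logic. It keeps a per-connection baseline of daily request counts, flags today's connections that were never seen during the baseline window, raises the severity when the new source IP is on a reputation list, and flags known connections whose volume deviates from the baseline by more than a z-score threshold. The baseline data, today's counts, the IP addresses and the reputation list are all constructed; the reputation set stands in for a feed such as VirusTotal's and is not data from it.

```python
import statistics

# Constructed baseline window: per-connection daily request counts for the
# last five days. Keys are (source IP, destination SaaS app). Fictitious.
BASELINE = {
    ("10.0.1.5", "google-workspace"): [120, 130, 125, 118, 127],
    ("10.0.2.9", "servicenow"): [40, 38, 45, 42, 41],
}

# Constructed observations for today.
TODAY = {
    ("10.0.1.5", "google-workspace"): 126,      # within normal range
    ("10.0.2.9", "servicenow"): 410,            # roughly 10x the usual volume
    ("203.0.113.77", "google-workspace"): 15,   # never seen in the baseline
}

# Constructed stand-in for a bad-reputation IP feed (not real VirusTotal data).
BAD_REPUTATION = {"203.0.113.77"}


def detect(baseline, today, bad_reputation, z_threshold=3.0):
    """Return alerts for unknown connections and volume anomalies."""
    alerts = []
    for conn, count in sorted(today.items()):
        src_ip, dst_app = conn
        history = baseline.get(conn)
        if history is None:
            # A connection with no baseline is unknown by definition; the
            # reputation list only decides how loudly to shout about it.
            alert = {"conn": conn, "type": "new connection", "severity": "medium"}
            if src_ip in bad_reputation:
                alert["type"] = "new connection from bad-reputation IP"
                alert["severity"] = "high"
            alerts.append(alert)
            continue
        mean = statistics.mean(history)
        # Floor the standard deviation so a perfectly flat history does not
        # turn every tiny change into an alert (or divide by zero).
        stdev = max(statistics.stdev(history), 1.0)
        z = (count - mean) / stdev
        if abs(z) > z_threshold:
            alerts.append({"conn": conn, "type": "volume anomaly",
                           "severity": "medium", "z": round(z, 1)})
    return alerts


def update_baseline(baseline, today, window=7):
    """Roll today's counts for known connections into the baseline.

    New connections are deliberately not added here: they should enter the
    baseline only after someone has reviewed the alert and approved them.
    """
    updated = {conn: list(hist) for conn, hist in baseline.items()}
    for conn, count in today.items():
        if conn in updated:
            updated[conn] = (updated[conn] + [count])[-window:]
    return updated


if __name__ == "__main__":
    for alert in detect(BASELINE, TODAY, BAD_REPUTATION):
        print(alert)
    print(update_baseline(BASELINE, TODAY))
```

Run against the constructed data, this produces two alerts: a volume anomaly on the ServiceNow connection and a high-severity alert for the new connection from the listed IP, while the Google Workspace connection with a normal count stays quiet. The z-score threshold of 3.0 is an assumption; a production system would tune it per connection and would also baseline what data classes flow, not just how much traffic does.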
Gartner’s insights underscore the need for proactive, multi-layered security strategies for third-party API protection. Traditional API security measures alone are insufficient, as third-party APIs introduce unique risks. Vorlon provides the advanced capabilities organizations need to secure all three use cases outlined by Gartner.
To effectively protect your organization’s third-party API ecosystem, consider the following:
Key Takeaway: Vorlon helps ensure your business can leverage third-party APIs securely and confidently.
For a deeper dive into securing your third-party APIs and protecting your sensitive data in motion, contact Vorlon today.
Sources:
Gartner, Market Guide for API Protection, Dionisio Zumerle, Aaron Lord, Esraa ElTahawy, Mark O'Neill, 29 May 2024
Gartner, Adapt Your Third-Party API Security to 3 Specific Use Cases, Dionisio Zumerle, Charlie Winckless, Esraa ElTahawy, 7 November 2024
Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. All rights reserved.