More Than Shifting Left: Why Relying Solely on Third-Party Vendors to Get It Right Isn’t a Security Solution
A version of this blog post originally appeared in the March 2024 ISSA Journal.
Vorlon recently sponsored the ISSA Cyber Executive Forum event in Clearwater, and we heard some clear themes as we connected with CISOs. The first was that CISOs are coaching each other to become communications experts within the larger organization so they can make their case for resources across other departments and the C-suite. Many CISOs see the risks posed by an expanding network of app-to-app API connections, but they still need to educate the rest of the organization about that growing risk.
Another insight from the ISSA event was a growing sense among CISOs of how hard it is to serve as the broker who mitigates organizational risk. The SEC and other regulators are pressing companies to report incidents faster and to be more transparent about what happened in a breach. Because CISOs are not routinely covered by Directors & Officers insurance, they are at real risk of being held personally liable for decisions that are often out of their hands. The conviction of Uber's former CSO over the handling of its 2016 data breach has everyone realizing that being a CISO is no honeymoon.
It was clear from speaking with so many CISOs that the third-party attack surface is a top priority, and that gaining visibility into it is the big first step, though many are still struggling to figure out how to get that visibility.
Over-Permissive Access
What is the best way to secure the valuables in your house? Most people will rightly start by securing the locks on their front door, back door, and garage to deter intruders. Newer smart locks let us lock and unlock from a phone, on the go or from afar, for added flexibility and peace of mind.
But what about the other technology you use at home? Should your wifi-enabled toaster oven have access to your tax documents stored on your laptop? Should your smart fridge have access to the contact list on each family member’s smartphone? Should your smart thermostat be able to control the smart lock on your door?
As absurd as those questions sound, they describe the state of enterprise cybersecurity today. Each department buys new applications and tools to do parts of its job, and those tools are granted over-permissive access to systems they never need to touch.
Reasonable Measures & Duty of Care
The average enterprise in 2024 publishes anywhere from a few dozen to upwards of 200 APIs, and immense resources go into securing them: large internal product security teams with expensive toolsets are brought on to secure and maintain them. Rightly so. API security is incredibly important, and your organization should do everything it can to protect customer and employee data. Even with those precautions in place, you can never guarantee 100% protection; that is not a reasonable standard.
The same is true of the vendors whose services and applications you consume. Think of all the time, energy, effort, and money spent securing the APIs your company publishes; even then there is no guarantee of absolute protection. Now multiply that by the number of APIs your enterprise consumes. Your third-party attack surface is orders of magnitude larger, and you have little to no control over how other organizations handle their own APIs.
The reality is that app-to-app, or non-human, communication is the majority of web traffic today (nearly 83%, according to Akamai), and the average enterprise consumes more than 25,500 APIs. The problem only grows with every new application connection that is made. You might not worry about securing your house from your toaster oven, but if you had to hand your smart lock combination to three new smart devices every hour of every day, you would start asking how they were making use of those connections.
Proactive Third-Party API Security
Some dismiss any effort to secure another company's product as unnecessary, pointing to the legal agreements with each third-party vendor that cover them in the event of a breach. A legal agreement may help you recoup financial losses after a vendor breach, but it will not spare you any of the operational work required to return your company to normal, nor prevent the reputational damage that comes with being connected to a breach. Relying on the contract alone does next to nothing to proactively protect your data in motion, and in a legal proceeding the duty of care will still fall on your organization.
The security solution is not to tighten the legal agreement but to take a proactive approach: monitor third-party API communications and manage them all in one place. It is time to rethink the definition of API security. Enterprises need to go beyond "shift left" on their own APIs. As the CISO, you will need to lead the charge in communicating the importance of visibility into the APIs the organization consumes. It is time to enable your security team to proactively manage third-party API connections, monitor the data in motion, distinguish legitimate from illegitimate traffic, and remediate issues as they arise, not months after a leak is made public.
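To make the two points above concrete (over-permissive grants to third-party tools, and telling legitimate from illegitimate third-party API traffic), here is an added example of a minimal least-privilege audit over app-to-app connections. It is illustration code written for this post, not Vorlon's product or any vendor's code. The integration names, scope names, endpoint-to-scope mapping, and the egress log lines are all constructed; a real deployment would pull the inventory from your identity provider or SaaS admin consoles and the log from whatever gateway or proxy fronts outbound vendor calls.

```python
"""
Added example: least-privilege audit of third-party app-to-app API connections.

Given an inventory of integrations and the OAuth-style scopes each was granted,
plus a window of egress API logs, it reports:
  (a) granted scopes never exercised in the window (candidates for revocation),
  (b) calls whose endpoint requires a scope the integration was never granted
      (a token probing beyond its grant, whether the vendor API allowed it or not),
  (c) traffic from integrations missing from the inventory (shadow connections),
  (d) calls to endpoints the audit has no scope mapping for (coverage gaps).
All names, scopes and log records below are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed inventory: integration id -> scopes granted at install time.
INVENTORY = {
    "ticketing-sync": {"crm:contacts.read", "crm:deals.read",
                       "crm:deals.write", "hr:employees.read"},
    "marketing-bot": {"crm:contacts.read", "crm:contacts.write"},
}

# Constructed mapping of consumed-API endpoints to the scope each requires.
ENDPOINT_SCOPE = {
    ("GET", "/v1/contacts"): "crm:contacts.read",
    ("POST", "/v1/contacts"): "crm:contacts.write",
    ("GET", "/v1/deals"): "crm:deals.read",
    ("PUT", "/v1/deals"): "crm:deals.write",
    ("GET", "/v1/employees"): "hr:employees.read",
}

# Constructed egress log (newline-delimited JSON), as an outbound proxy might emit.
SAMPLE_LOG = """\
{"ts":"2024-03-01T10:00:01Z","integration":"ticketing-sync","method":"GET","path":"/v1/deals","status":200}
{"ts":"2024-03-01T10:00:02Z","integration":"ticketing-sync","method":"PUT","path":"/v1/deals","status":200}
{"ts":"2024-03-01T10:00:03Z","integration":"ticketing-sync","method":"GET","path":"/v1/contacts","status":200}
{"ts":"2024-03-01T10:05:00Z","integration":"marketing-bot","method":"GET","path":"/v1/contacts","status":200}
{"ts":"2024-03-01T10:05:01Z","integration":"marketing-bot","method":"GET","path":"/v1/employees","status":403}
{"ts":"2024-03-01T10:07:00Z","integration":"unknown-addon","method":"GET","path":"/v1/contacts","status":200}
{"ts":"2024-03-01T10:09:00Z","integration":"marketing-bot","method":"DELETE","path":"/v1/contacts","status":405}
"""


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(inventory, endpoint_scope, records):
    """Return the four findings described in the module docstring."""
    used = defaultdict(set)          # integration -> scopes actually exercised
    out_of_grant, unknown, unmapped = [], [], []
    for rec in records:
        needed = endpoint_scope.get((rec["method"], rec["path"]))
        if needed is None:
            unmapped.append(rec)     # cannot judge this call; a gap in the mapping
            continue
        name = rec["integration"]
        if name not in inventory:
            unknown.append(rec)      # nobody approved this connection
            continue
        used[name].add(needed)
        if needed not in inventory[name]:
            out_of_grant.append(rec)  # flag even on 403: the attempt is the signal
    # Granted but never exercised: revoke, or at least ask the vendor why.
    unused = {name: sorted(granted - used[name]) for name, granted in inventory.items()}
    return {
        "unused_scopes": unused,
        "out_of_grant": out_of_grant,
        "unknown_integrations": unknown,
        "unmapped_endpoints": unmapped,
    }


def run_sample():
    """Run the audit over the constructed inventory and log."""
    return audit(INVENTORY, ENDPOINT_SCOPE, parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed data the audit reports that ticketing-sync never used its hr:employees.read grant, that marketing-bot never used crm:contacts.write and also tried an HR endpoint it was never granted (the vendor's 403 is not the point; the attempt is), that unknown-addon is reading contacts without being in the inventory, and that a DELETE on contacts has no scope mapping and so cannot be judged. The out-of-grant check is deliberately independent of the response status: a compromised or misbehaving vendor that probes beyond its grant is worth knowing about before the day the upstream authorization check fails.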
We are excited to sponsor the next ISSA Cyber Executive Forum taking place in San Francisco on May 4th-5th. To learn more about Vorlon and proactive third-party API security, visit us at vorlonsecurity.com and request a demo.