Authentication is the process of establishing who (or what) is making a request; authorisation is the process of deciding what that verified identity may do, that is, which specific applications, files and data it has access to. The two are key pillars of any API security process.
Our respondents were using open authorisation standards to classify the data resources sitting under their APIs and to implement clear frameworks for access control. While we found that authorisation practices were well understood and routinely implemented, authentication was in more of a state of flux.
Token-based authentication was common among small and medium-sized enterprises. We found organisations were actively seeking ways to enhance the security of their authentication methods, for example by issuing short-lived tokens that expire and are rotated automatically after a set period rather than living indefinitely.
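The short-lived token and automatic rotation pattern described above, as an added example that is not code from the original report or from any of its respondents. It assumes an HMAC-SHA256 signed access token and a server-side refresh-token store; the key, TTLs and subject names are constructed for illustration. Rotation is one-shot: presenting a refresh token that has already been exchanged is treated as a replay and revokes the whole token family.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

SIGNING_KEY = os.urandom(32)  # constructed for this example; a real service loads it from a secret store
ACCESS_TTL = 300              # access tokens live for five minutes
REFRESH_TTL = 3600            # refresh tokens live for one hour


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(subject: str, scopes: list, now: int, key: bytes = SIGNING_KEY) -> str:
    """Mint a short-lived, HMAC-SHA256-signed token carrying subject, scopes and expiry."""
    claims = {"sub": subject, "scp": scopes, "iat": now, "exp": now + ACCESS_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_access_token(token: str, now: int, key: bytes = SIGNING_KEY):
    """Return the claims if the signature is valid and the token has not expired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison of signatures
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:                      # expiry is enforced on every verification
        return None
    return claims


class RefreshStore:
    """Server-side refresh tokens. Each refresh rotates the token; presenting an old one
    revokes the whole token family, since either the client or an attacker replayed it."""

    def __init__(self):
        self._tokens = {}            # refresh token -> record
        self._revoked_families = set()

    def issue(self, subject: str, scopes: list, now: int, family: str = None) -> str:
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": subject, "scp": scopes, "fam": family,
                               "exp": now + REFRESH_TTL, "used": False}
        return token

    def rotate(self, refresh_token: str, now: int):
        """Exchange a refresh token for a new access token plus a new refresh token."""
        rec = self._tokens.get(refresh_token)
        if rec is None or rec["exp"] <= now or rec["fam"] in self._revoked_families:
            return None
        if rec["used"]:
            self._revoked_families.add(rec["fam"])  # reuse detected: kill the whole family
            return None
        rec["used"] = True
        new_refresh = self.issue(rec["sub"], rec["scp"], now, rec["fam"])
        return issue_access_token(rec["sub"], rec["scp"], now), new_refresh


if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed clock value
    store = RefreshStore()
    refresh = store.issue("alice", ["read"], t0)
    access, refresh = store.rotate(refresh, t0 + 60)
    print(verify_access_token(access, t0 + 61))                # claims for alice
    print(verify_access_token(access, t0 + 60 + ACCESS_TTL))   # None: expired
```

The clock is passed in explicitly so the expiry logic can be exercised deterministically in tests; in production it would be `int(time.time())`. Keeping refresh state server-side is what makes replay detection possible, which a purely stateless token cannot offer.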
Beyond passwords
Across industries and organisational types, we identified a common desire to move away from username-and-password-based authentication. The reasons cited included the risk of password leakage and the poor user experience that comes from asking users to enter passwords repeatedly.
Zero trust
Our respondents described authentication and authorisation best-practice methods which aligned with Zero Trust methodologies, including:
1. Continuous unit and integration testing, and monitoring, of datasets and APIs, to ensure that authentication and authorisation are actually enforced on every potential doorway to data.
2. Making no distinction between users inside and outside the organisation's network, so that every individual and device trying to access an API is continuously validated.
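Both of the practices above in one added example, which is not code from the original report or from any respondent. A tiny in-process router stands in for a real web framework, and the token store, routes and source addresses are constructed for illustration. The Zero Trust dispatcher authenticates every non-public route regardless of source address; a legacy dispatcher that waives authentication for the corporate network is included only so the coverage check has something to catch. The coverage check is the kind of test that belongs in CI: it walks the route table and asserts that every route outside the public allowlist answers 401 to a credential-less request from both an internal and an external address.

```python
import ipaddress

# Constructed stand-ins for a real framework and session store.
VALID_TOKENS = {"tok-alice": {"sub": "alice", "scp": {"read"}}}
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # the "inside" of the legacy perimeter
ROUTES = {}                                            # path -> handler
PUBLIC_ROUTES = {"/health"}                            # the only endpoints allowed without credentials


def route(path):
    def register(fn):
        ROUTES[path] = fn
        return fn
    return register


def authenticate(request):
    """Validate the bearer token on every request, regardless of where it came from."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return VALID_TOKENS.get(auth[len("Bearer "):])


def handle(request):
    """Zero Trust dispatcher: every non-public route authenticates, then the handler authorises."""
    handler = ROUTES.get(request["path"])
    if handler is None:
        return 404, "not found"
    if request["path"] in PUBLIC_ROUTES:
        return handler(request, None)
    principal = authenticate(request)
    if principal is None:
        return 401, "unauthenticated"
    return handler(request, principal)


def handle_perimeter_trust(request):
    """Legacy dispatcher that waives authentication for callers on the corporate network.
    Included only so the coverage check below has something to catch."""
    handler = ROUTES.get(request["path"])
    if handler is None:
        return 404, "not found"
    src = ipaddress.ip_address(request["remote_addr"])
    if request["path"] in PUBLIC_ROUTES or any(src in net for net in CORP_NETWORKS):
        return handler(request, {"sub": "internal", "scp": {"read", "admin"}})
    principal = authenticate(request)
    if principal is None:
        return 401, "unauthenticated"
    return handler(request, principal)


@route("/health")
def health(request, principal):
    return 200, "ok"


@route("/patients")
def patients(request, principal):
    if "read" not in principal["scp"]:          # authorisation: scope check per handler
        return 403, "forbidden"
    return 200, ["p-1", "p-2"]


@route("/admin/export")
def admin_export(request, principal):
    if "admin" not in principal["scp"]:
        return 403, "forbidden"
    return 200, "export started"


def find_unprotected_routes(dispatch):
    """Coverage check for CI: every route outside PUBLIC_ROUTES must answer 401 to a
    credential-less request, whether it arrives from an internal or an external address."""
    findings = []
    for path in ROUTES:
        if path in PUBLIC_ROUTES:
            continue
        for src in ("10.0.0.5", "203.0.113.9"):   # constructed internal and external callers
            status, _ = dispatch({"path": path, "headers": {}, "remote_addr": src})
            if status != 401:
                findings.append((path, src))
    return findings


if __name__ == "__main__":
    print(find_unprotected_routes(handle))                  # []
    print(find_unprotected_routes(handle_perimeter_trust))  # internal callers bypass auth
```

Driving the check from the route table rather than from a hand-written list of endpoints is the point: a newly added route is covered automatically, so an engineer who forgets to guard it in the race to market is caught by the pipeline rather than by an attacker.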
Respondents from highly regulated industries including healthcare, finance and telecommunications were the most advanced in the use of Zero Trust methodologies.
What’s stopping organisations from implementing a Zero Trust security model?
On first appearance, the benefits of a Zero Trust environment are self-evident. By removing implicit trust based on network location from an organisation's architecture, organisations can enforce fine-grained access control consistently on every request.
Yet counter-intuitively, we found that some organisations reported grappling with security during their transition to Zero Trust. Building a Zero Trust network across a medium or large-scale organisation is no mean feat. It is a highly technical undertaking and requires a skilled team.
Human error
Our respondents told us that it can be all too easy for in-house teams, in the race to market, to skip a high-quality, standardised implementation of authentication and authorisation protocols.
If authentication and authorisation are not implemented consistently across an ever-expanding and changing landscape of devices and users, a Zero Trust strategy is undermined: a single unguarded endpoint reintroduces exactly the implicit trust the model set out to remove, and the strategy becomes ineffective.
Looking for solutions
To combat this, our respondents were increasingly looking to API management tools to oversee authentication and authorisation. This has allowed their internal teams to focus on the business logic of their APIs.
Our respondents recognised the value of an abstraction layer on top of their APIs that adds an extra level of security assurance and creates a separation of concerns, with authentication and authorisation enforced in one place rather than re-implemented in every service.