Traceable AI Unveils API Security Reference Architecture Founded on Zero Trust

By Erik Linask, Group Editorial Director  |  June 05, 2023

Traceable AI, a provider of API security, has announced what it describes as an industry-first API Security Reference Architecture for Zero Trust.  The reference architecture is intended as a blueprint for security leaders who need to bring API security into their existing Zero Trust initiatives, a layer those initiatives have so far largely left out.

APIs are an integral part of modern digital services and applications, allowing the various applications we all use every day to interact seamlessly to create significant operational efficiencies.  However, as APIs have become more prevalent, they've also become a significant target for cyber attacks. This development has highlighted the importance of robust API security measures, something that has been somewhat overlooked in traditional cyber security strategies.

Zero Trust is a cyber security paradigm built on continuous verification and minimization of the attack surface, following the core principle "Never trust, always verify."  In traditional network security models, entities (users, devices, applications) inside the network perimeter are generally considered trustworthy.  That implicit trust exposes the network to insider threats and to lateral movement by attackers who have gained a foothold, an increasingly common occurrence.  The Zero Trust model removes this inherent trust and instead requires continuous verification of every entity requesting access to a resource, regardless of where that entity sits (inside or outside the network).

Zero Trust has been adopted successfully by a broad range of organizations, including multi-national enterprises and the U.S. government.  However, traditional Zero Trust programs have focused primarily on network-level controls and identity and access management, often sidelining the API layer through which most application traffic now flows.

The newly announced API Security Reference Architecture by Traceable is aligned with the National Institute of Standards and Technology (NIST) Zero Trust Architecture (ZTA), published as NIST SP 800-207, a vendor-neutral framework adopted by various government entities and leading cyber security vendors.

The NIST ZTA (SP 800-207) defines several key logical components and supporting inputs:

Policy Engine (PE) – This is the heart of the ZTA, responsible for the access decision. When a subject requests access to a resource, the PE evaluates enterprise policy together with input from external sources (identity, device state, threat intelligence, activity logs) and grants, denies or revokes access.

Policy Administrator (PA) – The PA executes the PE's decision. It establishes or shuts down the communication path between subject and resource by instructing the enforcement point, and generates any session-specific token or credential the subject uses. It relies on the PE for the decision itself rather than authoring policy.

Policy Enforcement Point (PEP) – The PEP sits in the path of the request and enables, monitors and terminates connections on instruction from the PA. Every request crosses a PEP; in an API deployment this is typically an API gateway, a service-mesh sidecar or a reverse proxy.

Trust Algorithm (TA) – Not a separate component but the process the PE uses to reach its decision, combining the access request, subject and asset data, resource requirements and threat intelligence. It may be criteria-based (every required condition must hold) or score-based (a confidence score that must exceed a per-resource threshold).

Data Sources – These provide the inputs to policy decisions. SP 800-207 lists the Continuous Diagnostics and Mitigation system, industry compliance requirements, threat intelligence feeds, network and system activity logs, data access policies, the enterprise public key infrastructure, the identity management (ICAM) system, and SIEM.

Control Plane/Data Plane – The PE and PA operate in the control plane, where decisions are made and sessions are set up or torn down. The PEP and the application traffic itself sit in the data plane, where data flows between subject and resource once access is granted.

Non-Person Entity (NPE) – NPEs, such as IoT devices, service accounts or applications calling other applications, are subjects in their own right in the ZTA, since they also require access to enterprise resources and must be verified the same way.

Continuous Diagnostics and Mitigation (CDM) Systems – These systems gather the current state of enterprise assets (configuration, patch level, known vulnerabilities) and apply updates, providing essential posture data to the PE.

By implementing a Zero Trust Architecture, organizations can enhance their security posture by reducing their attack surface, preventing lateral movement within their network, and improving their ability to adapt to the evolving cyber threat landscape. The NIST ZTA provides a standardized, vendor-neutral framework that organizations can use as a guide when implementing Zero Trust.
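To make the component roles concrete, here is an added example (not Traceable's architecture and not NIST reference code) that walks a single API request through a Policy Engine, a Policy Administrator and a Policy Enforcement Point. All identities, device posture records, threat-intelligence entries and resource policies are constructed; the scoring weights, the HMAC-signed session credential and the 300-second TTL are assumptions chosen for illustration.

```python
"""Added example: an API request passing through NIST SP 800-207 roles.
PE decides; PA issues a credential bound to subject and operation; PEP checks it on every call."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for ZTA data sources: identity system, CDM/device
# posture, threat intelligence and per-operation resource policy.
IDENTITY_DB = {
    "alice":      {"roles": {"billing-reader", "billing-admin"}, "mfa": True},
    "svc-report": {"roles": {"billing-reader"}, "mfa": False},  # a non-person entity
}
DEVICE_POSTURE = {  # what a CDM system would report about each asset
    "laptop-42": {"managed": True, "patched": True},
    "vm-9":      {"managed": True, "patched": False},
}
THREAT_INTEL_IPS = {"203.0.113.7"}  # constructed, from the TEST-NET-3 range
RESOURCE_POLICY = {  # requirements per API operation; anything absent is denied
    "GET /v1/invoices":    {"roles": {"billing-reader"}, "min_trust": 60, "mfa": False},
    "DELETE /v1/invoices": {"roles": {"billing-admin"},  "min_trust": 80, "mfa": True},
}
SESSION_TTL = 300  # seconds; assumed value

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    device: str
    src_ip: str
    method: str
    path: str

    @property
    def operation(self) -> str:
        return f"{self.method} {self.path}"

def trust_score(req: AccessRequest) -> int:
    """Score-based trust algorithm: identity strength + device posture - threat signals (weights assumed)."""
    ident = IDENTITY_DB.get(req.subject)
    if ident is None:
        return 0
    score = 40 + (20 if ident["mfa"] else 0)
    posture = DEVICE_POSTURE.get(req.device, {})
    score += 20 if posture.get("managed") else 0
    score += 20 if posture.get("patched") else 0
    if req.src_ip in THREAT_INTEL_IPS:
        score -= 50
    return max(0, min(100, score))

class PolicyEngine:
    """Control plane: grants or denies each request; unknown operations are denied."""
    def decide(self, req: AccessRequest) -> tuple:
        policy = RESOURCE_POLICY.get(req.operation)
        if policy is None:
            return False, "no policy for operation (default deny)"
        ident = IDENTITY_DB.get(req.subject)
        if ident is None:
            return False, "unknown subject"
        if not ident["roles"] & policy["roles"]:
            return False, "role not permitted"
        if policy["mfa"] and not ident["mfa"]:
            return False, "MFA required"
        score = trust_score(req)
        if score < policy["min_trust"]:
            return False, f"trust {score} below required {policy['min_trust']}"
        return True, f"granted with trust {score}"

class PolicyAdministrator:
    """Control plane: turns a PE grant into a short-lived HMAC-signed credential
    bound to one subject and one operation, which the PEP will check."""
    def __init__(self, pe: PolicyEngine, key: bytes):
        self.pe, self.key = pe, key

    def open_session(self, req: AccessRequest, now: float) -> Optional[str]:
        ok, _reason = self.pe.decide(req)
        if not ok:
            return None
        claims = {"sub": req.subject, "op": req.operation, "exp": int(now) + SESSION_TTL}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

class PolicyEnforcementPoint:
    """Data plane: fronts the API and checks every request; network location is irrelevant."""
    def __init__(self, key: bytes):
        self.key = key

    def allow(self, token: Optional[str], req: AccessRequest, now: float) -> bool:
        if not token or "." not in token:
            return False
        body, tag = token.rsplit(".", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
        # The credential is good only for the subject and operation it was issued for, until expiry.
        return (claims["sub"] == req.subject and claims["op"] == req.operation
                and now < claims["exp"])
```

Usage: build one `PolicyEngine`, one `PolicyAdministrator` and one `PolicyEnforcementPoint` sharing a key, call `open_session` for an `AccessRequest`, then pass the returned credential and the same request to `allow` on each API call. A credential issued for `GET /v1/invoices` is rejected when replayed against `DELETE /v1/invoices`, a request from a threat-listed source drops below the trust threshold even with strong identity, and an operation with no policy entry is denied by default, which is the "never trust, always verify" posture the NIST components are meant to produce.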

This alignment ensures compatibility, interoperability, and adherence to industry standards, making it a trusted guide for organizations implementing Zero Trust for their APIs.

Key Features of Traceable’s Reference Architecture

The comprehensive architecture provides organizations with a methodological approach to operationalize Zero Trust for APIs. Key features include:

  • Advanced API Security – This reference architecture provides organizations with a strategy to implement robust security measures specifically designed for APIs, thereby mitigating the risk of API-related vulnerabilities and data breaches.
  • Comprehensive Risk Management – The framework recommends incorporating automatic user authentication and authorization, granular data access policies, and asset risk assessments to effectively manage and mitigate risks associated with API access and usage.
  • Increased Visibility and Control – It underscores the importance of obtaining granular visibility, which allows organizations to monitor and record all API transactions, enabling better analysis, threat detection, and incident response capabilities.
  • Improved Compliance and Data Protection – Automatic identification and classification of sensitive data sets ensure compliance with data protection regulations, reducing the risk of regulatory penalties and reputational damage.
  • Seamless Automation and Orchestration – The architecture recommends integration with XDR, SIEM, and SOAR solutions, enhancing the overall security posture, automating response actions, and streamlining security operations.
  • Scalability and Flexibility – The architecture offers a flexible distribution model for Policy Enforcement Points (PEPs) and data collection points, allowing organizations to scale their API security infrastructure based on their unique requirements and architecture.
  • Future-Proofing – By aligning with the NIST Zero Trust Architecture and industry standards, organizations adopting the API Security Reference Architecture can ensure compatibility, interoperability, and the ability to evolve alongside emerging technologies and security best practices.

"APIs provide a new means of applying controls across enterprise applications, but the security practices for APIs have not yet matured, leaving a significant gap in the overall attack surface,” said cyber security expert Dr. Chase Cunningham.  “Traceable's API Security Reference Architecture helps fill this gap by providing organizations with a systematic way to secure their APIs with Zero Trust principles."

Over the past year, Traceable has reaffirmed its commitment to extending Zero Trust methodologies to API Security.  The addition of John Kindervag, the creator of Zero Trust, and Dr. Chase Cunningham, fondly known as Dr. Zero Trust, to its advisory team has reinforced Traceable's expertise in this domain.

With this reference architecture, Traceable is paving the way towards a future where APIs can be secured with the same robustness and diligence as any other part of an organization's network.  It highlights the importance of APIs in the digital ecosystem, emphasizing the need for comprehensive security measures that align with Zero Trust principles.

This approach by Traceable is even more critical given the proliferation of APIs across all industries.  As APIs become an integral part of business operations, their protection becomes a pressing need.  By providing a framework that is specifically designed to tackle API security, Traceable is empowering organizations to protect their digital assets more effectively, thereby reducing the risk of cyber threats and data breaches.

Edited by Erik Linask