Zero Trust API Security Architect

The cybersecurity threat landscape has changed dramatically in the last couple of years. Every day new kinds of threats are coming and impacting the organization’s business. Infosec/Security teams have always had challenges with this new threat to find the root cause and mitigate these risks.

To mitigate and overcome these constant/real-time threats and risks, the security fraternity introduces Zero Trust Architecture (ZTA) Or Zero Trust Strategy (ZTS).  ZTA is not a product or application, but it is a concept and practice to mitigate any risk for your organization.

What is ZTA/ZTS?

Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by continuously validating for security configuration and posture before being granted or keeping access to applications and data across users and their associated devices. All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.

Here are the basic properties for ZTA/ZTS

  • Default deny
  • Access by policy only
  • For data, workloads, users, devices
  • Least privilege access
  • Security monitoring
  • Risk-based verification

How API implement ZTA/ZTS?

API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). In API security we establish certain rules and processes to mitigate security risks.  These rules and processes are around Zero trust architecture or strategy. Here are a few basic strategies in API security to implement ZTA.

  1. All API communications are secured regardless of network location – This risk can be mitigated by ensuring all communication happens over an encrypted communication channel (TLS) and implementing a proper Cross-Origin Resource Sharing (CORS) policy. The endpoint for API needs to be exposed through the HTTPS protocol.
  2. All API endpoints are authenticated regardless of their environments (Prod, QA, Dev) — By default, all APIs need to be authenticated and authorized using username/password, JSON Web Token (JWT), OAuth, OpenID Connect, or third-party services.
  3. All API resources are protected and restricted to all users by default — Running multiple versions of an API requires additional management resources from the API provider and expands the attack surface. As per ZTA, make sure all API versions and their resources are restricted if it is not used by the user. Always validate and properly sanitize data received from integrated APIs before using it.
  4. Access to API resources is determined by dynamic policy including the client identity, application/service, and the requesting asset – Any API requires resources such as network bandwidth, CPU, memory, and storage. It is easy to exploit these resources by simple API calls or multiple concurrent requests. According to Zero Trust Architect, all APIs must implement API policies like:
    • Client identity (ClientID/Client-Secret)
    • Execution timeouts (Rate limiting)
    • Maximum allowable memory
    • Maximum number of file descriptors
    • Maximum number of processes
    • Maximum upload file size
  5. Implement or configure API monitoring posture and API Alert system — API monitoring helps identify and resolve performance issues as well as security vulnerability issues before they negatively impact users, which can impact user experience. The alert system notifies the operation team to mitigate risk quickly.
  6. Continuous API security risk assessments – Continuous risk assessments help the Infosec/Security team identify any security risk gap. By conducting the security risk assessments, organizations establish a baseline of cybersecurity measurements, and such baselines could be referenced to or compared against future results to improve overall cyber posture and resiliency further and demonstrate progress. A Free Security assessments tool VAT is available to mitigate any security risk for your organization.

https://www.vanrish.com/secassessment/

Organizations that have adopted the Zero Trust API model, see trust as fundamental to creating a positive, low-friction work culture for their clients and empowering the organization at all levels. Many of our Vanrish Technology clients, we worked with have many of the technologies in place that can be leveraged toward full Zero Trust architect model adoption.

Retail 2023: The new Trend

From the last few years COVID pandemic has changed the whole Retail business spectrum in ways we could have never imagined before. Exploring new and accelerated trends gives us an indication of how this evolution will continue into the new normal. This pandemic also leads to closure of countless stores and bankruptcy. After surviving from the pandemic, inflation is hard hitting Retail business. Supply chain is also getting impacted with the Russia-Ukraine war. Now experts are saying that the greatest risk facing global supply chains has shifted from the pandemic to the Russia-Ukraine military conflict and the geopolitical and economic uncertainties.

With all this news for Retail industries, customer expectations and habits have shifted. Customers expect engagement on values to go beyond point of purchase to creating moments of engagement across the full journey. Now retailers have been compelled to find new ways to connect with consumers in a personalized and tailored way in-store as well as online to make a more intuitive experience. Retailers are going more digitized in their approach to connect with customers.

This is how retailers are moving forward to reach a wider customer base and lure their product. 

  1. e-commerce Technologies – In pandemic time if your business presence was not online then you will be out of business quickly. So Retailers have increased investment in e-commerce technologies. They increased the budget for digital transformation. To get ahead of competition, they are offering a mix of digital and physical experiences ahead of their rivals. Retailers are also focusing on customer service and providing seamless service experience across messaging, web and mobile channels. Retailers are creating a cohesive and connected customer shopping journey with e-commerce and unified data across systems.
  1. Infrastructure– Retailers are upgrading their instore as well as online infrastructure. They are replacing traditional store signs with digital signs and screens to display ads and videos. They are also adding kiosks and self-checkouts within the store. This is making the shopping experience more convenient and personalized. Shoppers are in and out, without having to make small talk or wait in queues. Deployment of in-store technologies double in a year.
  1. API-first and Cloud – Retailers are focused on Composable architecture. Composable architectures are key players to  implement successful digital transformations and most engaging digital experiences. 2023 will be a year of focus for retailers to remove entirely their legacy monolithic architectures. API-first and Cloud based solutions help retailers to switch to new functionality without the need for significant investment and resources. This will reduce the incredible amount of time and cost of ownership of a fraction of legacy technologies. API-first connectivity helps customers to shop anytime, anywhere and anyhow
  1. Customer experience – Customer experience is the one the main focus for Retailers this year. The focus of customer experience is online as well as in store experience. Retailers are providing customers enhanced assisted-selling experiences through assisted Selling. They are also focusing online customers through distributed OMS (Order Management System), Omni-channel and remote Selling. Retails are preparing for next level customer experience through loyalty(customers long-term relationships), native App and AI based digital fitting room.
  1. Merchandising & Supply Chain – Retailers are providing real time tracking and inventory information to their customers. They are also providing purchase incentives to their loyal customers so that they can keep engaging customers for their products. Retailers are also focusing on upgradation of warehouse management (WMS) to fulfill in-store as well as online orders.