DevSecOps

Google Cloud’s New Approach To Reduce API Threats Costing Organizations Billions

Google Cloud Product Manager, Shelly Hershkovitz, explains the risks of API threats, and how the launch of Google Cloud’s new service will help improve detection and remediation of API threats.

Interview: Google Cloud’s New Approach To Reduce API Threats Costing Organizations Billions

APIs are an essential component of digital transformation. But as organizations continue to rely on APIs for automation, business processes, and customer experiences, cyber-criminals are looking to exploit their usage to expose and compromise valuable customer data. 

According to Google Cloud’s latest API Security Research Report, over 50% of organizations have been affected by an API security incident in the last 12-months. Imperva have estimated that API threats are costing between $41 and $75 billion USD annually. API risks are also having a major impact on the pace of innovation, with 53% of organizations delaying the launch of new services or applications due to concerns about API resilience. 

There is a crucial need for API security “across all industries and verticals,” to slow down the pace of threats, Shelly Hershkovitz, Product Manager at Google Cloud, told Expert Insights. The potential scale of API exploits is immense; API’s can be used to scrape the data of hundreds of millions of users, collecting data that is like gold dust to cyber-criminals.

API threats are on the rise for several reasons, Hershkovitz explains. Firstly, organizations are relying more heavily on API connections to run critical business services and processes. Secondly, there is a lack of best practices around API security, meaning APIs are often misconfigured or use outdated components with vulnerabilities that can be exploited by cyber-criminals.

A third major challenge is that API threats are very difficult to detect and remediate against. API attacks are difficult to detect with traditional security controls. As attackers leverage legitimate functionality to exploit vulnerabilities, they can bypass traditional security alerts and warnings. The volume of security alerts also contributes to this issue. Security teams are often overwhelmed by security alerts from an ever-expanding arsenal of cybersecurity tools. API threats and alerts can easily be lost amongst the noise, meaning they go undetected.

Google Cloud has today announced the introduction of Advanced API Security Machine Learning. This platform provides a range of dashboards that identity and add context to attacks that target APIs tied to intellectual property, business processes and sensitive information. This service is available as part of Google Cloud’s Apigee Advanced API Security solution.

Hershkovitz emphasizes these models have been trained by Google’s internal teams to protect their own public-facing APIs over the past several years. They work by monitoring patterns in API traffic, then notifying users with clear ‘human friendly’ alerts if anomalies are detected. This allows teams to help resolve the incident rapidly, thereby decreasing the potential damage done. 

As we head into the era of IoT, companies will continue to rely more heavily on API connections to drive innovation and build new customer experiences, Hershkovitz explains. Today there are already organizations running “thousands of API proxies” and making millions of API calls critical to the running of everyday business processes. And we still are right at the start of the API journey.

For this reason, API security is likely to become an even more critical for organizations to consider in the future, Hershkovitz says. Attacks are likely to become more frequent as systems and IoT technologies become more interconnected. 

Companies should build comprehensive API management plans and strategies in order to ensure customer data is protected and invest in API security tools to protect customer data and support long-term future innovation.