Embed API Security into Regulatory Compliance: Six Examples to Watch
Q: Why are enterprises being fined for API security incidents?
A: Because regulators are beginning to see what attackers already know: Exposed or misconfigured APIs are prevalent, easy to compromise, and often unprotected.
All it takes is one vulnerable API
Every time a customer, partner, or vendor engages with your business digitally, there’s an API behind the scenes that’s facilitating a rapid exchange of data — often sensitive data. Today’s attackers know that they don’t always need to engage in complex, multistep schemes to steal your data. Instead, they can bypass the go-between – for example, your applications – and directly target your APIs.
Does it matter if a 200-page regulatory document explicitly mentions, subtly implies, or vaguely indicates that securing APIs is important? Not really. Because a data breach is a data breach, no matter how or where it was executed. All it takes is one vulnerable API and your data can be compromised, stolen, or published for the world to see.
Data breaches are happening while you wait
Can API security wait while you prioritize the threats that your regulators are singling out, like ransomware? Unfortunately, no. APIs multiply in number and in risk, as enterprises roll out new digital products and services.
Seventy-six percent of organizations we surveyed have experienced an API security incident, and most don’t have the controls or tools in place to stop it. Meanwhile, the average cost of a data breach increases by 12.6% (to US$5.05 million) when an organization is highly noncompliant.
How does this affect your compliance program?
If you take a proactive approach to finding every API, assessing each one for risk, and securing them from breaches, you’ll be safeguarding your data from the exact outcomes regulators are trying to prevent.
In this blog post, we present a high-level review of the six regulations and guidelines that indicate a need for API protection — and we’ll highlight key examples of ways to comply.
6 key regulations and frameworks
1. Payment Card Industry Data Security Standard (PCI DSS) Version 4.0
PCI DSS has become a global standard for protecting payment data. If your business accepts major credit cards and processes, stores, or transmits cardholder data electronically, you’re on the hook to comply.
PCI DSS 4.0 requirement 6.2.3 centers on the need for organizations to review their bespoke and custom application code to ensure that no vulnerabilities are released into production. Specific to APIs, this requirement offers guidance to confirm an organization’s software securely uses external components’ functions (libraries, frameworks, APIs, etc.).
One of several ways to comply: Validate normal and expected behavior of API use and implement controls to block suspicious actors from abusing your systems (e.g., check the application’s behavior to detect logical vulnerabilities).
2. General Data Protection Regulation (GDPR)
GDPR is a European Union legislation that aims to strengthen and unify data protection for individuals within the European Union. However, GDPR is not limited to EU-based companies; any organization offering consumer goods or services in the European Union must comply.
GDPR Article 25 is rooted in least privilege, requiring companies to implement “technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose… are processed.” In turn, API developers should implement user authentication and authorization controls to safeguard the sensitive data flowing through their APIs.
This is a great example of how API security fits into your enterprise’s big-picture security and compliance programs. Concepts like least privilege aren’t only relevant to us humans; APIs should also have just the right amount of access to do their jobs.
3. Digital Operational Resilience Act (DORA)
In total, more than 22,000 financial institutions and IT service providers in the European Union are affected by DORA’s requirements, which are meant to help organizations withstand and recover from cyberattacks.
How does API security fit into DORA? Let’s explore the nature of DORA Article 3, which requires organizations to use ICT solutions and processes that:
Minimize data-related risks, unauthorized access, and technical flaws
Prevent data unavailability, data loss, and integrity and confidentiality breaches
Ensure data transfer security
Given that APIs’ main purpose is to transfer data, it’s essential to regularly test your APIs for vulnerabilities, including a lack of authentication controls and unintended exposure to the public internet. By applying a shift-left approach to testing APIs, you can stop vulnerabilities from reaching production.
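One concrete form of the shift-left testing described above is a build-time check over the API contract itself. The following added example (not part of this post or of DORA) walks an OpenAPI 3 document, reports every operation whose effective security requirement is empty, and reports servers that are not served over HTTPS (the "data transfer security" point of Article 3). The document, operation names and the `health` allowlist entry are constructed for illustration; a real pipeline would load the team's own JSON or YAML spec.

```python
"""Shift-left OpenAPI check: fail the build when an operation has no
authentication requirement or a server is exposed over plain HTTP.
Added example; SAMPLE_SPEC is constructed, not a real API."""
import sys
from typing import Dict, List

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI 3 document, already parsed into a dict.
SAMPLE_SPEC: Dict = {
    "openapi": "3.0.3",
    "servers": [
        {"url": "https://api.example.test/v1"},
        {"url": "http://api.example.test/v1"},   # plaintext server: should be flagged
    ],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearer": []}],                 # global default: bearer token required
    "paths": {
        "/accounts/{id}": {"get": {"operationId": "getAccount"}},               # inherits global
        "/health": {"get": {"operationId": "health", "security": []}},          # intentionally public
        "/transfers": {"post": {"operationId": "createTransfer", "security": []}},  # should be flagged
    },
}


def unauthenticated_operations(spec: Dict, allowlist=("health",)) -> List[str]:
    """Return 'METHOD path' for every operation whose effective security requirement
    is empty. An operation-level `security: []` overrides the global requirement and
    switches authentication off; `allowlist` names operations meant to be public."""
    global_sec = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip `parameters`, `summary`, etc.
            effective = op.get("security", global_sec)
            if not effective and op.get("operationId") not in allowlist:
                findings.append(f"{method.upper()} {path}")
    return findings


def plaintext_servers(spec: Dict) -> List[str]:
    """Return server URLs that do not use HTTPS (data in transit unprotected)."""
    return [s["url"] for s in spec.get("servers", [])
            if not s["url"].lower().startswith("https://")]


def run_checks(spec: Dict) -> List[str]:
    """Aggregate findings; an empty list means the spec passes the gate."""
    problems = [f"no authentication: {o}" for o in unauthenticated_operations(spec)]
    problems += [f"plaintext server: {u}" for u in plaintext_servers(spec)]
    return problems


if __name__ == "__main__":
    issues = run_checks(SAMPLE_SPEC)
    for issue in issues:
        print("FAIL", issue)
    sys.exit(1 if issues else 0)
```

Run it as a CI step: a non-zero exit blocks the merge, so an operation that quietly opts out of the global security requirement never reaches production. The allowlist is the place to record deliberately public endpoints so the exception is reviewed rather than silent.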
4. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA focuses on data privacy and security rules to safeguard protected health information (PHI) in electronic health records and healthcare IT systems. Any U.S. healthcare provider, plan administrator, or clearinghouse that electronically stores or transmits PHI must comply with HIPAA.
HIPAA’s Privacy Rule specifies that covered entities “must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce.”
Therefore, an organization’s API developers must embed technical safeguards such as authentication, unique user IDs, and role-based access controls to ensure least privilege is in place.
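The GDPR Article 25 passage above (only the personal data necessary for a specific purpose) and the HIPAA passage here (access restricted by workforce role, unique user IDs) call for the same handler-level control, so one added example covers both. It is illustrative code written for this post, not any regulation's reference implementation: the roles, purposes, field policies and patient record are all constructed. Authorization is deny-by-default, every principal carries a unique user ID, and the response is projected onto only the fields the stated purpose permits.

```python
"""Least-privilege API handler: role-based access control plus per-purpose
field minimization. Added example with constructed policies and data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Principal:
    user_id: str   # unique user ID so every access is attributable
    role: str


# Constructed policy: which operations each role may call.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"patient:read", "patient:update"}),
    "billing":   frozenset({"patient:read"}),
    "auditor":   frozenset({"audit:read"}),
}

# Constructed policy: which purposes each role may assert.
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"treatment"}),
    "billing":   frozenset({"billing"}),
}

# Constructed policy: which fields each purpose may see (data minimization).
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "treatment": frozenset({"id", "name", "dob", "diagnosis"}),
    "billing":   frozenset({"id", "name", "insurance_id"}),
}

# Constructed sample record.
PATIENTS = {
    "p1": {"id": "p1", "name": "A. Example", "dob": "1980-01-01",
           "diagnosis": "J06.9", "insurance_id": "INS-001"},
}


class Forbidden(Exception):
    """Raised when the principal lacks the permission or purpose."""


def authorize(principal: Principal, permission: str, purpose: str) -> None:
    """Deny by default: an unknown role, missing permission or purpose the
    role may not assert all raise instead of falling through."""
    if permission not in ROLE_PERMISSIONS.get(principal.role, frozenset()):
        raise Forbidden(f"{principal.user_id} ({principal.role}) lacks {permission}")
    if purpose not in ROLE_PURPOSES.get(principal.role, frozenset()):
        raise Forbidden(f"{principal.user_id} ({principal.role}) may not act for {purpose}")


def minimize(record: Dict, purpose: str) -> Dict:
    """Project the record onto the fields permitted for the purpose.
    An unknown purpose yields nothing rather than everything."""
    allowed = PURPOSE_FIELDS.get(purpose, frozenset())
    return {k: v for k, v in record.items() if k in allowed}


def get_patient(principal: Principal, patient_id: str, purpose: str) -> Optional[Dict]:
    """Handler for GET /patients/{id}: authorize first, then minimize the response."""
    authorize(principal, "patient:read", purpose)
    record = PATIENTS.get(patient_id)
    if record is None:
        return None
    return minimize(record, purpose)
```

The two policies are deliberately separate: the role check answers "may this user call this operation at all", and the purpose projection answers "which fields does this call need". A billing user therefore never receives a diagnosis even though both roles share the `patient:read` permission.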
5. Network and Information Security Directive (NIS2)
The European Union adopted version 2.0 of the NIS directive in January 2023, which builds upon the original version’s guidelines for securing IT infrastructure and reporting incidents.
Of note, NIS2 includes a new emphasis on securing supply chains: Enterprises must now assess risk and secure their IT supply chains and third-party supplier relationships.
Since APIs are often used to integrate external services – from software vendors to cloud service providers – ensuring their security is key to showing regulators your organization is protecting its customers’ data and the broader supply chain from attacks.
6. Federal Financial Institutions Examination Council (FFIEC)
The FFIEC creates the guidance and standards for federal regulators to oversee the U.S. financial industry. This includes the Federal Reserve and FDIC. The council’s mission is to protect consumers and investors from fraud, abuse, and misconduct.
In reviewing the FFIEC’s guidelines, it’s clear how securing APIs can help organizations protect consumers from fraud and identity theft. For example, the FFIEC recommends that enterprises build an inventory of all information systems – this includes APIs – that require authentication and access controls.
Authorization is also critical: The FFIEC recommends implementing layered security; for example, monitoring, logging, and reporting activities to identify and track unauthorized API access.
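The PCI DSS item above (validate expected API behavior and flag actors abusing it) and the FFIEC points here (an inventory of APIs, plus monitoring and logging to identify unauthorized access) can both be served by one detection routine run over gateway access logs, so a single added example follows. It is not code from this post or from the FFIEC: the log format, the seven log lines and the route inventory are constructed. It reports clients accumulating 401/403 responses, and requests to endpoints absent from the inventory, which are the "shadow" APIs an inventory is meant to surface.

```python
"""Detection over API access logs: repeated 401/403 per client and requests
to routes missing from the API inventory. Added example with a constructed
log format, constructed log lines and a constructed inventory."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed inventory of approved routes: (method, path-template regex).
INVENTORY = [
    ("GET",  re.compile(r"^/v1/accounts/\d+$")),
    ("POST", re.compile(r"^/v1/transfers$")),
]

# Constructed access log: timestamp client method path status user
LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 GET /v1/accounts/1001 200 alice
2024-05-01T10:00:02Z 203.0.113.5 GET /v1/accounts/1002 403 alice
2024-05-01T10:00:03Z 203.0.113.5 GET /v1/accounts/1003 403 alice
2024-05-01T10:00:04Z 203.0.113.5 GET /v1/accounts/1004 403 alice
2024-05-01T10:00:05Z 198.51.100.9 POST /v1/transfers 201 bob
2024-05-01T10:00:06Z 198.51.100.9 GET /v1/internal/debug 200 bob
2024-05-01T10:00:07Z 192.0.2.7 POST /v1/transfers 401 -
"""


class Entry(NamedTuple):
    ts: str
    client: str
    method: str
    path: str
    status: int
    user: str


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse(log: str) -> List[Entry]:
    """Parse log lines; malformed lines are skipped so the detector never crashes."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, status, user = m.groups()
        entries.append(Entry(ts, client, method, path, int(status), user))
    return entries


def denied_burst(entries: List[Entry], threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` 401/403 responses. Repeated 403s on
    sequential resource IDs from one authenticated user is the pattern an
    object-level authorization bug produces; report it for review."""
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.status in (401, 403):
            counts[e.client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


def shadow_endpoints(entries: List[Entry]) -> List[str]:
    """Distinct 'METHOD path' values that matched no inventoried route."""
    seen: List[str] = []
    for e in entries:
        if not any(e.method == m and rx.match(e.path) for m, rx in INVENTORY):
            key = f"{e.method} {e.path}"
            if key not in seen:
                seen.append(key)
    return seen


def report(log: str) -> Dict:
    """Combine both detections into one structure for the SIEM or ticket."""
    entries = parse(log)
    return {
        "denied_bursts": denied_burst(entries),
        "shadow_endpoints": shadow_endpoints(entries),
    }


if __name__ == "__main__":
    print(report(LOG))
```

The threshold and the path templates are the tuning points: raise the threshold for noisy public endpoints, and keep the inventory in version control next to the OpenAPI spec so a route that is served but never declared shows up as a finding rather than staying invisible.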
Securing APIs also means securing trust
The six regulations and guidelines discussed in this blog post have one thing in common: protecting the data that others have entrusted to you.
As you know, the stakes of an API data breach are about more than just fines. Trust and reputation are on the line — among your customers, employees, and the regulators that oversee your industry. Regulators need to see that you’re applying the right mix of people, processes, and tools to stop attacks like these from occurring.
Learn more
Would you like to gain a deeper understanding of the API-relevant requirements for the six regulations we’ve discussed in this post?