Securing Shadow APIs, If You Can Find Them

I caught up with Doug Dooley, Chief Operating Officer of Data Theorem, at RSA. The theme he raised was one that I heard repeatedly during the conference: the loss of IT security control in the cloud. As companies migrate to the cloud, it’s easy for established security controls to fail. This can happen for a variety of reasons, but mostly the issue has to do with visibility. When people are deploying applications and building systems on-premises, security managers can see what’s going on. In the cloud, well-meaning people can do things (and not do things) that create hard-to-spot security vulnerabilities.

Shadow APIs are an example of this phenomenon. According to Dooley, corporate enthusiasm for the data analytics benefits of APIs and the cloud has led to a risky scenario where developers or DevOps teams set up APIs that no one knows about except them. The architecture of open APIs then allows external users to access sensitive data without detection.

The real problem here, as Dooley pointed out, is the inability of traditional API gateways to function effectively in the cloud. “If you’re relying on an on-premises gateway as a proxy for ingress and egress of data, you could easily miss a cloud-based shadow API that’s been set up outside of regular controls,” he said. “The API is in the cloud. Your data is in the cloud. It’s all happening outside of what you normally monitor.”

Serverless architectures further compound the security challenge. “If the API disappears from view when it’s not in use, you’ve made the shadow API into what’s essentially an invisible API. Good luck trying to find it,” Dooley further noted. If security controls are outsourced to the cloud provider, this is yet another obstacle to reliable policy enforcement.
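The blind spot Dooley describes is a data-plane one: an on-premises gateway only sees traffic that passes through it, and a serverless endpoint that has scaled to zero produces no traffic at all. The defender's counter is to inventory APIs from the cloud control plane and reconcile that list against what the gateway actually fronts. The script below is an added illustration of that reconciliation, not code from Data Theorem or from the article; the gateway host list, the cloud inventory snapshot and the timestamps are all constructed, and the seven-day idle threshold is an assumed policy value.

```python
# Added example: reconcile a cloud control-plane inventory of APIs against the
# set of hosts the on-premises API gateway actually fronts. Endpoints that exist
# in the cloud account but never pass through the gateway are "shadow" APIs; an
# idle serverless endpoint is flagged separately because it also leaves no
# traffic trail to find it by. All inventory data below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ApiEndpoint:
    name: str                         # logical API name from the cloud inventory
    host: str                         # public hostname the API answers on
    serverless: bool                  # function-backed (scales to zero) or not
    last_invoked: Optional[datetime]  # last invocation seen in provider metrics
    owner: Optional[str]              # owner tag, if anyone set one


# Hostnames the on-premises API gateway is configured to proxy (constructed).
GATEWAY_HOSTS: Set[str] = {
    "orders.api.example.com",
    "search.api.example.com",
}

# Snapshot of every API-like endpoint in the cloud account (constructed). This is
# what a control-plane inventory query would return, not gateway traffic.
NOW = datetime(2024, 1, 15, 12, 0)
CLOUD_INVENTORY: List[ApiEndpoint] = [
    ApiEndpoint("orders-api", "orders.api.example.com", False, NOW - timedelta(hours=1), "team-orders"),
    ApiEndpoint("search-api", "search.api.example.com", False, NOW - timedelta(minutes=5), "team-search"),
    # Deployed straight to the cloud, idle for a month, no owner: the invisible API.
    ApiEndpoint("geo-lookup", "geo-lookup.cloud.example.com", True, NOW - timedelta(days=30), None),
    # Actively used but bypasses the gateway entirely.
    ApiEndpoint("billing-export", "billing-export.cloud.example.com", False, NOW - timedelta(hours=2), "team-finance"),
]


def find_shadow_apis(
    inventory: Iterable[ApiEndpoint],
    gateway_hosts: Set[str],
    now: datetime,
    idle_after: timedelta = timedelta(days=7),  # assumed policy threshold
) -> Dict[str, List[str]]:
    """Return {api name: [reasons]} for every endpoint the gateway does not front."""
    findings: Dict[str, List[str]] = {}
    for ep in inventory:
        if ep.host in gateway_hosts:
            continue  # known, monitored path: not a shadow API
        reasons = ["not routed through the API gateway"]
        if ep.owner is None:
            reasons.append("no owner tag")
        if ep.serverless and (ep.last_invoked is None or now - ep.last_invoked > idle_after):
            # Scaled to zero: nothing in flow logs, so discovery has to come
            # from the control plane rather than from watching traffic.
            reasons.append("serverless and idle: leaves no traffic to monitor")
        findings[ep.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_shadow_apis(CLOUD_INVENTORY, GATEWAY_HOSTS, NOW).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run as-is it reports `geo-lookup` (unowned, idle, serverless) and `billing-export` (live but never proxied); the two gateway-fronted APIs are silent. The point of the design is the source of truth: the inventory comes from the provider's control plane, so an endpoint is found whether or not it is currently receiving requests, which is exactly the case the gateway cannot cover.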

Data Theorem itself was approached by a company that had discovered a data leak but couldn’t figure out where it was happening. The Data Theorem toolset was able to discover the culprit: a cloud API for geolocation data that had been deployed without the knowledge of IT security. “This was not a case of malicious intent,” Dooley said. “The API developer was just doing what he thought was his job. He hadn’t been completely briefed on procedure, however, so the API was just out there.”