Taking Control of Customer IAM

Harish Nataraj

May 15, 2022 · 3 min read

Identity & Access Management are critical for API Security

API Authorization Is Critical for API Security

Customer Identity and Access Management (CIAM) is how modern companies give their end users access to their digital properties, as well as how they govern, collect, analyze, and securely store data for those users.

Modern applications are built using APIs, and API Authorization is a core component of CIAM. This makes API Authorization a critical part of API Security!

Authorization as a Service — A Booming Market Category

Okta, Auth0, and others have built billion-dollar businesses on making API authentication simple and secure for enterprises.

There is a new wave of companies doing the same for API Authorization. Authorization as a Service is a fast-growing market category driven by a slew of OSS and commercial vendors, including Zanzibar, Styra, Oso, Permit.io, Aserto, etc.

Implementing API Authorization is Hard

Insightful blogs from Carta and Gusto describe the significant effort involved in implementing and maintaining a robust, secure API authorization solution.

Suboptimal API authorization results in data breaches from exploits such as Horizontal Privilege Escalation (one user reaching another user's data) and Vertical Privilege Escalation (a user performing actions reserved for a higher-privileged role).

Visualization of API Access Behavior is Critical

Often API authorization is retrofitted into existing applications, making visualization of authorization behavior a necessity.

Carta and Gusto describe how visibility of API access patterns was critical in implementing proper access controls.

Testing API Access Controls is Developer Toil

When you have hundreds of APIs spread across dozens of distributed service teams, ensuring that your API permissions are solid is undifferentiated heavy lifting.

API Access Controls — Only Good If They Work

In his insightful paper, Phil Venables (CISO, Google Cloud) talks about the need to validate your access controls continuously.

API access controls are good only if they work correctly. Many data leaks are due to misconfigurations in the access control model for APIs.
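As an added example (not code from the post or from Levo), the following toy invoice API shows the two escalation classes named earlier, Horizontal and Vertical Privilege Escalation, side by side with the checks that close them, and finishes with a table-driven validation routine in the spirit of "access controls are only good if they work". The principals, roles, records and handler names are all constructed for this example.

```python
"""
Added example (not from the post): a toy invoice API showing horizontal and
vertical privilege escalation, the checks that close them, and a repeatable
validation routine. Principals, roles and records are constructed sample
data; the handler names are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Server-side identity of the caller (e.g. from a verified session)."""
    user_id: str
    role: str  # constructed roles: "user" or "admin"


class Forbidden(Exception):
    pass


# Constructed store: invoice id -> record with its owner
INVOICES = {
    "inv-100": {"owner": "alice", "amount": 120},
    "inv-200": {"owner": "bob", "amount": 75},
}


def get_invoice_vulnerable(caller, invoice_id, store):
    """Horizontal privilege escalation: the caller is authenticated but
    ownership is never checked, so any user can read any invoice by id."""
    return store[invoice_id]


def get_invoice(caller, invoice_id, store):
    """Object-level check: the owner must match the caller unless the caller
    is an admin. The decision uses the stored record, not request data."""
    record = store.get(invoice_id)
    if record is None:
        raise KeyError(invoice_id)
    if caller.role != "admin" and record["owner"] != caller.user_id:
        raise Forbidden(f"{caller.user_id} may not read {invoice_id}")
    return record


def delete_invoice_vulnerable(caller, invoice_id, store, is_admin):
    """Vertical privilege escalation: the privilege decision trusts a
    client-supplied flag (think a JSON field in the request body)."""
    if not is_admin:
        raise Forbidden("admin only")
    del store[invoice_id]
    return True


def delete_invoice(caller, invoice_id, store):
    """Role check taken from the server-side principal, never the request."""
    if caller.role != "admin":
        raise Forbidden("admin only")
    if invoice_id not in store:
        raise KeyError(invoice_id)
    del store[invoice_id]
    return True


def validate_access_controls():
    """Exercise the hardened handlers against a table of expected outcomes
    and return the names of the expectations that did not hold. An empty
    list means the controls behave as intended; run this on every build."""
    alice = Principal("alice", "user")
    root = Principal("root", "admin")
    expectations = [  # (name, callable taking a store, should_succeed)
        ("alice reads own invoice", lambda s: get_invoice(alice, "inv-100", s), True),
        ("alice reads bob's invoice", lambda s: get_invoice(alice, "inv-200", s), False),
        ("admin reads bob's invoice", lambda s: get_invoice(root, "inv-200", s), True),
        ("user deletes invoice", lambda s: delete_invoice(alice, "inv-200", s), False),
        ("admin deletes invoice", lambda s: delete_invoice(root, "inv-200", s), True),
    ]
    failures = []
    for name, call, should_succeed in expectations:
        store = {k: dict(v) for k, v in INVOICES.items()}  # fresh copy per case
        try:
            call(store)
            succeeded = True
        except Forbidden:
            succeeded = False
        if succeeded != should_succeed:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("failures:", validate_access_controls())
```

The vulnerable handlers are kept deliberately: the horizontal case authenticates but never asks "does this record belong to the caller", and the vertical case lets the request assert its own privilege. The expectation table in `validate_access_controls` is the piece that belongs in CI, since a refactor that drops either check turns up as a named failure rather than as a leak discovered later.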

Take Control of CIAM with Levo’s API Security Assurance

Levo’s Continuous API Security Assurance empowers modern development teams to proactively maintain a robust API security posture.

Levo’s agent-less/no-code instrumentation provides API observability throughout the API development lifecycle.

Levo’s API Observability answers the following questions:

  1. Who are my users?
  2. What are the role entitlements for these users?
  3. What specific API endpoints and JSON objects are being accessed via the role entitlements?
  4. Which users, under what roles, access which APIs?
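As an added example (not Levo's code or tooling), here is one way to answer the last question from plain API access logs: parse constructed log lines into a user / role / endpoint matrix, then flag any endpoint reached by a role that a declared entitlement map does not grant. The log format, role names, endpoints and entitlement map are all assumptions made for the example.

```python
"""
Added example (not from the post): build a user / role / endpoint access
matrix from constructed API access-log lines and compare it with a declared
entitlement map. Log format, roles, endpoints and entitlements are assumed.
"""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed "user role METHOD path status" format
SAMPLE_LOG = """\
alice user GET /api/invoices/100 200
alice user GET /api/invoices/200 200
bob user GET /api/invoices/200 200
carol admin DELETE /api/invoices/200 204
bob user DELETE /api/invoices/100 204
carol admin GET /api/users 200
"""

# Assumed entitlement map: which roles should be able to reach each endpoint template
ENTITLEMENTS = {
    "GET /api/invoices/{id}": {"user", "admin"},
    "DELETE /api/invoices/{id}": {"admin"},
    "GET /api/users": {"admin"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize_path(path):
    """Collapse numeric path segments into {id} so per-object URLs group
    under one endpoint template."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, role, method, path, status = m.groups()
        entries.append({
            "user": user,
            "role": role,
            "endpoint": f"{method} {normalize_path(path)}",
            "status": int(status),
        })
    return entries


def access_matrix(entries):
    """Answer 'which users, under what roles, access which APIs':
    endpoint -> role -> sorted list of users, counting successful requests only."""
    matrix = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if 200 <= e["status"] < 300:
            matrix[e["endpoint"]][e["role"]].add(e["user"])
    return {ep: {r: sorted(u) for r, u in roles.items()} for ep, roles in matrix.items()}


def unexpected_access(matrix, entitlements):
    """Endpoints successfully reached by a role the entitlement map does not
    grant; each finding is (endpoint, role, users)."""
    findings = []
    for endpoint, roles in matrix.items():
        allowed = entitlements.get(endpoint, set())
        for role, users in roles.items():
            if role not in allowed:
                findings.append((endpoint, role, users))
    return sorted(findings)


if __name__ == "__main__":
    m = access_matrix(parse_log(SAMPLE_LOG))
    for endpoint, roles in m.items():
        print(endpoint, dict(roles))
    print("unexpected:", unexpected_access(m, ENTITLEMENTS))
```

Note what this view does and does not catch: the role-level comparison surfaces the `user` role successfully deleting an invoice (a vertical escalation), but `alice` reading invoice 200 looks perfectly normal at the role level. Catching that horizontal case requires joining the log against object ownership, which is why the second and third questions above (entitlements and the specific objects accessed) have to be answered alongside the fourth.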

Levo continuously and automatically validates the security posture of your APIs throughout the software development lifecycle, and ensures a robust API Security posture.

Levo Continuously Validates API Security Posture in CI/CD

Levo’s Forever Free API Security Assurance

Sign up for a forever free account, and start building secure and resilient APIs in minutes.

Best,

Harish
