Taking Control of Customer IAM

Harish Nataraj
May 15, 2022 · 3 min read

API Authorization Is Critical for API Security
Customer Identity and Access Management (CIAM) is how modern companies give their end users access to their digital properties, as well as how they govern, collect, analyze, and securely store data for those users.
Modern applications are built using APIs, and API Authorization is a core component of CIAM. This makes API Authorization a critical part of API Security!
Authorization as a Service — A Booming Market Category
Okta, Auth0, and others have built billion-dollar businesses on making API authentication simple and secure for enterprises.
There is a new wave of companies doing the same for API Authorization. Authorization as a Service is a fast-growing market category driven by a slew of OSS and commercial vendors, including Zanzibar, Styra, Oso, Permit.io, and Aserto.
Implementing API Authorization is Hard
Insightful blog posts from Carta and Gusto describe the significant effort involved in implementing and maintaining a robust, secure API authorization solution.
Suboptimal API authorization leads to data breaches through exploits such as horizontal privilege escalation (one user reaching another user's data at the same privilege level) and vertical privilege escalation (a user gaining access reserved for a higher-privileged role).
Visualization of API Access Behavior is Critical
Because API authorization is often retrofitted into existing applications, visualizing authorization behavior is a necessity.
Carta and Gusto describe how visibility of API access patterns was critical in implementing proper access controls.

Testing API Access Controls is Developer Toil
When you have hundreds of APIs spread across dozens of distributed service teams, ensuring that your API permissions are solid is undifferentiated heavy lifting.
API Access Controls — Only Good If They Work

In his insightful paper, Phil Venables (CISO, Google Cloud) talks about the need to validate your access controls continuously.
API access controls are good only if they work correctly. Many data leaks are due to misconfigurations in the access control model for APIs.
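One way to validate access controls the way the paragraph describes is to exercise every user, endpoint and object combination against the authorization decision and compare it with the intended policy. The following is an added example, not Levo's code or any of the vendors' code; the roles, endpoints, invoices and the two policy functions are constructed for illustration.

```python
# Constructed sample data: role entitlements and object ownership.
ROLE_ENTITLEMENTS = {
    "user": {("GET", "/invoices/{id}")},
    "admin": {("GET", "/invoices/{id}"), ("DELETE", "/invoices/{id}")},
}
INVOICE_OWNERS = {"inv-1": "alice", "inv-2": "bob"}
USERS = [("alice", "user"), ("bob", "user"), ("carol", "admin")]
ALL_ENDPOINTS = {e for ents in ROLE_ENTITLEMENTS.values() for e in ents}


def reference_policy(name, role, method, endpoint, invoice_id):
    """Intended policy: the role must be entitled to the endpoint (guards
    vertical escalation) and non-admins may only touch their own invoices
    (guards horizontal escalation)."""
    if (method, endpoint) not in ROLE_ENTITLEMENTS.get(role, set()):
        return False
    return role == "admin" or INVOICE_OWNERS.get(invoice_id) == name


def authenticated_only_policy(name, role, method, endpoint, invoice_id):
    """Common misconfiguration (constructed): any authenticated user with a
    known role may call any existing endpoint on any object. It checks
    neither the role entitlement nor the object owner."""
    return role in ROLE_ENTITLEMENTS and (method, endpoint) in ALL_ENDPOINTS


def find_escalations(decide):
    """Probe `decide` with every (user, endpoint, object) combination and
    return the cases it grants that the reference policy denies, labelled
    'vertical' (role not entitled) or 'horizontal' (entitled, wrong owner)."""
    findings = []
    for name, role in USERS:
        for method, endpoint in sorted(ALL_ENDPOINTS):
            for inv in INVOICE_OWNERS:
                granted = decide(name, role, method, endpoint, inv)
                if granted and not reference_policy(name, role, method, endpoint, inv):
                    entitled = (method, endpoint) in ROLE_ENTITLEMENTS[role]
                    kind = "horizontal" if entitled else "vertical"
                    findings.append((kind, name, method, endpoint, inv))
    return findings


if __name__ == "__main__":
    for finding in find_escalations(authenticated_only_policy):
        print(*finding)
```

Running the same probe against a real service means replacing `decide` with a function that issues the request as each test identity and maps the HTTP status to a grant/deny, which is what makes the check repeatable in CI.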
Take Control of CIAM with Levo’s API Security Assurance
Levo’s Continuous API Security Assurance empowers modern development teams to proactively maintain a robust API security posture.
Levo’s agentless, no-code instrumentation provides API observability throughout the API development lifecycle.
Levo’s API Observability answers the following questions:
- Who are my users?
- What are the role entitlements for these users?
- What specific API endpoints and JSON objects are being accessed via the role entitlements?

Levo continuously and automatically validates the security posture of your APIs throughout the software development lifecycle, ensuring it stays robust.
Levo’s Forever Free API Security Assurance
Sign up for a forever free account, and start building secure and resilient APIs in minutes.
Best,
Harish