
June 13, 2024

Taking Control of Customer IAM

Harish Nataraj

May 15, 2022 · 3 min read

Identity & Access Management is critical for API Security

API Authorization Is Critical for API Security

Customer Identity and Access Management (CIAM) is how modern companies give their end users access to their digital properties, as well as how they govern, collect, analyze, and securely store data for those users.

Modern applications are built using APIs, and API Authorization is a core component of CIAM. This makes API Authorization a critical part of API Security!


Authorization as a Service — A Booming Market Category

Okta, Auth0, and others have built billion-dollar businesses on making API authentication simple and secure for enterprises.

There is a new wave of companies doing the same for API Authorization. Authorization as a Service is a fast-growing market category driven by a slew of OSS and commercial vendors, including Zanzibar, Styra, Oso, Permit.io, Aserto, etc.


Implementing API Authorization is Hard

Insightful blogs from Carta and Gusto describe the significant effort involved in implementing and maintaining a robust, secure API authorization solution.

Suboptimal API authorization results in data breaches through exploits such as horizontal privilege escalation (one user reaching another user's objects) and vertical privilege escalation (a user exercising the entitlements of a higher role).

Visualization of API Access Behavior is Critical

Often API authorization is retrofitted into existing applications, making visualization of authorization behavior a necessity.

Carta and Gusto describe how visibility of API access patterns was critical in implementing proper access controls.


Carta’s API Permissions Visualizer

Gusto’s API Access Audit

Testing API Access Controls is Developer Toil

When you have hundreds of APIs spread across dozens of distributed service teams, ensuring that your API permissions are solid is undifferentiated heavy lifting.

“One question we asked when we tackled each part of the architecture was what could happen if someone forgot about permissions. If your engineering organization is as large as ours, this isn’t just likely to happen, it’s an inevitability.”

Flora Jin, Gusto


API Access Controls — Only Good If They Work

In his insightful paper, Phil Venables (CISO Google Cloud) talks about the need to validate your access controls continuously.

API access controls are good only if they work correctly. Many data leaks are due to misconfigurations in the access control model for APIs.
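As an added illustration (not code from this post or from Levo's product), the sketch below shows the two checks whose absence produces the horizontal and vertical privilege escalation mentioned earlier, plus the "did someone forget permissions" audit that the Gusto quote calls for. The invoice records, roles and route names are constructed for the demo.

```python
from dataclasses import dataclass
from functools import wraps

@dataclass(frozen=True)
class User:
    id: str
    role: str  # "member" or "admin" in this demo

# Constructed sample records (not from the original post): each row has an owner.
INVOICES = {"inv-1": {"owner": "u1", "total": 100}, "inv-2": {"owner": "u2", "total": 250}}

class Forbidden(Exception):
    pass

def authorize(roles=(), owner_of=None):
    """Vertical check: role must be in `roles`. Horizontal check: caller must own
    the record in `owner_of` (admins exempt). Attaches the policy for auditing."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, obj_id):
            if roles and user.role not in roles:
                raise Forbidden("role not entitled to this endpoint")
            if owner_of is not None and user.role != "admin":
                rec = owner_of.get(obj_id)
                if rec is None or rec["owner"] != user.id:
                    raise Forbidden("caller does not own this object")
            return fn(user, obj_id)
        wrapper.policy = {"roles": roles, "owner_check": owner_of is not None}
        return wrapper
    return deco

@authorize(roles=("member", "admin"), owner_of=INVOICES)
def get_invoice(user, obj_id):
    return INVOICES[obj_id]

def delete_invoice(user, obj_id):  # nobody added @authorize here
    return INVOICES.pop(obj_id, None)

# Route table: the "hundreds of APIs" that the audit below walks.
ROUTES = {"GET /invoices/{id}": get_invoice, "DELETE /invoices/{id}": delete_invoice}

def allowed(user, route, obj_id):
    """True if `user` may call `route` on `obj_id`; the building block of an access matrix."""
    try:
        ROUTES[route](user, obj_id)
        return True
    except Forbidden:
        return False

def unprotected_routes():
    """Continuous validation: every route with no authorization policy attached."""
    return sorted(r for r, fn in ROUTES.items() if not hasattr(fn, "policy"))
```

Running `unprotected_routes()` in CI on every build is the cheapest form of the continuous validation the paragraph above asks for: a route that lacks a policy fails the build before it ships.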

Take Control of CIAM with Levo’s API Security Assurance

Levo’s Continuous API Security Assurance empowers modern development teams to proactively maintain a robust API security posture.

Levo’s agent-less/no-code instrumentation provides API observability throughout the API development lifecycle.

Levo’s API Observability answers the following questions:

  • Who are my users?
  • What are the role entitlements for these users?
  • What specific API endpoints and JSON objects are being accessed via the role entitlements?

Which users, under what roles, access which APIs?

Levo continuously and automatically validates the security posture of your APIs throughout the software development lifecycle and ensures a robust API Security posture.

Levo Continuously Validates API Security Posture in CI/CD

Levo’s Forever Free API Security Assurance

Sign up for a forever free account, and start building secure and resilient APIs in minutes.

Best Regards,

Harish
