Beyond the Olympics: Securing APIs in a World of Growing Complexity

Bashar Bashaireh, Managing Director & Head of Middle East and Türkiye at Cloudflare

APIs are the hidden pipes of the internet but often lack proper security. Learn how Cloudflare helps companies discover and secure their APIs for the 2024 Olympics and beyond.

The Paris 2024 Summer Olympic Games get underway on July 26 this year. Securing the IT architecture of the Olympic Games is no easy matter: it is complex, built on a cloud-native approach with several hundred interconnected applications. In terms of volume, billions of data items will transit through the websites and applications, making them all the more exposed to attackers. But what about the applications themselves?

More than half (57%) of Internet traffic is now made up of API requests. These APIs represent an attack surface that many organisations overlook and neglect.

Companies’ first challenge is having a complete and accurate API inventory. Cloudflare has found that its customers lack significant visibility over their public API exposure. Indeed, based on machine learning and heuristics, the integrated discovery tool found that, on average, 30.7% of public APIs were not referenced in organisations’ inventories. Unlike other API reports in the industry, Cloudflare’s is based not on user surveys but on actual traffic data.

Cloudflare’s API Discovery tool combines two approaches: identifying known API tokens, and automatic machine learning analysis of all incoming HTTP traffic, which enables the detection of these missing APIs. This complete visibility is an integral part of the API Gateway product, which also helps to manage and secure Internet access points. These undetected ghost APIs represent a major risk. If APIs are the essential plumbing of the Internet, they can also become a prime target for attackers. They therefore need appropriate protection.

Indeed, if APIs are not documented and inventoried for the attention of security teams, they become ghost APIs: functional in the production environment but unknown to the company. This is where security issues begin to emerge.
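The discovery idea described above (comparing what actually answers HTTP requests against what the organisation has documented) can be illustrated with a small traffic-log analysis. This is an added example, not Cloudflare’s API Discovery code; the log records, the inventory and the "JSON response means API" heuristic are all constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample of access-log records: (method, path, status, response content type).
SAMPLE_REQUESTS = [
    ("GET", "/api/v1/users/42", 200, "application/json"),
    ("GET", "/api/v1/users/77/orders?page=2", 200, "application/json"),
    ("POST", "/api/v1/orders", 201, "application/json"),
    ("GET", "/api/v1/orders/3f2a9c1e-8b4d-4c1a-9f3e-2d6b7a8c9e01", 200, "application/json"),
    ("GET", "/internal/export/users?format=csv", 200, "application/json"),
    ("GET", "/internal/export/users", 200, "application/json"),
    ("DELETE", "/api/v2/accounts/9001", 204, "application/json"),
    ("GET", "/", 200, "text/html"),
    ("GET", "/static/app.js", 200, "application/javascript"),
]

# Constructed inventory: the endpoints the organisation believes it exposes.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("GET", "/api/v1/users/{id}/orders"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Path segments that are numeric ids, UUIDs or long hex tokens are collapsed to {id}.
_ID_SEGMENT = re.compile(
    r"^(?:\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|[0-9a-f]{16,})$",
    re.IGNORECASE,
)

def normalize_path(path: str) -> str:
    """Drop the query string and replace identifier-like segments with {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if _ID_SEGMENT.match(p) else p for p in path.split("/")) or "/"

def looks_like_api(status: int, content_type: str) -> bool:
    """Assumed heuristic: a non-404 JSON response is treated as an API call."""
    return content_type.startswith("application/json") and status != 404

def discover_shadow_apis(requests, documented) -> dict:
    """Return observed (method, normalized path) endpoints missing from the inventory, with hit counts."""
    seen = Counter()
    for method, path, status, ctype in requests:
        if looks_like_api(status, ctype):
            seen[(method.upper(), normalize_path(path))] += 1
    return {endpoint: hits for endpoint, hits in seen.items() if endpoint not in documented}

def undocumented_share(requests, documented) -> float:
    """Fraction of distinct observed API endpoints that are absent from the inventory."""
    observed = {(m.upper(), normalize_path(p)) for m, p, s, c in requests if looks_like_api(s, c)}
    return len(observed - documented) / len(observed) if observed else 0.0
```

On the constructed sample this flags an internal export endpoint and a v2 account-deletion endpoint that the inventory does not list, which is exactly the kind of gap the article says security teams need to close.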

Beyond inventory, securing APIs raises several challenges. Rate limiting, a common practice, is not always the most effective. In addition, APIs remain vulnerable to classic attacks such as SQL injection or DDoS attacks. However, one of the biggest risks comes from authentication and authorisation flaws: many APIs do not properly verify legitimate access to data, making them particularly vulnerable.

To guard against this, Cloudflare recommends four main measures: impose authentication on all public APIs, strictly limit request rates with granular rules, block abnormal volumes of sensitive data, and prevent malicious actors from bypassing the expected sequence of API calls. This amounts to adopting a positive security strategy, which only lets known, compliant traffic through.

A final observation: API traffic now follows the rhythm of human activity – periods of peak sales, major events, or vacations – due to the ever-increasing use of APIs by the general public. There’s no doubt that this will be particularly the case this Olympic year, whether it involves a spectator, tourist, journalist, or professional. The purely machine-to-machine view of APIs is no longer valid.

For optimum security, organisations must take a holistic view of protecting their Internet exposure against all threats, whatever resource is exposed (API, website, user, infrastructure). Preserving visibility and control has never been more difficult. Rather than multiplying independent solutions, each securing one element or one threat, Cloudflare’s connectivity cloud provides a single layer of protection against all threats arising from exposing resources to the Internet. API protection is just one case of exposure in an integrated protection chain. By way of example, Carrefour was able to consolidate six solutions on Cloudflare, optimising costs by 50% and improving incident resolution times by 75%.

2024 will be a special year for the application world: an increase in application complexity, with 73% of application managers saying that security requirements interfered with their productivity and capacity for innovation; amplification of risks linked to the rise of generative AI; growth in fraudulent attacks on API business logic; the need for reinforced governance with the entry into force of the first standards such as PCI DSS on API security. Against this backdrop, and in this Olympic year, combining API protection with protection of all Internet exposures appears to be an essential prerequisite for the applications of companies involved in the Olympic Games, whether in the strict sense as partners or the broader sense, such as players in the transport, tourism or hotel industries.