How to operationalize Zero Trust Security at the API layer
Traceable’s API Security Reference Architecture is aligned with the NIST Zero Trust Architecture, a publicly available, vendor-neutral framework widely adopted by government entities, as well as by many leading cybersecurity vendors.
Download the reference architecture to learn:
Traceable’s ZTAA provides security that continuously adjusts to the organization’s threat landscape. This is achieved through real-time, context-based authentication and authorization for API access, for both users and machines. Traceable can stitch together APIs, as well as the surrounding data and user context, via flexible data collection options. This ensures that adaptive trust is enforced for APIs at the edge, as well as for all internal services and third-party APIs.
The result is the right access for the right users and entities, at the right time, thereby protecting the business and its sensitive customer data.
With Traceable, you can detect and classify the data that APIs are handling, so that the proper policies can be applied. These policies define which users and roles can access different data types, at what times, from what geolocations and from what client types. With dynamic data access policies, you can quickly and easily create policies from out-of-the-box templates or customize policies to fit organizational needs.
For example, data exfiltration policies enable you to control the incoming traffic to an API by automatically limiting the number of requests that the API can receive within a given period of time. After the limit is reached, the policy rejects all further requests, thereby avoiding any additional load on the backend API. Control of access to APIs and sensitive data is therefore proactive and automatic, helping to prevent potential data breaches.
The Data Protection and Data Access views give a single pane of glass for user access to APIs. The identity of the user accessing each API is brought in from user attribution and the authentication flow.
Once that is in place, these views show the users from different domains. This is where you can see the patterns of access from different users, different domains, or different IP or location types, as well as the volumes of data being accessed.
This ultimately helps teams to understand which Zero Trust policies are potentially needed.
After looking at the data access patterns, you can begin implementing Zero Trust policies.
This includes granular user ID-based policy enforcement, with the ability to choose the access levels of specific domains and individual email addresses.
Choose from numerous data sets to apply to data access policies, including GDPR, HIPAA and PCI DSS compliance, as well as AWS Auth, Azure Auth, GCP Auth, and personal information for different geolocations, such as North America and the European Union.
Limit or expand the scope by choosing specific endpoints, or by applying the policy to all endpoints in your environment.