By Bashar Bashaireh, Managing Director & Head of Middle East and Türkiye at Cloudflare
The Paris 2024 Summer Olympic Games gets underway on July 26 this year and securing the IT architecture of the Olympic Games is no easy matter. It is complex, built on a cloud-native approach with several hundred interconnected applications. In terms of volume, billions of items of data will be transiting via the websites and applications. All the more exposed to attackers. But what about applications?
More than half (57%) of Internet traffic is now made up of API requests. These APIs represent an attack surface that is often overlooked and neglected by many organizations.
The first challenge for companies is to have a complete and accurate API inventory. Cloudflare has found that its customers have a significant lack of visibility over their public API exposure. Indeed, based on Machine Learning and heuristics, the integrated discovery tool identified an average of 30.7% of public APIs not referenced by organizations. Unlike other API reports in the industry, Cloudflare’s is not based on user surveys, but on actual traffic data.
Cloudflare’s API Discovery tool combines two approaches: the identification of known API tokens with automatic machine learning analysis of all incoming HTTP traffic, enabling the detection of these missing APIs. This complete visibility is an integral part of the API Gateway product, which also helps to manage and secure Internet access points. These undetected ghost APIs represent a major risk. If APIs are the essential plumbing of the Internet, they can also become a prime target for attackers. They therefore need appropriate protection.
Indeed, if the process of documenting and inventorying APIs for the attention of security teams is not ensured, they become ghost APIs, functional in the production environment, but unbeknownst to the company. This is where security issues begin to emerge.
Beyond inventory, securing APIs raises a number of challenges. Rate limiting, a common practice, is not always the most effective. In addition, APIs remain vulnerable to classic attacks such as SQL injection or DDoS attacks. But one of the biggest risks comes from authentication and authorization flaws: many APIs do not properly verify legitimate access to data, making them particularly vulnerable.
To guard against this, Cloudflare recommends 4 main measures: impose authentication on all public APIs; strictly limit throughput with elaborate rules; block abnormal volumes of sensitive data; prevent malicious actors from ignoring valid API sequences. This amounts to adopting a positive security strategy, which only lets known, compliant traffic through.
A final observation: API traffic now follows the rhythm of human activity – periods of peak sales, major events or vacations – due to the ever-increasing use of APIs by the general public. There’s no doubt that in this Olympic year, this will be particularly the case, whether it involves a spectator, tourist, journalist or professional. The purely machine-to-machine view of APIs is no longer valid.
For optimum security, organizations need to take a holistic view of the protection of their Internet exposure against all threats, whatever the resources exposed (API, website, user, infrastructure). Preserving visibility and control has never been more difficult. Rather than multiplying independent solutions each securing one element or one threat, Cloudflare’s connectivity cloud provides a single protection on all threats linked to the Internet exposure of resources. API protection being just one particular case of exposure dealt with in an integrated chain of protection. By way of example, Carrefour was able to consolidate 6 solutions on Cloudflare, optimizing costs by 50% and improving incident resolution times by 75%.
2024 will be a special year for the application world: an increase in application complexity, with 73% of application managers saying that security requirements interfered with their productivity and capacity for innovation; amplification of risks linked to the rise of generative AI; growth in fraudulent attacks on API business logic; the need for reinforced governance with the entry into force of the first standards such as PCI DSS on API security. Against this backdrop, and in this Olympic year, combining API protection with protection of all Internet exposures appears to be an essential prerequisite for the applications of companies involved in the Olympic Games, whether in the strict sense as partners, or in the broader sense, such as players in the transport, tourism or hotel industries.
