APIs are the backbone of the modern internet. Yet with this interconnectivity comes risk, and organizations of every scale struggle to ringfence their API inventories, securely authenticate access requests, and monitor for unauthorized data access. Host Cameron D’Ambrosi welcomes Traceable Chief Security Officer Richard Bird as they unpack this new threat landscape, how enterprises must adapt, and how Traceable can help.
Cameron D'Ambrosi, Senior Principal at Liminal
Richard Bird, Chief Security Officer
Cameron D’Ambrosi [00:00:00] APIs are the backbone of the modern Internet, offering the agility, flexibility and scalability demanded by companies of all stages. Yet with this nearly unlimited capacity for interconnectivity comes risk, as CISOs struggle to ring-fence their API inventory, securely authenticate access requests and monitor for unusual activity. Stick around as we’re joined by Richard Bird for an exploration of the problem statement and how Traceable can help. Welcome to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Richard Bird, Chief Security Officer at Traceable AI. Richard, welcome to State of Identity.
Richard Bird [00:00:40] Great to be here. Always great to be able to hang out with you.
Cameron D’Ambrosi [00:00:44] Well, thank you so much for joining us. You know, I’ll give you a chance to share a little bit of your background. But, you know, you’re a well-known quantity, if you don’t mind me describing you as such, across the digital identity space, owing to some of your previous experience. And I’m really excited to have you on for this conversation because in many ways, I think your path through the digital identity space has really been an interesting leading indicator of where the space is headed. And I think what Traceable is doing in particular is a harbinger of where a lot of the heat and light across the digital identity space is being generated, specifically around this notion of API security and how cyber threats are really evolving in this new identity-centric landscape overall. So I’ll pause there to give you a chance to maybe just share a little bit about your personal journey through digital identity. And then let’s get into, you know, what you’re building at Traceable.
Richard Bird [00:01:47] Yeah, absolutely. I’m actually looking very, very forward to digging into that point that you made about, you know, maybe being a leading indicator. When I was in the United States Army, they called the first guy that had to stand in the door and jump out of the airplane the wind dummy. Me, I’m sorry. I like to think that I’m the wind dummy for digital identity and cybersecurity because I’m too dumb to stay away from jumping out first. In fact, somebody reminded me the other day that I did an Active Directory migration, a Novell Directory to Microsoft Active Directory program, when I was a tech project manager, like somewhere like ’99, ’98. So even in my early days when I wasn’t in identity, it seemed like I was in identity. But I spent 20-some-odd years in the corporate world, came through two tracks: IT operations in banking, so middle office, back office technologies, then made a shift into the early beginnings of centralized information security in banking when those services were being consolidated and brought out of kind of standalone, siloed Active Directory, you know, server environments and those types of things. And then that kind of morphed into once again being the only guy not smart enough to say, no, I don’t want identity. I kept taking on bigger and bigger identity projects, and that ultimately led to the role that I’m most known for in the market on the corporate side, which was being the global head of identity for JPMorgan Chase’s consumer businesses before I went and became a CEO. And then after 20-some-odd years of doing that, I decided that I was really tired of trying to fix the problem.
One at a time, one company at a time, one department, one organization, one function at a time. And I made a decision to make a transition, which is not common for someone with this many years in corporate, into the solution side. I joined Ping Identity, had a great time working with Ping Identity and the founder and the chief operating officer over the course of a couple of years. And then, you know, you get anxious to go try and solve other problems. So, you know, I kept an eye on what was going on, and API security was very early days, you know, four or five years ago. But then as I kept watching and kept interacting with companies in the space, I realized that there are massive changes coming, that we’ll talk about, obviously, in the course of the conversation, that have huge implications not just for cybersecurity but specifically for identity. And I saw an opportunity to, you know, be ahead of that curve with an incredible pair of founders at Traceable and see if we can, let’s say, solve problems before they actually manifest as catastrophes. So here’s hoping that we’re able to move fast enough.
Cameron D’Ambrosi [00:04:51] I love that. So, you know, jumping into Traceable. And maybe I can take a stab at setting the stage here. But it really seems like the API security world is kind of facing some of the fundamental shifts that we’re seeing in terms of the consumer side of identity and the transition to passwordless. Right. Whether it’s APIs that have no security on them at all or APIs that are relying on, you know, a rudimentary security key, which is basically the equivalent of username and password. It seems like there has been an increasing drumbeat of API-related data breaches from some of the world’s largest organizations. You know, T-Mobile most recently. Shout out to T-Mobile. I believe that’s the eighth time I’ve been breached as a customer. And, you know, shame on me, I suppose, for sticking around and not leaving. But, you know, why are we seeing such intense scrutiny on APIs? Is it just a matter of the fact that we’ve seen the IT threat landscape evolve to the point where this is now the low-tide point and that’s where threat actors are finding the vulnerabilities?
Richard Bird [00:06:07] Well, in order to answer that question, we need to unpack a few things. And those three things are really tied to technology, evolution and history. And this really gets missed in the conversation about APIs and API security. And by that I mean, you know, we’ve seen this continuous tension for more than two decades now across security architectures that are still rooted and founded in a diagram that was printed in 1983, the OSI seven-layer model. And the OSI seven-layer model, whether people want to admit it or not, is still the predominant form of security architecture globally, through every company, through every organization. And it has, you know, obviously evolved from a framework standpoint into defense in depth, secure from the start, zero trust. But ultimately, you know, all of those security frameworks were born in the data center. Now, we don’t talk about that very much. We don’t talk about the reality that all of these security frameworks that we’re aligned to, and then ultimately the point solutions that kind of get assembled to create Band-Aids over, you know, issues that arise. You mentioned passwords. This was a great example of a Band-Aid, right? We still are rooted in accounts and passwords. We still are leveraging authentication factors. These are models and methods that have existed for decades. We haven’t really changed how we do anything. We’re just applying the next layer of duct tape to try and address these issues. And in the meantime, you know, where these security frameworks were born and bred is the data center. We have evolved substantially into the non-data-center world, right? Or at least AWS has, and Google’s and Microsoft’s data centers and not ours. That relates to the cloud. And this has been a successive iteration of virtualization.
So the reason why I had to unpack all that to, you know, address why API security is now this massive exploit surface or attack surface is because if we look over the last 30 or 40 years of technology development, the weakest link in security has always been the application layer. I will get into the old-school machine here for folks that have been around a long time. If you are like me, you finished RBAC in your environment, you know, 12, 15 years ago, and you immediately were like, we’re going to go to fine-grained access control. And fine-grained access control depends upon the authorization layer and the ability to manipulate access within the application itself. And we went to application developers over and over again and said, we need you to build this fine-grained matrix. And the application developers would say, you either have access to my application or you don’t. There is no fine-grained, and I am not stopping my development to put in all of this rich capability for access control to make your life easier, because I’ve got business obligations to meet. Take all of that that I’ve just shared and roll that into the reality that what we see in the API world today is the penultimate, if not ultimate, manifestation of virtualization, which is that the transaction layer is now the application layer. The transaction layer is now that OSI layer seven, the outer ring, right? None of the defenses, none of the infrastructure, none of the supporting security frameworks were ever conditioned to address this application layer. So we have created a situation where we have, you know, put a nuclear engine into the capability for people to transact, extract business value, all the good stuff that comes from the application and data layer. And we did it in a neighborhood that has been historically horrible at security.
And now, once again, ten years post the rise of the API economy, we’re once again trying to bolt that security onto, you know, ten years’ worth of transaction layer, layer seven development. We are way, way, way behind. And now we see the possibility to take down companies just by taking down their digital interaction channels through DDoS-type attacks using APIs. Or to steal 70, 40, 80 million accounts. Medibank, T-Mobile, Optus, like the list is accelerating. I am seeing massive breaches happen more frequently and at a speed that I have never seen in my working career of nearly 35 years. And yet I spend a lot of time talking with people that believe that API security is not a problem. So a very lengthy way to get there. But you have to set that table, because if we don’t appreciate the fact that APIs are really the next tier of virtualization that is unleashing both the power and the catastrophic consequences of the application layer, then we really can’t understand what API security does. And for the first time, we are faced with a situation where we have to acknowledge that patterns and solutions of the past are not going to fix the problems of the future in this API space.
Cameron D’Ambrosi [00:12:07] That was spectacular. Thank you. I mean, certainly your depth of knowledge is more advanced than mine in terms of understanding, you know, the why. I guess transitioning a bit more practically into the how, is it safe to say, you know, let me try and sum up, I think, the value proposition that Traceable is giving, and then maybe you can correct me and add some more context. But at its simplest level, my layman’s understanding is the platform can help you understand, you know, API sprawl, for lack of a better word: inventory and identify all the APIs that you know about, maybe some that you don’t know about, that you felt were deprecated or orphaned, that are still active and could be a threat vector. And then beyond that, help secure those with, you know, zero trust. So moving beyond kind of traditional API keys, which I think are an inherent vulnerability based on all the reasons why passwords are bad, a well-trodden landscape that I think our audience should be well familiar with at this point. And then finally, you know, ongoing and active monitoring such that, to go Law & Order and rip an example from the headlines, T-Mobile probably should have realized that whatever API was being used to siphon off millions of customer records was seeing a very high volume that would register as an anomaly. And if they had a platform like this, hopefully it wouldn’t have been exposed and vulnerable in the first place. But even if it were, someone would notice right quick that all of a sudden, you know, gigabytes of data are flowing out of this API and we should cut that off immediately.
Richard Bird [00:13:52] Yeah. Yeah. You know, the API security space is intellectually challenging. Fascinating. I keep, you know, I love the fact that I’m learning every day. I’m also terrified about what I’m learning every day. So when we look at these patterns, first of all, these patterns are not unfamiliar to us, right? If we think back to the original days of the data center, initially we had routers, right? And those routers were just simply directing traffic. And then we realized that there was such a thing as bad traffic and good traffic, and then arose firewalls. Right. And then firewalls got cumbersome as we put in thousands upon thousands of rules. Like, again, I’m old enough to remember the days when you’d walk in to do a security assessment or an audit and ask the folks that were running the firewalls, how many firewall rules do you have? And they’d go, we have no idea. Well, how many of them are old? How many of them are obsolete? How many of them need to be deleted? These were questions that rose up in our own understanding about these weaknesses and risks that we weren’t managing, monitoring, securing, all those good things. Right. And so, you know, entire industries arose to address those problems. The application layer is the first place where all of the characteristics of all of the separate disciplines in all of the security control domains now manifest in one place. Right. You know, I mentioned this idea of a DDoS attack going after an application. Those attacks used to go against networks. Right. You were trying to bring down the entire network of an organization, thereby, like, encasing it in its own security measures, where it sealed itself up and made it impossible for that company to do business.
If somebody would have said, you know, a decade ago, that’s going to move to the application layer, everyone would have looked at you like you were crazy. Right. But here we are. This is the place that we’re in, right? A publicly exposed API endpoint, like you mentioned, for T-Mobile or Optus or any of the others. You should be able to clearly see rises in volumetric traffic and abuses of those APIs. But you can’t if you haven’t designed your systems and your security and your architectures to do so. Right. So with API security, the thing that’s interesting here is that I constantly have conversations with people who say, I don’t have an API security problem because I have a WAF and I have a gateway, or you’re using an Apigee, and you’re using a, you know, MuleSoft or whatever. Those gateways serve a purpose, and that purpose is a router. They move traffic, they move APIs, they’re able to control kind of the blocking and allowing level, just like firewalls were. They’re not intelligent relative to the crafting of low-and-slow threats, the changes of APIs over time for nefarious purposes, the ability for APIs to be capitalized on in ways that are allowing, you know, some of the things that just came up about Toyota and Mercedes and BMW, allowing people to use APIs that were built to facilitate communications inside of a vehicle to get back to core assets within those companies. These are scenarios that none of us either (a) ever thought of or (b) thought were possible. Now, when we think about the application of technologies from an API security standpoint like Traceable, we have to have full visibility, which means discovery and cataloging of every known API.
We have to be able to do that across every type of deployment model, whether that be multi-cloud or on premises, where there are still hosted systems out there; there are still, you know, third-party solutions where critical solutions or products are being serviced and are driven by those third parties, who are also using APIs. So the propagation of APIs without the security guardrails means that you have to be able to see what your risks are. You have to be able to define what those risks are at the core code level for APIs, which is great, because APIs are always actually designed for a specific purpose. And once they start doing something that they weren’t designed for, that’s when you know that you have a problem. So that is one characteristic. It gives us a fighting chance. But when we think about the volumes, when we think about companies that are actually transacting using billions of API calls in a month, right, or tens of thousands of APIs across their entire digital estate, the scale of this is what is really, really challenging. How do you get your arms around all of that? Cataloging, inventory, analytics. And this is where there’s that bit of a shift. We’re really taking the lessons learned in application analytics and threat analytics these days and using that to be able to divine, again, what the function of these APIs is supposed to be and what it is that they’re doing, and then also being able to trace those activities, both good and bad, back to source, through the transaction all the way to the endpoint. It’s, you know, a nascent industry, but it’s built on the foundations of a lot of key components of security controls. Three of the top ten API security weaknesses happen to sound very, very familiar to people in identity: authorization, authentication and broken object level authorization, which, BOLA, was always kind of fascinating to me, because BOLA basically is the return of fine-grained IBAC.
It is the capitalization on the business logic at the authorization level that is allowing bad things to happen. So, you know, hopefully it’s a nice segue into how identity relates to API security. It’s at least 30% of API security from a risk and threat standpoint. But for folks in the identity trades, this is new information and new knowledge for them, because they’re so used to working with workforce and customer access management spaces that this whole world of everything connected to everything through an identity layer is a big leap for a lot of people in the identity space.
Cameron D’Ambrosi [00:20:41] Yeah. So, I mean, that’s an excellent segue to your point around, you know, this intersectionality of the identity space and the fact that in some ways identity, you know, is the new endpoint, right? Like, as we think about how cyber has evolved, you cannot assume that you can successfully ring-fence, you know, based on static rules. Right. Deployment of a WAF or other kind of rules-based things, because whether it’s BYOD or all these other secular trends, the sprawl is unmeasurable in many ways. So you need to get down to the identity layer. It’s not about, okay, do I recognize this device? It’s about, okay, well, who are you and what permissions should you have? So, you know, how do you see that trend impacting the API security space? And what is that intersectionality, especially as we think about moving beyond the API key kind of into a zero trust model for security?
Richard Bird [00:21:40] Yeah. You know, it’s interesting. The way that you ask that question is what really interests me, because it makes me want to ask the question, from a design standpoint, did we always just miss the point that the human factor is the actual endpoint? Because it is, right? Everything that goes on within the digital world, you know, is happening in a way that there’s a terminus point, either a receiver of value or a customer or a human being. And yet we’ve invalidated identity and its role in security for years and years and years, because we said things like data protection and perimeter protection and all that were more important than the human factor. Now, the reason why I opine on that for just a second is because the other way that you ask that question, things like BYOD, the power of a supercomputer in your hand with just a simple iPhone or Android, all of the different things that have been designed and built on the consumer side for one very specific purpose: make it easier, make it faster. All right. Which means that the security invocation has to happen in a place that is so near and dear to my old heart from an operations standpoint, which is the other key security principle that nobody paid attention to until we reached this point in technology history, which is everything’s a transaction. Everything, right? The call for data is being done for a purpose, to execute a transaction. So now when we think about this application of a zero trust overlay, we can start to think about ways where we can be successful in security by understanding that we have to apply, you know, high-quality identity controls at the per-transaction level, which means that if it’s easier for your customers to continuously have persistent access, you know, log in once and it’s still in your browser for 30 days, it means that you’re going to get hacked. Right.
APIs are the thing that make the magic happen, particularly in this space, when it comes to being able to take advantage of, breaching or attacking, this practice of persistent trust. Because I’m a consumer or I’m an employee. Who else would it be? I don’t want to make it difficult. Which means that now we have to begin to inquire about the purpose of every packet, as John Kindervag likes to say, the purpose of every packet within every transaction as it relates to every actor or entity within the web space. And that might sound a little intimidating, but the reality is that we’re already at a place in time where compute is available to do that. We can do that, right? And API security has the capability, Traceable has the capability, to interrogate every single API call being executed on a transactional basis across the web to get access to resources and assets, in a way that actually allows us to be able to pinpoint when somebody is accessing an asset, a resource, that they shouldn’t be. That, really, at the heart of it, is what zero trust is, right. And so I do think that API security, this layer seven, even though there’s been an absence of thinking and strategizing around zero trust at this new virtualized tier, the application layer, I do think that API security stands a substantial fighting chance in delivering zero trust results from a security standpoint in a tier where it absolutely matters the most. Right. And so, you know, again, everything’s going so fast, and like, I’m going to tell you, like six months ago when I walked into Traceable, if you would have told me that the world would have accelerated so quickly down the rabbit hole of bad things as it relates to API attacks and exploits, I would have probably just been stunned and said, no, there’s no way.
But this curve is rapidly escalating, and there is a bit of a fear that I have that I’ll share with you, which is, you know, if we kind of looked at 2020 or 2021, maybe you went to RSA, and at RSA every banner said zero trust, right? 2022, every banner said PASSWORDLESS. Even companies that weren’t, you know, in the business of any kind of identity, they were passwordless, right? I worry that 2023 or 2024 will be the year of API security, and we’re already seeing some bubbling up of that, which is, you know, everybody wants to be in the API security business. Now, that’s driven by catastrophic events. That’s not driven by actual, you know, need, demands, issues, concerns by the buyer in the equation. That’s being driven by FUD, and it’s being driven by, you know, kind of these banner news headlines. And I think it’s fair to say, and you know, Cam, I know you have way more experience in this than I do, I think it’s fair to say that this game of buzzword bingo doesn’t do a lot to actually move the needle on good cybersecurity outcomes. It may move the needle on generating a whole lot of revenue dollars. But, you know, standing around and talking about zero trust when, you know, new reports are clearly showing that 10% of companies have a plan for it and 90% still don’t know what to do, or standing around talking about defense in depth, and then a company gets popped, you know, using a VPN hack, which clearly shows that their defense in depth was horrible, right? That they talked about it, but they actually didn’t implement it. This whole kind of buzzword hype cycle space creates this energy where everybody talks about it, but nobody does anything about it. And talking about it and doing it are two different things. And I think that there’s not a margin of tolerance in APIs for people to get away with that.
I think that what we’re seeing in the last several months is clearly showing that the catastrophic consequences of delaying any kind of movement on this are going to result in a tremendous amount of pain in the market. Just real quick, I’m seeing news stories about Medibank down in Australia. There’s a suggestion the government is going to demand that they pay every victim 20,000, U.S. dollars or Australian dollars rather, $20,000 across several tens of thousands of people. The economic consequences of this are going to be substantial universally. And, you know, it’s just one of those classic times where you can get on it before it becomes a real problem, where you can do something about it now and get ahead of it.
Cameron D’Ambrosi [00:29:21] I love that. So we’re coming up on time here, but there were a couple of things I wanted to hit on. You talked about some of those buzzwords that we’ve seen in 2021 and then 2022. If you had to pick your best guess for what we’re going to see as the emergent buzzword of 2023 beyond API security as a whole, you know, where would you put your chips on the table?
Richard Bird [00:29:44] You know, I think I’m already seeing it, this panic, we should all be panicked about quantum cracking. You know, this notion of quantum encryption, you know, when you look at where quantum is really at. The problem that I have with it becoming so buzzworthy lately is that quantum, in its current state, and probably for the next decade, it’s not transactional, right? People that are worried about quantum encryption busting to Hefei are the same people that haven’t cleaned up their Active Directory for 20 years. The hyperfocus on quantum encryption, or quantum encryption cracking, is taking people’s attention away from good basic cybersecurity principles, taking people’s attention away from what’s really the threat in the marketplace. And it’s not the people on the bad side of the equation, which is typically nation states with the kind of resources to be developing these massive quantum programs; commercialization of quantum, you know, encryption cracking is decades away. And by then, you know, there’s the possibility, something that people don’t pay attention to: in 2015, Professor Kuznets in the Nordics had raised an interesting question about dynamic encryption. Right. And in doing so, what he was saying, and this sounds very similar to what we’ve just been talking about, was that the old data center models and paradigms for, you know, AES and other forms of encryption are still dependent upon key exchanges and key management and all of that. What he was saying with dynamic encryption is that that’s going to go away and it’s going to become something different. And while quantum can, you know, certainly crack the keys that we currently have today, that is no guarantee that those are going to be the keys or the methods that we’re going to have a decade from now. So I think that quantum in particular is one of those things that I see as an unnecessary distraction.
It’s fun to talk about it theoretically, but operationally it has absolutely no value, yet it seems to be taking over more and more conversations for companies, you know, over and over again. I do think, back to kind of the root of the question, in 2023 and 2024 you’re going to see a lot of players that are going to suggest that they are in API security, and those players are going to be very familiar. You’re going to see the Ciscos of the world, the Palo Altos of the world, the F5s, the CrowdStrikes of the world. Why I shade those names specifically is they all represent different pieces of that old security framework and structure that we were talking about earlier, which is: I focus on the endpoint, I focus on DLP, I focus on data protection, I focus on network traffic. Right. And I’ll go back to what I said originally about API security, which is that the application layer, from a virtualization standpoint, is the first place where all of those security controls and the threats that are associated with them can manifest and focus on one layer, which is the application layer. So I doubt, just like with some of the other buzzwords that we talked about, that a lot of these players will have holistic answers for API security in the future. I think that the reality is that the holistic viewpoint on API security is going to come from API security players like Traceable.
Cameron D’Ambrosi [00:33:35] I love it. Well, Richard, thank you so much for joining us. To bring us on home, shameless plug: if folks listening are interested in getting in touch with you, learning more about Traceable, what’s the best place for them to do those things?
Richard Bird [00:33:50] Absolutely. I really recommend people take a run at traceable.ai. Certainly go to the website; there’s a tremendous amount of collateral material and information there. White papers, broadcasts, podcasts, webinars, kind of the whole nine. I’m certainly up for a conversation for folks that are in the beginning stages of their strategic thinking about how they’re going to attack the API security problem within their organizations, agencies, governments. My job is to be a resource to the market. So, hashtag the guy with the bow tie, Richard Bird on LinkedIn. Send me an email directly, richard at traceable.ai, or RB at Richard Broadcom. You can’t turn over a rock and not find me somewhere. And I look forward to being able to help people, because I do think that, you know, right now what people are hungry for is help, but not help in the form of sell me another solution; help in terms of help me figure out how to dimension the problem that I’m facing and how to begin to structure a program or a strategy or approach to start to resolve or remediate those issues.
Cameron D’Ambrosi [00:34:58] I love it. Well, I trust our audience to act appropriately with Richard’s email address. So if I hear from him that anyone is acting in a rude way over email, you’ll hear sternly from me. But, Richard, thank you so much for your time. Hopefully this discussion was illuminating for some folks, and I’m looking forward to checking in with you sometime soon to see how some of these predictions pan out.
Richard Bird [00:35:25] Absolutely. I look forward to it as well.