January 2021 saw the Monetary Authority of Singapore (MAS) make specific reference to security around API as part of the latest Technology Risk Management Guidelines (the TRM 2021). This release reflects the fact that the MAS, while serving as the country’s central bank and financial regulator, also has a mandate to work with the financial industry to ensure that the financial sector is maintaining high standards of security as it embraces the latest technology trends.
MAS has specifically emphasized security around APIs, no doubt due to the rapid increase in their adoption — especially third-party APIs — among many Financial Institutions in Singapore.
APIs: the de-facto building blocks of innovation
The Singapore government has encouraged the digitalization of businesses for several years, and this has been acclerated by the Covid-19 pandemic. There is a strong push for Financial Institutions to shift away from traditional offerings that rely on in-person service delivery.
Indeed, a Postman survey found that 84.5% of oragnisations believe that Application Programming Interfaces (APIs) are required for business transformation.[1] It’s not hard to see why: countless organisations already rely heavily on APIs as a low-cost, fast and efficient way to adapt to changes in user demand and requirements.
APIs provide organisations the technical capability to seamlessly partner and share resources with each other, taking advantage of a common pool of resources. Among their many benefits, APIs help businesses increase client reach and market share. Thus, APIs have become the building blocks that allow organisations to innovate and remain competitive — even in a pandemic.
Given projections for the continued adoption of APIs, and their importance in helping financial institutions stay competitive and relevant, it is no surprise that MAS has introduced new advice on securing APIs in the TRM 2021 to ensure that financial institutions, being part of the country’s critical infrastructure, are secured from threats, and consumers are protected. [2]
The challenge of monitoring APIs and detecting suspicious activity
In the TRM 2021, MAS has specifically called out the need for detective measures for API security. This includes real-time monitoring of API traffic, and an alert capability when suspicious activities are detected. The technology should also provide visibility and insight into the usage and performance of APIs within the financial institution.
Some of the larger financial institutions that the MAS regulates already use APIs, often to handle information that is of high value and interest to attackers and criminals. Yet a major challenge that many enterprises face is the sheer volume and frequency of API calls, which make manual monitoring of API traffic a struggle even with a decent team of fraud or threat analysts. Consequently, organisations lack visibility into their APIs and traffic, which implies a lack understanding of the API attack surface.
Existing monitoring and security solutions have not kept up with the proliferation of API traffic: they are incapable of defending against sophisticated attackers, who increasingly use APIs as an attack vector in their multi-step kill chain. Many organisations, financial institutions included, rely predominantly on perimeter defences such as web-application firewalls (WAFs), API gateways and Content Delivery Networks (CDNs) to defend against known attacks and DDoS, and to block unauthenticated and unauthorized access.[3] Yet these solutions, while able to protect against a majority of attackers, will not deter a sophisticated attacker deploying novel methods that leverage resources gathered through the dark web. Financial institutions such as banks are the most prominent target for these attackers, as they own critical information infrastructure and hold sensitive data relating to financial assets.
Thus it is no surprise that within the latest TRM guidelines, MAS has called for real-time monitoring of API calls for suspicious activity, in addition to other application security recommendations.
Defence-in-Depth for APIs
The criticality of APIs to financial institutions with online services is indisputable and a Defence-in-Depth approach for API security is essential to secure and reduce the risk of a breach. A Defence-in-Depth cybersecurity strategy calls for multiple layers of defence to delay attackers and avoid a single point of failure. By using multiple layers of API security through a mix of techniques and solutions, including, but not limited to: secure API coding; API gateways; security assessments; and finally real-time security monitoring to predict, prevent, detect attacks, the organisation has a better chance of containing an API attack.
MAS recognises and anticipates the need for organisations to focus on and dedicate resources to API security. The new API security guidelines are a great step in helping financial institutions in the region boost their existing API security controls and ensure that APIs, as part of critical technological assets, do not become a source of great pain.
[1] https://www.postman.com/download-state-of-api/ [2] https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf [3] https://www.aiculus.co/post/rethinking-privacy-in-tech-products
