# Google: With Cloud Comes APIs & Security Headaches
Source URL:     https://www.darkreading.com/cloud/google-cloud-apis-security-headaches
Date:           20221223T1512

Web application programming interfaces (APIs) are the glue that holds
together cloud applications and infrastructure, but these endpoints are
increasingly under attack, with half of companies acknowledging an API-
related security incident in the past 12 months.

According to a survey conducted by Google Cloud, the most troublesome
security problems affecting companies' use of APIs are security
misconfigurations, outdated APIs and components, and spam or abuse bots
— with 40% of companies suffering an incident due to misconfiguration
and a third coping with the latter two issues.

Two-thirds of companies (67%) found API-related security issues and
vulnerabilities during the testing phase, but most companies — greater
than 60% — discovered issues during the software development process,
during application deployment, and by using real-time monitoring,
according to the survey of more than 500 technology leaders.

Despite these issues, more than three-quarters (77%) have confidence
that they will catch issues, saying they have the required API tools and
solutions, says Vikas Anand, head of product for business application
platforms at Google Cloud.

"There's a perception of confidence with existing tooling that isn’t
matched by evidence," Anand says. "The landscape for security has
changed — with the dramatic growth in API volume, APIs are the new
battleground for application security."

The interest in Web APIs comes as companies have accelerated their
digital transformations over the past two years following the business
disruptions caused by the coronavirus pandemic. Nearly all (93%) of
companies surveyed by Google in a second study of 770 technology leaders
characterized their operations as based on "mostly cloud," up from 83%
two years ago.

In contrast, business decision-makers characterizing their operations as
"mostly on-premises" dropped by half to 7%, from 16%, in the same time
period.

![google API priorities for security][1] Source: Google Cloud

By [one estimate][2], API-related security incidents caused $12 billion
to $23 billion in losses since 2020. And the attack surface is getting
bigger: The average large company has [three times the number of APIs
— 15,600][3] — as a year ago.

## APIs: Key to Cloud Transformation

While 46% of organizations surveyed reserved their use of APIs to only
within their own organization, more than half (54%) allow partners,
customers, and other external developer use the APIs as a way to spur
third-party development, Google found.

"APIs are critical to application modernization and digital
transformation because, along with microservices, they enable rapid
delivery of new experiences to customers, while cutting the cost of
development and maintenance," Google Cloud stated in its _"_[The Digital
Crunch Time: 2022 State of APIs and Applications][4]" report.

Because APIs are critical to their digital transformation, companies
have wisely prioritized API security investments, with 60% aiming to
improve their ability to proactively identify security threats, and 57%
adopting more security automation and orchestration, according to Google
Cloud's second report, "[API Security: Latest Insights & Key
Trends][5]."

About half of companies also intend to expand their real-time monitoring
of API servers and using artificial intelligence and machine learning
(AI/ML) systems to better discover flaws and detect attacks.

"As organizations move from being reactionary to proactively addressing
these threats, we’ll see AI/ML models become more widely adopted
within security tooling," Anand says. "ML-based rules are the natural
evolution of this — not just automating, but continuously learning
from those experiences."

## API Maturity Brings Cloud Success

Unsurprisingly, companies that have had more experience with APIs have
also found more success with their transition to more cloud-native
operations.

About a third of companies (34%) classified themselves as having a
mature approach to APIs, pushing an API-first strategy across the
organizations and using an API management platform. Those companies also
had more success increasing efficiency, better collaboration, and
improved agility, compared with organizations with lower API maturity.

Google Cloud defined low-maturity organizations as those with siloed
APIs, no centralized management of APIs, and perhaps an API gateway for
security.

"Our study shows that mature API organizations are considerably ahead in
their digital transformation efforts compared to low-maturity API
organizations," according to the vendor. "Technology leaders already
understand the value that APIs bring."

For companies moving to API-based application infrastructure, API
security is considered the most significant component of an API program,
with 66% of companies considering it important, according to Google's
report. Other top concerns included API performance analytics and API
governance.

"API security ultimately needs to be part of the overall end-to-end
security strategy," Anand says. "Seamless integrations between all
security products make enhancing the overall security value from your
portfolio easier."

  [1]: https://eu-images.contentstack.com/v3/assets/blt66983808af36a8ef/blt21718244d86402e4/63a4e3a0877c0f16af363bdb/google-cloud-API-security.jpg?width=690&quality=80&format=webply&disable=upscale
  [2]: https://www.darkreading.com/application-security/api-security-losses-billions-complicated
  [3]: https://www.darkreading.com/application-security/api-attacks-soar-amid-the-growing-application-surface-area
  [4]: https://cloud.google.com/resources/state-of-apis-and-applications-report
  [5]: https://cloud.google.com/resources/api-security-research-report

You are viewing proxied material from tilde.team. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.