WHITE PAPER
API Security and Compliance
Implicit and explicit requirements for data protection
In this report
• Introduction (page 3)
• Understanding API risks (page 4)
• Six examples of regulations and frameworks entailing API security (page 6)
• Meet compliance challenges with best-practices API protection (page 12)
• How Akamai API Security can streamline API compliance complexities (page 14)
akamai.com | 2
Introduction
Demonstrating compliance with data protection regulations has traditionally meant expending
large amounts of energy and resources to keep up with mostly familiar risks. But that’s
changing. Today’s attack surface is evolving fast to include threats that most enterprise
compliance programs aren’t fully accounting for. That’s partly because the regulatory
bodies themselves can’t always keep pace and be explicit about every facet of coverage
needed to prevent breaches.
This is the case with API protection. Every time a customer, partner, or vendor engages with
your business digitally, there’s an API behind the scenes facilitating a rapid exchange of
information that often includes sensitive data. Attackers now know that they can simplify
their strategy to steal that data by directly targeting APIs.
You may have already seen new language in regulations indicating the need to inventory,
assess, or secure APIs. But even when specific language about APIs isn’t included, the fact
that they have become a clear attack vector implies that their adequate protection is required.
The emergence of APIs as a major compliance issue is not surprising. Exposed or misconfigured
APIs are prevalent, easy to compromise, and often unprotected. And just one breached API
can result in millions of records being stolen. The numbers speak for themselves:
• Seventy-eight percent of organizations have experienced an API security incident.[1]
• Forty-four percent have been fined by regulators for API security incidents.[2]
How does this affect your compliance program? Regulators need to see that your organization
is taking measures to protect all access points to sensitive data. This means you need to
demonstrate your organization can:
• Account for every API, including elusive shadow APIs
• Uncover and fix any API vulnerabilities
• Apply controls tailor-made to prevent API-centric data breaches
This white paper explores the nature of growing API risks, highlights six examples of regulations
and frameworks that require API protections (either explicitly or implicitly), and offers advice
on how to meet compliance requirements through API security best practices.
[1], [2] Akamai Technologies, “The API Security Disconnect,” 2023
Understanding API risks
APIs live at the core of your enterprise’s digital products, services, and cloud environments.
Their constant access to data makes them both a revenue driver and an operational risk.
The trouble is, most enterprises — even those with mature security programs — are not
prioritizing API-related threats to the degree they focus on other threats, such as phishing
or ransomware.
Some organizations rely on API gateways and web application firewalls (WAFs) for baseline
API protection, but these tools aren’t designed to provide the degree of visibility, real-time
protection, and continuous testing that specialized API security solutions can provide. Here’s
why these tools aren’t enough:
• API gateways and WAFs can only observe managed API traffic that is routed
through them.
• They can’t protect unmanaged APIs, which analysts predict will make up nearly
half of a typical enterprise’s API ecosystem by 2025.
• As a result, security teams are not fully prepared to protect the fastest-expanding
portion of their attack surface, knowing little about where APIs are routed, how they’re
configured, what kinds of sensitive data they exchange, and the risks they pose.
Protecting user information is a priority for regulators, and they levy severe fines for companies
that fail to reasonably secure their customers’ data from unauthorized access. Considering
that only 4 in 10 security professionals with full API inventories know which of their APIs
return sensitive data[3] and that many API calls come from attackers testing for vulnerabilities,
data breaches via APIs will only increase — especially because API attacks are currently
quite easy to conduct.
[3] Akamai Technologies, “The API Security Disconnect,” 2023