Why APIs Need Better Identity and Access Management

Posted in Security by Art Anthony, December 11, 2024

We've all been there: clicking around a website or app when suddenly we stumble across a screen full of data that makes us think, "I don't think I'm supposed to be able to see this." In most cases, we simply close the window and return to what we were doing. If we're feeling charitable, we might fire off an email or submit a support ticket describing the problem so the company in question can take appropriate action.

But what if that company is our own? If it's an internal product, we may be able to roll up our sleeves and fix the problem ourselves. In cases like these, time is of the essence, because bad actors are increasingly looking to exploit exactly this kind of vulnerability: a missing or broken access-control check that lets a user see or act on data they were never meant to reach.

According to a 2024 CrowdStrike report, identity-based techniques are involved in 80% of cyberattacks. Elsewhere, Verizon has highlighted that more than one-third of data breaches involved internal actors, and that 73% of those breaches were due to "miscellaneous errors."

Below, we'll look at why proper identity and access management is so crucial in the API space, at some of the consequences of poor identity control and authorization, and at how to mitigate those risks going forward.

The Rise and Rise of Identity and Access Management

Let's start with a simple but important question: what is identity and access management (IAM)? IAM, occasionally just called identity management or IdM, refers to the framework of technologies and policies an organization uses to ensure that users can access the data appropriate to them when they need it. In practice, that means creating and maintaining digital identities for different users and granting each of them the correct level of access. With the rise of remote work, accelerated by the coronavirus pandemic, identity and access management is more important than ever.
Of course, enabling employees and other stakeholders to access the information they need from outside the office without compromising security or compliance presents a whole new set of problems. BYOD policies and remote access needs have expanded the attack surface, and they have made it harder to monitor and audit where data is stored and how credentials are managed. As a result of that increased complexity, some organizations are falling behind on their IAM policies. Research by SailPoint indicates that as many as 70% of employees may obtain inappropriate access to sensitive data, in some cases even after leaving the organization.

What Are the Risks of Getting IAM Wrong?

The consequences of failing to invest adequately in IAM are severe: unauthorized access to sensitive data (leading to breaches), service disruption (legitimate users locked out), non-compliance penalties, and the loss of customer trust that follows. All of those risks are compounded in the API space, where Curity (disclosure: they're longtime supporters of the Nordic APIs community) suggests that as many as 1 in 5 APIs may be unsecured. "Without a connection between IAM and APIs," their website states, "your APIs cannot make correct access decisions."

In 2024, a typical enterprise backend is complex and relies on multiple APIs. That's particularly true in industries like banking, fintech, insurance, and healthcare. Those APIs may each use a different method of access control, often without robust identity management or a consistent authorization process behind them, and the organization may run a separate identity server alongside its API gateways or API management tools. All of this is to say that IAM within organizations is often, at best, inconsistent and, at worst, a significant compliance and security risk.
One solution is a common identity platform built on the OAuth 2.0 and OpenID Connect standards, which can provide a flexible, scalable, and secure IAM solution for developers, customers, suppliers, and other stakeholders without compromising usability. Concretely, the identity server authenticates the user or client and issues access tokens, and every API validates those tokens and makes its access decisions from the claims they carry, rather than each API inventing its own scheme. More generally, we've seen a shift away from on-premise solutions (such as secure office networks) towards cloud-based IAM solutions and other tools designed for remote or hybrid environments.

The Future of Identity Access Management

For now, usernames and passwords remain the status quo for authentication. But for how much longer? Many organizations are already strengthening their frameworks with one-time passwords (OTP) and multi-factor authentication delivered via SMS or authenticator apps. Passwordless methods such as fingerprints, facial recognition, and hardware keys continue to gain ground, and their simplicity makes them a favorite with end users. In the API space, OAuth access tokens play a comparable role: a client presents a short-lived token issued by the identity server instead of sending a long-lived credential such as a password or static API key on every request.

Unfortunately, like a game of Whack-A-Mole, fresh vulnerabilities and security risks arise alongside each new approach. In 2023, for example, Salt Labs wrote extensively about the identification (and the resolution) of a significant OAuth implementation vulnerability. As a result, many organizations are moving towards the zero trust model, which adopts continuous authentication, least privilege, and encryption, even for internal users. We should also expect further deployment of AI for things like real-time threat identification and flagging unusual user behavior.

For APIs, it often comes back to OAuth and API keys. But many of the best practices from zero trust apply here too. Least privilege, robust authentication mechanisms, granular access control, and JWTs will remain relevant for the foreseeable future.
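To make the "connection between IAM and APIs" concrete, here is an added example (not code from the original post, from Curity, or from any of the vendors mentioned) of the resource-server side of the OAuth/JWT pattern described above: a hypothetical GET /invoices/{id} handler that validates the access token an identity server issued, enforces least privilege through a required scope, and then performs the object-level ownership check whose absence produces the "I'm not supposed to see this" screen from the opening. The issuer and audience URLs, the scope name, the invoice records, and the HS256 shared secret are all constructed for the demonstration; a real identity server would normally sign with RS256 or ES256 and publish its keys via JWKS, and the verification step would fetch them rather than use a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://idp.example.test"         # assumed identity server (hypothetical)
AUDIENCE = "https://invoices.example.test"  # identifier of this API (hypothetical)
READ_SCOPE = "invoices:read"                # assumed scope name for this endpoint

class AuthError(Exception):
    """Token failed validation; the handler maps this to HTTP 401."""

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity server: mint an HS256 JWT over the claims.
    Real IdPs normally sign with RS256/ES256 and publish keys via JWKS."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Check signature, pinned algorithm, issuer, audience and expiry; return claims."""
    now = int(time.time()) if now is None else now
    try:
        h64, b64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(b64))
        sig = _b64url_decode(s64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise AuthError("malformed token") from exc
    # The API, not the token, picks the algorithm: blocks "alg":"none" and downgrades.
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("bad signature")
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    aud = claims.get("aud")
    if aud != AUDIENCE and not (isinstance(aud, list) and AUDIENCE in aud):
        raise AuthError("token not issued for this API")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("token expired")
    return claims

INVOICES = {  # constructed sample store: each invoice belongs to exactly one subject
    "inv-1001": {"owner": "user-alice", "total": 120.00},
    "inv-1002": {"owner": "user-bob", "total": 75.50},
}

def get_invoice(authorization: str, invoice_id: str, key: bytes,
                now: Optional[int] = None) -> Tuple[int, dict]:
    """GET /invoices/{id}: authenticate the token, check scope, then check ownership."""
    if not authorization.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(authorization[len("Bearer "):], key, now)
    except AuthError as exc:
        return 401, {"error": str(exc)}
    if READ_SCOPE not in claims.get("scope", "").split():
        return 403, {"error": "insufficient_scope"}  # least privilege: scope is mandatory
    invoice = INVOICES.get(invoice_id)
    # Object-level check: a valid, correctly scoped token still unlocks only the
    # caller's own records. Unowned and nonexistent look identical to the caller.
    if invoice is None or invoice["owner"] != claims.get("sub"):
        return 404, {"error": "not found"}
    return 200, {"id": invoice_id, **invoice}

def demo(key: bytes = b"demo-shared-secret", now: int = 1_700_000_000) -> dict:
    """Run the handler against constructed good and bad tokens; returns case -> status."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-alice", "exp": now + 300}
    scoped = {**base, "scope": READ_SCOPE}
    def call(token: str, invoice_id: str) -> int:
        return get_invoice("Bearer " + token, invoice_id, key, now)[0]
    alice = make_token(scoped, key)
    h64, b64, s64 = alice.split(".")
    forged_body = _b64url_encode(json.dumps({**scoped, "sub": "user-bob"}).encode())
    none_header = _b64url_encode(b'{"alg":"none"}')
    return {
        "own_invoice": call(alice, "inv-1001"),
        "someone_elses_invoice": call(alice, "inv-1002"),
        "missing_scope": call(make_token(base, key), "inv-1001"),
        "expired": call(make_token({**scoped, "exp": now - 1}, key), "inv-1001"),
        "wrong_audience": call(make_token({**scoped, "aud": "https://other.example.test"}, key), "inv-1001"),
        "tampered_subject": call(f"{h64}.{forged_body}.{s64}", "inv-1002"),
        "alg_none": call(f"{none_header}.{b64}.", "inv-1001"),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:22s} -> HTTP {status}")
```

Three decisions in this handler carry most of the security value. The algorithm is pinned by the API rather than read from the token, which is the class of mistake behind many OAuth and JWT implementation flaws. Authentication (a valid token), authorization by scope (least privilege), and object-level authorization (ownership) are separate checks, and a request must pass all three. And the ownership failure returns the same 404 as a missing record, so a valid token cannot be used to enumerate which invoice IDs exist.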
One thing's for sure: as identity and access management continues to evolve, so will the methods employed by hackers and other bad actors. Organizations simply cannot afford to rest on their laurels, throw up their hands, and say, "Oh well, IAM what I am…"