Caber Addresses the Three Failures of DLP in API Security

It's Customer Data, But Whose?

Complying with GDPR, HIPAA, FINRA and other regulations' data access control requirements requires knowing whose data an API contains, where it comes from and where it's going to. First American Corp leaked 800 million customer documents because an API didn’t know it was giving customer ‘A’ a loan application PDF belonging to customer ‘B’. Atlassian, Uber, Peloton, Parler, and thousands of other applications are found with broken authorization or access control each year.


I'll Know It When I See It

Microservices copy data objects from storage systems, aggregating, rearranging, and reformatting them before sending their data on to other services. Excessive Data Exposure is #3 on OWASP's API Top Ten, so a service may be sending more than you think. The data a service gets from another could be anything and could have come from anywhere. When you don't know what you are looking for, no rule or keyword search will find it for you.


Discovering Data that's Supposed to be There

Across microservices it's as important to know where data can go as where it can't. The problem is that services can't copy the access policies and other metadata tied to those objects, because security best practices forbid broad access to such privileged information. Without the metadata, services have no idea what data they hold. APIs send data to unauthorized users because they can't compute what policy should apply.


It's Time For A New Approach

Caber uses advanced sequencing algorithms to go beyond the capabilities of today's DLP and API security tools. Requiring only a gateway or proxy plug-in, Caber detects broken authorization by:

  • Connecting fragments of data in API request and response payloads to the objects they come from

  • Resolving the identity and authorization policy belonging to that data

  • Applying those policies at the point of access using the API caller's identity and request parameters.