Caber Addresses the Three Failures of DLP in API Security
It's Customer Data, But Whose?
Complying with the data access control requirements of GDPR, HIPAA, FINRA and other regulations requires knowing whose data an API handles, where it came from and where it is going. First American Corp leaked 800 million customer documents because an API didn't know it was giving customer 'A' a loan application PDF belonging to customer 'B'. Atlassian, Uber, Peloton, Parler and thousands of other applications are found each year to have broken authorization or access control.
I'll Know It When I See It
Microservices copy data objects from storage systems, aggregating, rearranging and reformatting them before passing the results on to other services. Excessive Data Exposure is #3 on the OWASP API Security Top Ten (2019 edition), so a service may be sending more than you think. The data a service receives from another service could be anything and could have come from anywhere. When you don't know what you are looking for, no rule or keyword search will find it for you.
Discovering Data that's Supposed to be There
Across microservices it is as important to know where data is allowed to go as where it is not. The problem is that services can't copy the access policies and other metadata tied to those objects; security best practice forbids broad access to such privileged information. Without that metadata, services have no idea what data they hold. APIs send data to unauthorized users because they can't compute which policy should apply.
It's Time For A New Approach
Caber uses advanced sequencing algorithms to go beyond the capabilities of today's DLP and API security tools. Requiring only a gateway or proxy plug-in, Caber detects broken authorization by:
Connecting fragments of data in API request and response payloads to the objects they come from;
Resolving the identity and authorization policy belonging to that data;
Applying those policies at the point of access using the API caller's identity and request parameters.
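The three steps above, worked through as an added illustration that is not Caber's code or an account of its algorithms. It assumes a gateway plug-in can see the response payload and the caller's identity, and it stands in a deliberately simple fingerprinting scheme (hashing normalised field values) for the provenance matching the page describes. The loan records, policies and the aggregated response are constructed sample data, modelled on the customer 'A' receives customer 'B' pattern from the First American incident.

```python
"""Gateway-side broken-authorization check, following the three steps above.

Added illustration, not Caber's code. The object store, policies, request and
response are constructed sample data; the fingerprinting here (hashing
normalised leaf values) is an assumption standing in for the provenance
matching the page describes.
"""
import hashlib

# Constructed source objects: each record carries the access policy that the
# downstream service never receives a copy of.
SOURCE_OBJECTS = {
    "loan/1001": {
        "policy": {"owner": "cust-A", "readers": {"loan-officer-7"}},
        "data": {"applicant": "Alice Ahmed", "ssn": "123-45-6789", "amount": 250000},
    },
    "loan/1002": {
        "policy": {"owner": "cust-B", "readers": set()},
        "data": {"applicant": "Bob Baker", "ssn": "987-65-4321", "amount": 410000},
    },
}


def _fingerprint(value) -> str:
    """Normalise a scalar and hash it, so a fragment still matches after a
    service has changed case, padded whitespace or re-typed a number."""
    norm = str(value).strip().lower()
    return hashlib.sha256(norm.encode()).hexdigest()


def build_index(objects):
    """Support for step 1: map fingerprints of distinctive field values back
    to the object(s) they came from. Very short values are skipped because a
    value like 0 or 'ok' would match almost any payload."""
    index = {}
    for oid, rec in objects.items():
        for v in rec["data"].values():
            if len(str(v)) < 6:
                continue
            index.setdefault(_fingerprint(v), set()).add(oid)
    return index


def _leaves(payload):
    """Yield every scalar in a nested, possibly re-arranged JSON payload."""
    if isinstance(payload, dict):
        for v in payload.values():
            yield from _leaves(v)
    elif isinstance(payload, list):
        for v in payload:
            yield from _leaves(v)
    else:
        yield payload


def trace_fragments(response_payload, index):
    """Step 1: connect fragments in the response to their source objects."""
    hits = set()
    for leaf in _leaves(response_payload):
        hits |= index.get(_fingerprint(leaf), set())
    return hits


def authorised(caller: str, policy) -> bool:
    """Steps 2 and 3: evaluate the object's own policy against the caller."""
    return caller == policy["owner"] or caller in policy["readers"]


def check_response(caller, response_payload, objects=SOURCE_OBJECTS, index=None):
    """Return the ids of source objects present in the response that the
    caller is not authorised to read. An empty list means the response is clean."""
    index = index if index is not None else build_index(objects)
    return sorted(oid for oid in trace_fragments(response_payload, index)
                  if not authorised(caller, objects[oid]["policy"]))


if __name__ == "__main__":
    # Constructed: the service aggregated two loans and re-labelled the fields,
    # then served the result to customer A. Only Bob's record should be flagged.
    leaked = {"results": [{"name": "ALICE AHMED", "tax_id": "123-45-6789"},
                          {"name": "Bob Baker ", "tax_id": "987-65-4321"}]}
    print(check_response("cust-A", leaked))  # ['loan/1002']
```

The check is driven by the data that actually left the service, not by the request path, which is why the renamed and re-cased fields still resolve to customer B's loan. A real deployment would need a more robust matching scheme than value hashing (the page's own term is sequencing), a way to bound false positives on common values, and a decision about whether to block or only alert at the proxy.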