A major financial institution processes loan applications sent by authorized mortgage brokers and banks through a Kafka-based pipeline. Each bank that originates a loan application has a dedicated Kafka topic. An application may pass through several intermediate banks, each reading it from one topic and updating it before writing it to another. The institution uses Kafka ACLs (stored in ZooKeeper) to control which banks may read from or write to each topic.
Figure: Kafka Topic Data Access Authorization
Problems have arisen when a bank writes a loan application to the wrong topic, presenting itself as the originating bank rather than an intermediate handler, so that the completed application is routed to the wrong bank. Because authorization considers only the bank's identity and the topic name, never the content of the record, the ACLs cannot catch this. The director of application security put it bluntly: the institution knows more about which banks call its APIs than about the data those banks actually send.
By "tagging" the data when a bank first writes it to a topic, Caber CA/CO follows the distinctive data patterns in the loan documents even as intermediate banks modify them. If a bank submits an application while claiming to be its originator, Caber flags the write as a security risk and provides a detailed trail of the data's journey through the system, so the institution's security team can investigate and resolve the incident efficiently.
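The gap described above is that a topic ACL answers only "may this principal write this topic?", not "is this principal the originator the payload claims to be?". The following added example (not Caber's code and not the institution's pipeline; bank names, topic names, the ACL table and the loan records are all constructed for illustration) models both checks in plain Python: a Kafka-style principal/topic/operation ACL table, and a provenance tag attached on the first write that later writes are checked against, producing the hop trail an investigator would want.

```python
"""Topic-level ACLs versus content-aware origination checks (added example)."""
import hashlib
from dataclasses import dataclass, field, replace

# Constructed Kafka-style topic ACLs: principal -> topic -> allowed operations.
# Bank and topic names are hypothetical. In a real cluster these are Kafka ACLs
# managed with kafka-acls.sh; note they name principals and topics only, never
# the content of a record.
TOPIC_ACLS = {
    "User:bankA": {"loans.bankA": {"Write"}},
    "User:bankB": {"loans.bankA": {"Read"}, "loans.bankB": {"Write"}},
    "User:bankC": {"loans.bankB": {"Read"}, "loans.bankC": {"Write"}},
}


@dataclass(frozen=True)
class LoanApplication:
    originator: str   # which bank the payload *claims* originated the loan
    applicant: str
    amount: int
    notes: str = ""


@dataclass(frozen=True)
class Provenance:
    origin: str        # bank that performed the first write (the tag)
    fingerprint: str   # stable identity of the application at origination
    hops: tuple = ()   # (bank, topic) pairs in write order


def bank_of(principal: str) -> str:
    """Map a Kafka principal such as 'User:bankA' to the bank name 'bankA'."""
    return principal.split(":", 1)[1]


def acl_allows(principal: str, topic: str, op: str) -> bool:
    """The check a Kafka authorizer performs: principal, topic, operation."""
    return op in TOPIC_ACLS.get(principal, {}).get(topic, set())


def fingerprint(app: LoanApplication) -> str:
    """Hash only the fields that identify the loan, so intermediate edits to
    notes or terms do not break the link back to the originating write."""
    return hashlib.sha256(f"{app.applicant}|{app.amount}".encode()).hexdigest()[:16]


class Pipeline:
    """In-memory stand-in for the brokers; every stored record carries a tag."""

    def __init__(self):
        self.topics: dict = {}   # topic -> list of (application, provenance)
        self.alerts: list = []

    def write(self, principal, topic, app, prov=None):
        if not acl_allows(principal, topic, "Write"):
            raise PermissionError(f"{principal} may not write {topic}")
        bank = bank_of(principal)
        if prov is None:
            # First write: this is the origination point, so tag it here.
            prov = Provenance(origin=bank, fingerprint=fingerprint(app))
        prov = replace(prov, hops=prov.hops + ((bank, topic),))
        # Content checks the ACL cannot make: does the payload's claimed
        # originator match the bank that first wrote it, and is this still
        # the same application that was tagged?
        if app.originator != prov.origin:
            kind = "origination_spoof"
        elif fingerprint(app) != prov.fingerprint:
            kind = "tag_mismatch"
        else:
            self.topics.setdefault(topic, []).append((app, prov))
            return True
        self.alerts.append({"kind": kind, "writer": bank, "topic": topic,
                            "claimed": app.originator, "actual": prov.origin,
                            "trail": list(prov.hops)})
        return False

    def read(self, principal, topic):
        if not acl_allows(principal, topic, "Read"):
            raise PermissionError(f"{principal} may not read {topic}")
        return list(self.topics.get(topic, []))


def demo():
    """Constructed run: bankA originates; bankB forwards once correctly and
    once while rewriting the originator field to itself."""
    p = Pipeline()
    p.write("User:bankA", "loans.bankA", LoanApplication("bankA", "J. Doe", 250_000))
    app_in, prov_in = p.read("User:bankB", "loans.bankA")[0]
    ok = p.write("User:bankB", "loans.bankB",
                 replace(app_in, notes="rate quoted"), prov_in)
    spoofed = replace(app_in, originator="bankB", notes="rate quoted")
    bad = p.write("User:bankB", "loans.bankB", spoofed, prov_in)
    return ok, bad, p.alerts


if __name__ == "__main__":
    print(demo())
```

Both of bankB's writes pass the ACL, because bankB is allowed to write `loans.bankB`; only the provenance tag distinguishes the legitimate forward from the one that claims origination, and the alert carries the hop trail back to bankA's first write.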
Figure: Third-Party API Misuse
A consumer genomics company that provides DNA testing services takes HIPAA compliance seriously and has built a substantial technology stack to secure its APIs. The stack includes Alation and Immuta, used to classify Protected Health Information (PHI) and to monitor access to it.
Figure: Continuous Compliance Monitoring
Despite effective classification and access controls for PHI at rest, recent compliance audits found a problem: PHI transferred over internal APIs sometimes ends up in systems that are not authorized to hold it. The cause is that these systems were built by different teams at different times, with no consistent way to carry the classification or origin of data along with it while it is in transit.
Caber CA/CO addresses this by tracing data flowing through the internal APIs back to its original source. Once the source is identified, Caber makes a custom API call to the company's Alation system to look up the data's classification, then a second call to Immuta to check whether the transfer complies with policy. In this way the movement of PHI between internal systems is checked against the company's privacy and compliance standards continuously, not only at rest.
Broken access control sits at the top of the OWASP API Security Top 10 (Broken Object Level Authorization is API1). First American Financial Corp. was fined $487,616 after inadvertently exposing some 885 million records containing sensitive personal and financial information. The breach occurred because a web endpoint served documents by sequential ID to anyone with a browser, with no authentication or authorization, and the exposed records dated back 16 years. The flaw came to light only when security journalist Brian Krebs reported it.
Figure: Broken API Access Control
There is a clear separation between the APIs that handle user requests and the back-end APIs that process data on their behalf. Individual APIs may each be well secured; the hard part is securing the interactions between front-end and back-end APIs, which in modern applications are complex, hard to predict, and constantly changing. A service mesh can decide which services may talk to each other, but it does not inspect or track the data they exchange.
Caber CA/CO is designed to trace data as it moves between APIs and services, down to the byte level, identifying the source, ownership, and permissions of data even when it has been mixed with other data or truncated. With this kind of visibility, First American Financial's security team could have detected that sensitive documents were reaching unauthenticated requests and addressed the exposure promptly.