Chapter 79. API Security: JWE Encryption for Native Data Protection

Andres Andreu

In the spirit of zero trust, building encryption and decryption capabilities into an API ecosystem should be considered standard practice. APIs are generally accessed remotely via a web protocol such as HTTPS. HTTPS alone, whatever version of TLS sits beneath it, is not enough for defense in depth. It provides transport security only: it protects the stream that carries your data between two endpoints. It does not protect the data itself, which is plaintext wherever TLS terminates (load balancers, reverse proxies, API gateways) and on both endpoints before and after the connection.

Stronger protection comes from native data-level (payload) protection via an orthogonal layer of encryption and decryption. This protects the data itself regardless of what happens in transit, even after a successful MITM attack on the transport. Moreover, it pushes the API ecosystem toward a model in which trust rests on cryptographic key exchanges having taken place between the two parties of a given request-and-response relationship (an API call being made), which is the essence of zero trust. The cryptographic keys obviously need to be protected on both sides of the relationship, but this raises the bar: a message is accepted only if it was produced with specific cryptographic keys. This mode of operation provides native data protection and also opens up the possibility of machine authentication via mutual TLS (mTLS), obviously using ...

From 97 Things Every Application Security Professional Should Know (O'Reilly).