NIST released the Initial Public Draft (IPD) of Special Publication (SP) 800-228, Guidelines for API Protection for Cloud-Native Systems, on March 25, 2025. In this draft, they provide guidance to address the evolving security challenges in API implementation. What stands out most in the guidelines are three key areas: API Risk, Recommended Controls, and Implementation of API Protection.

APIs have become the fundamental building blocks of modern software applications, especially in cloud-native environments.

This blog explores the essential security risks and controls recommended by NIST and how they can be effectively implemented to protect your API infrastructure.

The Rising Importance of API Security in Cloud-Native Systems

Cloud-native systems are built on loosely coupled applications and microservices, often orchestrated through APIs. While this architecture offers unprecedented flexibility and scalability, it also introduces unique security risks. APIs serve as gateways, exposing functionality and sensitive data to both internal and external consumers. When inadequately secured, they become attractive entry points for attackers seeking to exploit vulnerabilities, exfiltrate data, or disrupt services.

API Risks by NIST

The NIST SP 800-228 IPD arrives at a critical moment, as recent years have witnessed a surge in API-related security incidents, from misconfigurations to inadequate authentication mechanisms. The recommendations below can be organized into three main security pillars: Discovery, Testing/remediation, and API posture management.

With public comments open until May 12, 2025, this framework provides comprehensive guidance for securing APIs throughout their lifecycle and is subject to change.

Key Security Controls Recommended by NIST

1. Strong Authentication and Authorization

NIST recommends implementing strong authentication mechanisms to ensure that only authorized users and applications can access your APIs. You should:

• Use OAuth 2.0, OpenID Connect, or properly validated API keys

• Enforce Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC)

• Rotate credentials regularly and validate tokens securely

• Require multi-factor authentication for sensitive operations

These practices help protect your systems from unauthorized access and credential-based attacks.

2. Secure API Communication

To protect data in transit, NIST advises securing API communication using encryption and transport safeguards. Specifically, you should:

• Enforce TLS (Transport Layer Security) to prevent eavesdropping

• Implement HTTPS-only policies for all API endpoints

• Disable weak or deprecated cryptographic algorithms

• Use certificate pinning to prevent man-in-the-middle attacks

These controls help maintain data confidentiality and integrity across distributed systems.

3. Input Validation and Data Sanitization

To reduce exposure to injection and scripting attacks, NIST encourages adopting strict input validation and sanitization measures. You should:

• Follow secure coding practices throughout the API development lifecycle

• Apply validation rules to all incoming data

• Use parameterized queries to avoid SQL injection

• Sanitize inputs before processing

• Validate request payloads against predefined schemas

These measures help prevent malicious data from reaching your backend systems.

4. Rate Limiting and Throttling

To guard against abuse, including denial-of-service (DoS) attacks, NIST suggests applying runtime protections such as:

• Implementing rate limiting by user, IP, or application ID

• Throttling requests to prevent system overload

• Using graduated response strategies for suspected abuse

• Returning generic error messages that don’t expose system details

These controls help maintain system availability and prevent performance degradation.

5. Comprehensive Logging and Monitoring

Effective monitoring helps detect suspicious activities and potential security breaches. The NIST guidelines emphasize you should:

• Log all API interactions, including authentication and data access

• Implement real-time monitoring and anomaly detection

• Use SIEM tools to aggregate and analyze logs

• Configure alerts for suspicious patterns or abnormal behavior

Logging and monitoring allow you to detect and respond to potential security incidents quickly.

6. Patch Management and API Versioning

Outdated APIs with unpatched vulnerabilities present significant security risks. NIST advises to:

• Maintain a proactive patch management strategy for all API components

• Implement secure API versioning to phase out deprecated endpoints

• Establish a process for communicating API changes to consumers

• Conduct regular vulnerability assessments of API implementations

This lifecycle approach ensures that APIs remain secure throughout their operational lifespan.

7. Secure API Gateway Implementation

API gateways serve as centralized control points for managing API traffic. NIST recommends to:

• Deploy API gateways as intermediaries between clients and backend services

• Centralize authentication, authorization, and rate-limiting policies in one platform

• Implement traffic filtering and inspection capabilities

• Use gateways to enforce consistent security controls across all APIs

These architectural controls add layers of protection while simplifying the implementation of security policies.

Implementation Options and Trade-Offs

One of the strengths of NIST SP 800-228 IPD is its recognition that one size doesn't fit all when it comes to API security. Analyzing the pros and cons of different implementation strategies and allowing organizations to tailor solutions to their specific needs. This flexibility enables security practitioners to balance security requirements with performance and cost considerations.

For enterprises adopting cloud-native architectures, the guidelines offer both basic and advanced controls, providing a scalable path to API security that accommodates varying levels of organizational maturity. Smaller organizations can start with fundamental protections and gradually implement more sophisticated measures as their capabilities grow.

Each implementation has its trade-offs, there is no one-size-fits-all with API security. The chart above shows the three options that today’s API Gateways provide.

There is value in any tool that helps organizations inventory and manage their APIs and traffic. However, the enforcement of any policies should be as close to the individual service instance as possible in order to achieve robust API security assurance. In the use case of data classification, these tools can be especially useful for building an initial inventory. - NIST

As API definitions are rolled out across the organization, data tagging should be implemented as part of the API schema, and the data flow policy should be enforced via explicit policy (e.g., with an authorization system). The runtime discovery of data flow is primarily important in protecting against exfiltration.

How Akto.io Can Help

To meet NIST’s API security requirements, Akto offers a comprehensive platform that addresses key API risks like unauthorized access, data exposure, and abuse. With real-time API discovery, continuous monitoring, and automated security testing, Akto helps detect and mitigate vulnerabilities early. Align with the new NIST guidelines, enabling efficient compliance while strengthening your overall API security posture against modern cyber threats.

Final thoughts

As cloud-native adoption continues to accelerate, API security remains a critical component of enterprise resilience. The NIST SP 800-228 IPD provides a comprehensive framework for identifying vulnerabilities, analyzing risks, and implementing effective controls across the API lifecycle.

By following these recommended security controls, organizations can mitigate risks, protect sensitive data, and ensure the reliability of their API infrastructure. Implementing these best practices strengthens security posture and fosters trust with users and stakeholders in an increasingly interconnected digital ecosystem.

Schedule a call with us today and see how Akto can help your organization meet security regulations.