Rethinking API Security in the Microservices Era

APIs power India’s innovation, yet expose enterprises to systemic cyber risks demanding strong CISO oversight.

On a Monday morning in Mumbai’s bustling Santa Cruz corporate hub, Deepak Bhosale walks into the Asian Paints office carrying a rare mix of accomplishment and vigilance. As Associate Vice President of IT, he has steered the 80-year-old paint giant into a digital-first enterprise where technology underpins every service and customer interaction. Today, Asian Paints orchestrates a vast ecosystem that extends far beyond paint—spanning kitchens, bathrooms, and home improvement solutions—all seamlessly connected through a web of APIs that link partners, suppliers, and end-users.

This transformation is emblematic of India’s sweeping digital ambitions as the nation races towards a projected $1 trillion digital economy by 2025. Yet, beneath this undeniable progress lies a persistent challenge: APIs—the very arteries driving innovation—have also become vulnerable gateways for cyber attacks. “On one hand, businesses want fearless innovation; on the other, security cannot be compromised,” Bhosale reflects. His words capture the essence of a dilemma facing every CIO and CISO today—the daily balancing act between enabling rapid technological advances and safeguarding critical data assets.

APIs have quietly emerged as the highways of India’s digital economy. They shuttle data between mobile apps, cloud services, and connected devices, making platforms more agile and consumer experiences more seamless. But like all roads, the more they proliferate, the greater the opportunity for breakdowns, accidents, and targeted attacks. API security incidents in India have more than doubled in the past year, a stark indicator of the risks accompanying explosive growth. Most corporate decision makers remain unaware of the sheer number of APIs—many operating outside traditional security perimeters—through which their businesses now communicate.

Numbers from industry research paint a concerning picture: nearly 80% of API breaches in India stem from weak authentication, an avoidable flaw with potentially devastating financial, reputational, and regulatory repercussions. Akamai’s recent study provides further context—85% of Asia-Pacific businesses reported at least one API breach last year, with each incident costing over US $580,000 on average. Even more troubling is the perceptual gap: while most C-suite leaders believe they have full oversight of their API landscape, less than half of security teams share that confidence; only a small fraction feel capable of identifying APIs that actually expose sensitive data.

This disconnect magnifies enterprise exposure and underscores the urgent need for purpose-built API security, not patchwork solutions. Many organizations still rely on application support and monitoring tools for protection, but these are mere band-aids—not comprehensive fortifications. As the adoption of microservices, cloud, and edge architectures continues to accelerate, CISOs across India are awakening to a new reality: API security must be embedded from the outset, woven into the design and fabric of every digital project.

The Microservices Revolution

The shift from monolithic enterprise applications to microservices-based architectures has rewritten both business models and security strategies. Each microservice carries its own APIs, and when multiplied across internal, external, and third-party services, the result is an exponential surge in vulnerability points. This proliferation spawns shadow APIs that escape documentation and governance, zombie APIs left un-retired, and inconsistent security practices around authentication and encryption. Complicating matters, agile development cycles mean rapid, frequent updates—sometimes at the expense of robust security vetting.

Integration with third-party platforms further compounds risks, making security contingent on external standards that may not align with the enterprise’s own policies. The talent crunch in API security, along with cultural friction between developer speed and security discipline, and nascent governance frameworks, presents additional hurdles for CISOs. Thus, the challenge for security leaders encompasses not just technical threats but also strategic and operational dimensions that shape overall business resilience.

Why Traditional Security Falls Short

Traditional security tools were designed for simpler times, when applications sat behind walls with tightly controlled entry points. APIs have shattered that assumption, routing data across internal networks, third-party platforms, and customer applications in a continuous and often invisible flow. Traffic rarely passes through perimeter defenses such as firewalls, leaving gaps that criminals are quick to exploit.

Shadow and zombie APIs exemplify these risks. In rapidly evolving projects, developers may launch APIs without proper documentation, or neglect to shut down obsolete ones—creating endpoints that often lack basic authentication and monitoring. For example, a banking app upgrade might leave an old balance-check API running unnoticed, vulnerable to exploitation. Third-party dependencies extend risk beyond direct control; an insurer may secure its claims platform, but if an aggregator lacks encryption, data in transit can be intercepted. The fast pace and frequent updates of DevOps can also lead to authentication oversights, potentially exposing user information with just one missed detail.

The harsh lesson: Security methods built for stable environments falter in the API era, where boundaries are blurred, change is constant, and the attack surface is sprawling. APIs are now not just business enablers—they are potential open shortcuts for attackers, demanding a new breed of security strategy.

As Mayank Mehta, CISO at Magma General Insurance notes, “Most API security tools are not mature enough today—they don’t give a complete east-west, north-south view in a single pane. That’s why maintaining an inventory of active APIs and eliminating zombie APIs is critical.’”

The Hidden Scale of API Attacks

Unlike headline-grabbing malware outbreaks, most API breaches exploit subtle design flaws or simple misconfigurations. Attackers use compromised credentials or legitimate-looking requests to blend in with normal traffic, making detection difficult. These intrusions are often incremental; data is siphoned off slowly from services APIs, financial databases, or HR systems, all while business appears to function normally.

As Uday Deshpande, CISO at Larsen & Toubro, explains, “The biggest problem is weak authentication and authorization. That’s why we are adopting Zero Trust principles and AI/ML for anomaly detection in API traffic. Discipline is essential—the earlier you detect, the earlier you mitigate.”

To appreciate the scale of today’s API security challenge, consider the underlying digital shift. MuleSoft’s 2024 Connectivity Benchmark Report finds that the typical large enterprise now operates approximately 900 distinct applications, yet less than one-third are integrated—a coverage gap that enables hundreds of potential exposures. Every smartphone tap, online transaction, or video stream triggers countless API calls. Mobile banking is a vivid example: a balance check may activate APIs for fraud detection, credit review, payments, notifications, and regulatory reporting—all before giving the user feedback. AI-powered services further compound complexity, generating multi-layered API calls across disparate backend platforms.

Gartner’s research highlights that 74% of global organizations now use microservices, leaving monolithic platforms behind. This architectural leap creates a “city” of thousands of interconnected APIs, delivering agility at the cost of exponentially multiplying possible entry points for attackers.

India’s Sectoral Battleground for API Security

India’s rapid digital revolution, visible in sectors such as fintech, manufacturing, and healthcare, makes the risks ever more tangible. Consider the Unified Payments Interface (UPI). Each month, over 10 billion payments are completed via APIs linking banks, payment processors, fintech startups, and regulatory agencies. A single compromised API could impact millions of users, prompting RBI to enforce real-time API security standards and robust breach notification protocols.

Similarly, the fintech domain—now valued at $31 billion in 2024—depends almost entirely on APIs for daily operations. Platforms like Razorpay, Paytm, and PhonePe juggle millions of transactions, their interconnectivity creating an extensive attack surface. The Digital Personal Data Protection Act (DPDPA) 2023 mandates not just data privacy but explicit controls at the API layer, including granular consent management and data localization.

Manufacturing’s embrace of Industry 4.0, typified by Asian Paints’ integration of APIs across business and service platforms, opens new avenues for both growth and vulnerability. Healthcare leverages APIs to connect hospitals, diagnostics, and telemedicine, making patient data more accessible—and more exposed—than ever. The sector has witnessed a spike in targeted attacks, pushing providers to upgrade API monitoring and compliance practices.

Sectoral Impact of APIs in India

APIs have become the backbone of India’s digital economy, powering everything from payments and identity verification to e-commerce and health records. While they enable rapid innovation and scale, insecure APIs expose critical data and infrastructure to breaches, fraud, and systemic disruption, making their security a national priority.

• Banking and Financial Services: With UPI, IMPS, and Aadhaar-enabled payments, India has become the world’s most API-driven financial ecosystem. In 2023, CERT-In reported rising cases of API abuse in digital lending apps and unauthorized UPI requests. The RBI has tightened norms around authentication, and the Data Protection Act 2023 creates liability for financial data leakage. The 2024 Finastra incident globally underscores risks, but India’s own cases — such as the Paytm Payments Bank compliance issues — show how exposed APIs can disrupt services at scale.

• Manufacturing and Industrial IoT: Make in India and Industry 4.0 programs have accelerated IoT adoption, with APIs linking ERP systems, shop-floor robotics, and suppliers. Weak authentication remains common, and CERT-In advisories in 2022 flagged vulnerabilities in exposed OT APIs in energy and steel plants. Compromise of APIs here risks not only IP theft but operational sabotage — a live concern given geopolitical cyber tensions.

• Healthcare and Pharmaceuticals: The Ayushman Bharat Digital Mission (ABDM) relies heavily on health data APIs linking hospitals, insurers, and patients. Misconfigured APIs could expose electronic health records (EHRs), which are increasingly traded in underground markets. In 2022, a major Indian pathology lab leak was traced to insecure APIs exposing millions of patient reports. The Digital Information Security in Healthcare Act (DISHA, draft) and DPDP Act highlight the urgency of securing health APIs.

• Retail and E-Commerce: APIs drive checkout, delivery, inventory, and payment in India’s e-commerce and Q-commerce giants. Vulnerabilities have enabled price manipulation and loyalty-point theft. In 2021, a food delivery platform suffered API abuse that exposed user data, including addresses and order history. With ONDC (Open Network for Digital Commerce), secure APIs are even more critical, as thousands of small sellers connect to national-scale infrastructure.

• Telecommunications: Telcos like Jio, Airtel, and Vi expose APIs for billing, KYC, and partner services. SIM-swap fraud, often linked to weak API authorization, remains a rising threat. In 2023, TRAI raised concerns around APIs used in spam/OTP generation and mandated stricter testing of Distributed Ledger Technology (DLT)-based SMS APIs. Outages linked to misconfigured APIs in interconnect billing have shown systemic fragility.

• Energy and Utilities: Smart meters and EV charging stations are heavily API-dependent. Insecure APIs can enable energy theft or denial of service in distribution networks. Researchers have demonstrated how EV charging APIs could be manipulated to disrupt availability. With India’s Critical Information Infrastructure (CII) framework under NCIIPC, utilities are expected to harden API endpoints as a national security priority.

• Government and Public Services: India Stack — with Aadhaar, DigiLocker, and e-Sign APIs — is the most ambitious public digital infrastructure globally. But Aadhaar has repeatedly been in the news for leaks via unsecured APIs of third-party service providers. The new DPDP Act 2023 imposes penalties on entities failing to secure APIs while handling citizen data. Several state-level e-governance platforms have also suffered scraping and brute-force API attacks.

• Media and Entertainment: OTT platforms like Hotstar, SonyLIV, and JioCinema rely on APIs for streaming, subscriptions, and ad delivery. Credential stuffing on login APIs is a frequent risk, with breached accounts resold on darknet forums. In 2023, a gaming API exposure led to leaks of personal data from over 1.5 million Indian users. Regulatory focus is growing, with MeitY examining consumer protection in digital entertainment ecosystems.

• Transportation and Logistics: From IRCTC’s ticketing APIs to ride-hailing apps like Ola and Uber, APIs underpin India’s mobility sector. In 2022, a Bengaluru-based bus ticketing aggregator suffered a breach via poorly secured booking APIs, exposing travel details of millions. Logistics APIs, including those in e-commerce supply chains, are highly targeted — disruptions cascade into national commerce and trade flow. DPDP compliance will require securing these APIs against unauthorized access.

• Education and EdTech: Online platforms and government portals (Diksha, SWAYAM) depend on APIs for content delivery, exam hosting, and student data management. In 2021, researchers flagged exposed APIs in a leading Indian EdTech platform that allowed mass harvesting of student profiles. With NEP 2020 pushing digital learning, API security is central to protecting minors’ personal information and intellectual property.

Three Pillars of Next-Gen Security

Today, Indian CISOs recognize that security cannot be an afterthought. The most forward-looking organizations use three robust pillars to secure their APIs:

1. AI-Powered Behavioral Analysis: Emerging threats often hide in normal traffic. AI tools are now indispensable—learning typical patterns, flagging unexpected deviations, and continually updating to reflect business changes. “AI/ML tools are helping us detect anomalies where traditional methods throw too many false positives,” notes Deshpande.

2. Zero Trust by Design: Security must assume “trust nothing, verify everything.” Zero Trust models enforce authentication and least-privilege access for every session and transaction, starting with the most exposed APIs and expanding inward.

3. Security Across the API Lifecycle: APIs evolve constantly; security must start with design, continue through deployment, and include post-incident review. Shift-left approaches bake in prevention early, while ongoing monitoring and governance maintain effective resilience. “Security at both process and people level has become a huge focus in the last 5–6 years,” says Bhosale.

Turning Principles into Practice: A Roadmap

For CISOs, putting concepts into action means structuring security maturity with clear, phased steps:

• Phase 1: Discovery & Foundation (Months 1–3): Map every API, including undocumented and legacy endpoints, and institute baseline controls like encryption and rate limiting.
• Phase 2: Integration & Governance (Months 4–8): Deploy secure gateways, run security tests in CI/CD pipelines, enforce MFA and OAuth, and align with DPDPA governance.
• Phase 3: Advanced Capabilities (Months 9–18): Implement AI anomaly detection, refine incident response, and ensure continuous compliance with board-level visibility.

This approach enables organizations to quickly address exposures while building lasting resilience—crucial in a landscape where threats evolve as quickly as business models.

Delay Costs, Leadership Pays

The financial penalties for API-related outages and security breaches in India are staggering. A single hour of downtime or exposure can cost an enterprise up to ₹1 crore, while serious violations under the Digital Personal Data Protection Act (DPDPA) could attract fines as high as ₹250 crore. These aren’t just hypothetical figures; recent incidents across banking, manufacturing, and healthcare have led to swift regulatory scrutiny and significant business disruption, with ripple effects felt in market reputation and customer trust.

But the consequences extend far beyond the immediate monetary impact. Cyberattacks often trigger mandatory public disclosures, potentially eroding years of brand equity in just days. Regulatory investigations can stall critical business projects and delay product rollouts, directly impeding an organization’s ambition to innovate rapidly or scale up in a competitive market. Moreover, loss of sensitive customer data can see companies battling legal claims, litigation, and long-term trust deficits in their stakeholder communities.

On the flip side, organizations that decide to future-proof their API security infrastructure reap measurable rewards. Robust protection practices translate into 40% faster time-to-market, a 60% reduction in development delays, and demonstrably stronger customer relationships built on transparency and reliability. Such firms not only avoid costly breaches and penalties—they also become models for industry best practice, attracting business partnerships and regulatory goodwill vital for long-term growth and digital leadership.

What’s Next?

India’s APIs form the backbone of its digital ambitions. As Mayank Mehta cautions, “Till the time tools mature, every organization must maintain a holistic discovery of APIs, ensure encryption, and set rate-limiting as a baseline.” The paradox, as Bhosale notes, is clear: “On one hand, businesses want fearless innovation; on the other, security cannot be compromised.”

As Indian enterprises take the global stage, those that embed AI, Zero Trust, and rigorous lifecycle security into their API strategies will define tomorrow’s success. Those who hesitate risk becoming case studies in failure—cautionary tales cited in classrooms and conferences as reminders of what went wrong.

In conclusion, as India’s digital economy accelerates on the back of APIs, securing them is no longer a narrow technical task—it is a leadership mandate. Tools alone are not enough; enterprises need disciplined governance, continuous API lifecycle visibility, and a culture where developers and security teams work seamlessly together. From ecosystem risks to zombie APIs and shadow IT, the threats are real and rising. Yet, with strong hygiene, shift-left practices, and AI-enabled monitoring, CISOs can transform APIs from the weakest link into the resilient foundation of innovation.

The API Security Maturity Path

Assess where your enterprise sits today—and where regulators, customers, and partners expect you to be tomorrow.

Level 1 – Reactive: APIs monitored only after incidents. No central inventory.
Level 2 – Defined: API gateways deployed, partial inventory exists.
Level 3 – Integrated: APIs covered by DevSecOps testing and runtime controls.
Level 4 – Proactive: Continuous discovery, anomaly detection, governance board reporting.
Level 5 – Adaptive: AI-driven anomaly detection, automated remediation, API security embedded in enterprise risk DNA.

Emerging API Risks

What feels like a niche API concern today could be a headline risk tomorrow.

• AI Workloads: APIs serving AI/ML models could be poisoned or exploited.
  
• 5G & IoT: APIs will underpin billions of devices in critical infrastructure.
  
• API Marketplaces: Monetization platforms become new hunting grounds.
  
• Autonomous Attack Bots: APIs will face AI-driven adversaries; human monitoring won’t scale.