
In the API economy, API security moves to center stage

Integrating systems and data could pay off big. But publishing an API requires a lifetime commitment to monitoring its use.

How important are APIs? According to a recent Deloitte University Press report, we are in the midst of a revolution, with the number of public APIs doubling over the past 18 months, and more than 10,000 published to date. The API economy, in which companies such as Salesforce.com, Amazon Web Services and many others generate revenues by exposing APIs as business building blocks, has swept across a wide range of industries and is even penetrating government.

In essence, APIs are another way to do more with less -- extending application functionality and data in new and flexible ways to Internet-connected devices and services. This is particularly true of organizations where the Web is central -- Twitter, for example. But this revolution also contains the seeds of its own destruction in the form of APIs that are unsecured, potentially posing serious risks to information and enterprise security.

As windows into the application architecture, APIs document various object structures and reveal how data is handled. That gives hackers a lot of clues they can use to launch attacks.

“In contrast to conventional Web apps, with layers of functionality such as presentation graphics between the outside world and the internal application, APIs are a much more direct connection,” says K. Scott Morrison, senior vice president and distinguished engineer at CA Technologies in Vancouver, British Columbia. 

APIs provide a great opportunity for organizations to begin to integrate systems and data. However, decision makers need to think hard about the impact of doing that and the unintended consequences. “The consequences can be anything from revealing information that shouldn’t be shared to simply leaving unwanted tracks on the Web,” Morrison says. APIs may end up exposing customer data with implications we don’t yet grasp; for example, the “ownership” of data describing someone’s location at a particular time or the setting on a thermostat is unclear. Enterprises want to have some control over that. API security is a place to start.

To ensure applications and data are as safe as possible, CIOs and development team leads need to consider what internal data to protect, and what functionality and data the organization is willing to expose right from the start, advises Merritt Maxim, senior analyst for security and risk at Forrester Research Inc., in Cambridge, Mass. Development of a public API should be accompanied by a risk assessment that considers all the systems that the API could affect, how a breach might impact the organization, and what controls and policies would be needed to prevent a breach or to minimize damage.

Gateways and API management

Organizations have begun to find ways to better manage APIs, and this is a foundation for improved security, according to Maxim. Some of this is accomplished through reformed practices or point products. But a big part of the response has been the adoption of API management platforms and gateways, which can be implemented either in hardware or software.

API management products often include a gateway function, and they also serve up additional features such as authentication, analytics, hosting and billing options. The products are available from a wide range of vendors including 3scale, Akana (formerly SOA Software), Apigee, Axway, CA Technologies, IBM, Informatica, Intel Services, MuleSoft, Tibco Software and WSO2.

“The concept is that a gateway can serve a number of functions such as traffic monitoring, security and failover, which is important for APIs that get a lot of hits,” Maxim says. However, a gateway can also serve a secondary function, in terms of providing API monitoring, tracking access, and auditing it to provide input and alerts to a security team about how the APIs are being used.
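The gateway duties Maxim lists (authenticating callers, counting traffic, auditing access and alerting a security team), together with Morrison's earlier point about exposing only the data an organization intends to share, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from CA Technologies, Forrester or any of the gateway vendors named above. The API keys, the internal customer record, the allow-list of public fields and the rate limit are all constructed sample values, and the request path and timestamps are supplied by the caller rather than taken from a real HTTP server.

```python
"""Minimal gateway-style request filter (added example, not vendor code).

It models four duties an API gateway performs in front of a public API:
  1. authenticate the caller by API key,
  2. count traffic per client in a sliding window and reject excess,
  3. write an audit record for every request, allowed or not,
  4. raise an alert for the security team on bad keys or rate-limit hits.
It also applies an allow-list so that internal fields never leave the
gateway, which is the "expose just enough" point made in the article.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample data: API key -> client id.
API_KEYS = {"key-alpha-123": "client-alpha", "key-beta-456": "client-beta"}

# Constructed internal record. Only allow-listed fields may be returned.
INTERNAL_RECORD = {
    "customer_id": 42,
    "display_name": "A. Customer",
    "thermostat_setpoint_c": 21.0,
    "home_address": "1 Example St",   # internal only
    "last_location": "51.5,-0.1",     # internal only
}
PUBLIC_FIELDS = frozenset({"customer_id", "display_name", "thermostat_setpoint_c"})


@dataclass
class Gateway:
    rate_limit: int                  # max calls per client per window
    window_seconds: float = 60.0
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    _calls: dict = field(default_factory=lambda: defaultdict(deque))

    def handle(self, api_key, path, now):
        """Process one request; returns (status, body). `now` is a timestamp."""
        client = API_KEYS.get(api_key)
        if client is None:
            # Unknown key: audit it, alert on it, and refuse.
            self._record("anonymous", path, now, 401, "invalid_key")
            self.alerts.append(("invalid_key", api_key, now))
            return 401, {"error": "unauthorized"}

        # Sliding-window traffic count: drop timestamps older than the window.
        window = self._calls[client]
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.rate_limit:
            self._record(client, path, now, 429, "rate_limited")
            self.alerts.append(("rate_limited", client, now))
            return 429, {"error": "too many requests"}
        window.append(now)

        # Serve only the allow-listed fields of the internal record.
        body = {k: v for k, v in INTERNAL_RECORD.items() if k in PUBLIC_FIELDS}
        self._record(client, path, now, 200, "ok")
        return 200, body

    def _record(self, client, path, now, status, outcome):
        """Append one audit entry; a real gateway would ship this to a SIEM."""
        self.audit_log.append({"ts": now, "client": client, "path": path,
                               "status": status, "outcome": outcome})


def leaked_fields(response_body):
    """Return any fields in a response that are not on the public allow-list."""
    return sorted(set(response_body) - PUBLIC_FIELDS)


if __name__ == "__main__":
    gw = Gateway(rate_limit=3)
    print(gw.handle("bogus-key", "/v1/customer/42", 0.0))
    for t in (1.0, 2.0, 3.0, 4.0):
        print(gw.handle("key-alpha-123", "/v1/customer/42", t))
    print("alerts:", gw.alerts)
    print("audit entries:", len(gw.audit_log))
```

The audit log records rejected calls as well as successful ones, which is what lets a security team see probing with bad keys or bursts from one client; `leaked_fields` is the kind of check a build or test pipeline can run against a sample response to confirm the allow-list still holds after a change.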


This was last published in April 2015


What criteria does your company follow to ensure API security?

This article raises interesting questions, particularly about privacy and API exposure. I think every company should be careful what data they expose this way. It should be just enough to provide value, without being a detriment to consumers.