CCSK Guide
15 Aug 2012

Securing an API Strategy

Application Programming Interfaces (APIs) are a crucial technology trend and have given rise to new business models built on them. This so-called “API economy” is growing fast and has changed the perspective of many organizations, which are now making access to internal data available to third parties. This enables both partners and customers to develop value-added applications on top of that data. Of course, with this increased opening and sharing of data, many have become concerned about the security risks related to APIs. This article examines the opportunities offered by the API economy, as well as the new security challenges it poses.

What is the API Economy?

The API economy includes API developers, the businesses providing the APIs, the businesses hosting the APIs, and application developers. Recent estimates put the number of documented APIs on the web at over 5,000, with another 5,000 projected by the end of 2012. Within a mere four years, this could skyrocket to over 30,000 documented APIs. It won’t be long before it is impossible to have a credible web application that doesn’t expose APIs that other applications can call.

“We could be on the verge of a new ‘programmable’ age of cloud computing, where developers will be able to invoke data inside an application without needing to actually move data into it,” says Slashdot blogger Michael Vizard. “That approach may do more than save on storage and networking costs; it’s arguably only through the use of such APIs that cloud applications will be able to truly scale.”

A new platform

Industry observers now say that the organization is the platform. APIs rely on data: consider shipping information APIs (shipping data), financial quote APIs (financial data), and geographic APIs (location data). A general rule of the API economy is that if an organization is willing to free its data, the applications will follow.

The new culture of the API economy has permeated organizations, even up to the board room level. Many CEOs expect their CIOs and CTOs to be able to present iPhone and Android app versions of their most recent service offerings. The mistake is that many CEOs end up asking “Why aren’t we building iPhone apps?” instead of asking “Why aren’t we allowing others to write iPhone apps on top of our data?”

What this means is that the organization should strive to become more of a transparent platform for presenting data to third parties, who will then develop mobile apps on top of this platform. Essentially, this requires the organization to become the platform.

Securing APIs

In this new API economy, enterprises are free to deliver business services through cloud, mobile and partner channels rapidly and on their own terms. This means that enterprises will need agile API server platforms to bring new business services to market quickly. The reality is that APIs handle important business transactions, often with a direct impact on customer interactions and the business’s ability to execute.

Inefficient or ineffective API security results in lost sales, missed opportunities and an inability to deliver. APIs therefore require a secure supporting infrastructure that ensures they are properly managed, delivered and secured.

Effective security is crucial, as organizations will need to track any suspicious usage of APIs to ensure that their APIs can be safely deployed, without placing any sensitive data at risk. Important business functions, including ordering, fulfillment and payment are conducted through APIs, so any attacks on these critical processes are detrimental.

It’s necessary to recognize that malicious attacks and exploits are becoming increasingly organized and complex, while the proliferation of API clients also subjects APIs to more and more “friendly fire,” due to poorly engineered or malfunctioning clients.

There are three simple practices that represent a good jumping-off point for secure APIs:

  1. Use HTTPS if possible
  2. Don’t transmit any important data in plaintext
  3. Sanitize your inputs
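The following is an added example, not code from the CCSK Guide post, showing how the three practices above can be applied together in a single request guard for a hypothetical order-placement API. The endpoint, field names, sample requests and the assumption that a trusted TLS-terminating proxy sets X-Forwarded-Proto are all constructed for this illustration.

```python
# Added example: a request guard applying (1) HTTPS only, (2) no sensitive data
# in plaintext, (3) input sanitization to a hypothetical /v1/orders endpoint.
# Every name and sample value here is an assumption for illustration only.
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SENSITIVE_FIELDS = {"card_number", "api_key"}   # must never travel in the URL
ALLOWED_FIELDS = {"sku", "quantity", "card_number"}
SKU_RE = re.compile(r"[A-Z0-9-]{3,32}")         # allow-list for product codes
MAX_QUANTITY = 1000


@dataclass
class GuardResult:
    accepted: bool
    errors: list = field(default_factory=list)
    cleaned: dict = field(default_factory=dict)  # safe to log: no secrets


def guard_order_request(url: str, headers: dict, body: dict) -> GuardResult:
    result = GuardResult(accepted=False)
    parts = urlsplit(url)
    # 1. HTTPS only. X-Forwarded-Proto is trusted solely because this code is
    #    assumed to sit behind a proxy that terminates TLS and sets the header.
    scheme = headers.get("X-Forwarded-Proto", parts.scheme).lower()
    if scheme != "https":
        result.errors.append("transport: HTTPS required")
    # 2. No important data in plaintext: query strings end up in proxy and
    #    server logs, so secrets are only accepted in the body over HTTPS.
    query_keys = {kv.split("=", 1)[0] for kv in parts.query.split("&") if kv}
    for name in sorted(SENSITIVE_FIELDS & query_keys):
        result.errors.append(f"{name}: sensitive field must not be in the URL")
    # 3. Sanitize inputs: reject unknown keys, allow-list each accepted field.
    for key in sorted(set(body) - ALLOWED_FIELDS):
        result.errors.append(f"{key}: unexpected field")
    sku = str(body.get("sku", ""))
    if not SKU_RE.fullmatch(sku):
        result.errors.append("sku: must match [A-Z0-9-]{3,32}")
    qty = body.get("quantity")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        result.errors.append(f"quantity: integer in 1..{MAX_QUANTITY} required")
    if not result.errors:
        result.accepted = True
        # Secrets are deliberately left out of the loggable view of the request.
        result.cleaned = {"sku": sku, "quantity": qty,
                          "card_present": "card_number" in body}
    return result
```

A guard like this belongs at the API gateway or the first handler in the chain, so that every downstream service sees only validated, allow-listed fields.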

Summary

This article takes a look at the proliferation of application programming interfaces (APIs) and the resulting “API economy.” The economy is booming: it has been estimated that there will be over 30,000 documented APIs within the next four years. However, APIs necessitate increased access to enterprises’ internal data, which carries its own specific security risks. This article discusses the importance of effective security strategies in the new API economy and presents three simple practices that can help in the development of secure APIs.

CCSK Exam Preparation

In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:

  • Third party management recommendations (Domain 2)
  • Resource sharing (Domain 8)
  • Key management best practices and standards (Domain 11)