Security for APIs, or APIs for Security?
How many times have you driven away from your house wondering if you remembered to lock the door? Personally, I have turned my car around to check more than once, and my neighbors have gotten calls asking to check at least twice.
Our home is our prized asset. We need a door to allow friends and family to come in and out, but we also want to make sure that unwanted guests can’t enter. So we put a lock on the door — yet still we worry.
APIs as intelligent doors
APIs are like the doors to your enterprise assets. The purpose of the digital transformation most of today’s enterprises are undertaking is to have new use cases built around their most differentiated assets: their physical stores, content, and data.
Putting these assets on total lockdown does your enterprise no good. If your assets are in Fort Knox, what customer would actually go through the trouble of using them? What you want instead are intelligent doors (APIs) that open up the right assets to the right people, whether they are developers inside your company, trusted partners, or third-party developers building on your platform.
Because APIs are such a critical part of any digital strategy—and because a lack of API security would bring the digital revolution to a grinding halt—everyone using APIs puts a lot of emphasis on securing them. But how do you actually go about securing an API?
APIs as contracts
For this part of the discussion, it’s helpful to think about an API as a contract for accessing a particular door. Because the contract spells out which requests are expected and what they may return, the organization that offers the API can fully document and understand every interaction between a calling application and the API. That contract-driven model lets the provider attach policies and security controls to every interaction, and reject anything that falls outside the contract.
An API team can therefore regulate which applications and end users are authorized to use an API and which parts of the API they are allowed to use. The team can also control what an authorized user can do, including limits on the number of API calls that can be made, or when they can be made. Finally, the team can follow the trail of API calls to understand exactly what authorized API users did, and what unauthorized attempts may have been made.
As a result, APIs need not present a new security risk. Done well, they give organizations a well-documented and widely adopted way to share access to data and services, internally and with third parties, while maintaining strict security controls on every call.
APIs for programmatic access
Compared with the other ways enterprise data is shared—via a web site, file transfer, email, or even a printing press—a well-implemented API offers a far stronger set of security controls.
APIs are different because they are designed from the ground up to do only one thing: provide programmatic access to developers who write applications. A well-implemented API ensures that only authorized end users and applications can reach your enterprise assets; limits the amount of API traffic any one of them can generate; checks that API traffic does not carry malicious content; and audits all traffic for later analysis and risk mitigation.
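The controls listed above and in the "APIs as contracts" section (authenticating the calling application, restricting it to the parts of the API in its contract, capping its call rate, and keeping an audit trail of allowed and denied attempts) are what an API gateway enforces in front of every request. The following is an added example, not code from the original post or from any particular gateway product; the client ids, secrets, paths and limits are constructed for illustration, and the gateway logic is a minimal stand-in for a real policy engine.

```python
"""
Added example: a minimal contract-enforcing gateway layer. It authenticates
the caller, checks the requested (method, path) against the caller's contract,
applies a sliding-window rate limit, and audits every attempt. All client
ids, keys, paths and limits below are constructed for the example.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class ClientPolicy:
    # Constructed policy for one registered application.
    key_sha256: str                  # store a hash of the key, never the raw key
    allowed: Set[Tuple[str, str]]    # (method, path prefix) pairs in this app's contract
    rate_limit: int                  # max accepted calls per window
    window_s: int = 60


@dataclass
class Gateway:
    policies: Dict[str, ClientPolicy]
    audit: List[dict] = field(default_factory=list)
    _calls: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))

    def _record(self, client_id, method, path, decision, reason, now):
        # Audit every attempt, authorized or not, so the trail can be reviewed later.
        self.audit.append({"ts": now, "client": client_id, "method": method,
                           "path": path, "decision": decision, "reason": reason})
        return decision, reason

    def authorize(self, client_id: str, api_key: str, method: str, path: str,
                  now: Optional[float] = None) -> Tuple[str, str]:
        now = time.time() if now is None else now
        policy = self.policies.get(client_id)
        # 1. Authentication: unknown client or wrong key. Compare digests in
        #    constant time so the check does not leak key bytes through timing.
        presented = hashlib.sha256(api_key.encode()).hexdigest()
        if policy is None or not hmac.compare_digest(presented, policy.key_sha256):
            return self._record(client_id, method, path, "deny", "bad_credentials", now)
        # 2. Authorization: only the (method, path) pairs in the contract. Match on
        #    whole path segments so "/v1/catalog" does not also grant "/v1/catalogue".
        in_contract = any(method == m and (path == p or path.startswith(p + "/"))
                          for m, p in policy.allowed)
        if not in_contract:
            return self._record(client_id, method, path, "deny", "not_in_contract", now)
        # 3. Rate limit: sliding window over recently accepted calls.
        calls = self._calls[client_id]
        while calls and now - calls[0] >= policy.window_s:
            calls.popleft()
        if len(calls) >= policy.rate_limit:
            return self._record(client_id, method, path, "deny", "rate_limited", now)
        calls.append(now)
        # 4. Allowed; the audit record is written on this path too.
        return self._record(client_id, method, path, "allow", "ok", now)


def make_demo_gateway() -> Gateway:
    # Constructed registry: a partner app with read-only access to /v1/catalog
    # and an internal app that may also create orders.
    def h(k: str) -> str:
        return hashlib.sha256(k.encode()).hexdigest()
    return Gateway(policies={
        "partner-app": ClientPolicy(h("partner-secret"), {("GET", "/v1/catalog")}, rate_limit=3),
        "internal-app": ClientPolicy(h("internal-secret"),
                                     {("GET", "/v1/catalog"), ("POST", "/v1/orders")},
                                     rate_limit=100),
    })


if __name__ == "__main__":
    gw = make_demo_gateway()
    t = 1_000_000.0
    print(gw.authorize("partner-app", "partner-secret", "GET", "/v1/catalog/123", t))
    print(gw.authorize("partner-app", "partner-secret", "POST", "/v1/orders", t))
    print(gw.authorize("partner-app", "wrong-secret", "GET", "/v1/catalog", t))
    for i in range(1, 5):
        print(gw.authorize("partner-app", "partner-secret", "GET", "/v1/catalog", t + i))
    for rec in gw.audit:
        print(rec)
```

Two design points worth noting: denied calls are not counted against the rate limit, so a client cannot be locked out by someone else guessing its id with bad keys, and every outcome, including failures, lands in the same audit list, which is what lets the API team later reconstruct both what authorized users did and what unauthorized attempts were made.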
In other words, by creating intelligent doors, and by putting the right locks on them—and, over time, shutting off other, less secure existing windows and doggie doors—your enterprise assets become more secure.
If you are an enterprise going digital and you are concerned about the security of your assets, it’s time to consider an API-first approach to digital transformation.
Image:Arthur Shlain/The Noun Project