Security for APIs, or APIs for security?

How many times have you driven away from your house wondering if you remembered to lock the door? Personally, I have turned my car around to check more than once, and my neighbours have had calls asking to check at least twice.

Our home is our prized asset. We need a door to allow friends and family to come in and out, but we also want to make sure that unwanted guests can’t enter. So we put a lock on the door - yet still we worry.

API: An intelligent door

APIs are like the doors to your enterprise assets. The purpose of the digital transformation that most of today’s enterprises are undertaking is to have new use-cases built around their most differentiated assets: their physical stores, content, data.

Putting these assets on total lockdown does your enterprise no good. If your assets are in Fort Knox, what customer would actually go through the trouble of using them? What you want instead are intelligent doors (APIs) that open up the right assets for the right people, whether it’s the developers inside your company, trusted partners, or third-party developers building on your platform.

Because APIs are such a critical part of any digital strategy - and because a lack of API security would bring the digital revolution to a grinding halt - everyone using APIs puts a lot of emphasis on securing them. But how do you actually go about securing an API?

Securing your APIs

For this part of the discussion, it’s helpful to think about an API as a contract for accessing a particular door. Because an API is a contract, it is possible for the organisation that offers the API to completely document and understand the interaction between the application that uses the API and the API itself. This contract-driven interaction model makes it possible for the organisation that provides an API to add policies and security controls at every interaction.

An API team can therefore regulate which applications and end users are authorised to use an API and which parts of the API they are allowed to use. The team can also control what an authorised user can do, including limits on the number of API calls that can be made, or when they can be made. Finally, the team can follow the trail of API calls to understand exactly what authorised API users did, and what unauthorised attempts may have been made.

As a result, APIs, rather than presenting a new security risk, provide a well-documented and popular way for organisations to share access to data and services both internally and with third parties, while also maintaining strict security controls.

Compared with the other ways enterprise data is currently shared - such as via website, file transfer, email, or even printing press - a well-implemented API offers a far stronger set of security controls.

APIs are different because they are designed from the ground up to do only one thing, and that is to provide programmatic access to developers who code applications. Well-implemented APIs ensure that only authorised end users and applications can access your enterprise assets; control the amount of API traffic that can be generated; ensure that API traffic does not contain malicious content; and they even audit all traffic for later analysis and risk mitigation.
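To make the contract-driven model from the two paragraphs above concrete, here is a small policy layer of the kind an API gateway enforces on every call: it checks which application is calling, whether the contract grants that application the scope for the requested operation, whether the payload is acceptable, whether the caller is within its quota, and it writes an audit record for every decision. This is an added illustration, not Apigee's code; the app registry, contract table and limits are constructed sample data.

```python
import time
from collections import deque

# Constructed registry of API consumers: app key -> granted scopes and quota.
APPS = {
    "partner-abc": {"scopes": {"catalog:read"}, "limit": 3, "window_s": 60},
    "internal-ops": {"scopes": {"catalog:read", "catalog:write"}, "limit": 100, "window_s": 60},
}

# The API contract: the scope each (method, path) requires. Anything absent is not exposed.
CONTRACT = {
    ("GET", "/catalog"): "catalog:read",
    ("POST", "/catalog"): "catalog:write",
}

AUDIT = []    # trail of every decision, allowed or refused, for later analysis
_calls = {}   # app key -> timestamps of recent calls (sliding window)

def _over_quota(key, now):
    """Sliding-window rate limit: count calls in the last window_s seconds."""
    app = APPS[key]
    recent = _calls.setdefault(key, deque())
    while recent and now - recent[0] >= app["window_s"]:
        recent.popleft()
    if len(recent) >= app["limit"]:
        return True
    recent.append(now)
    return False

def gateway(api_key, method, path, body="", now=None):
    """Return (status, reason) for one API call after applying every policy."""
    now = time.time() if now is None else now
    def decide(status, reason):
        AUDIT.append({"t": now, "key": api_key, "req": f"{method} {path}", "status": status, "reason": reason})
        return status, reason
    app = APPS.get(api_key)
    if app is None:
        return decide(401, "unknown application")
    needed = CONTRACT.get((method, path))
    if needed is None:
        return decide(404, "operation not in contract")
    if needed not in app["scopes"]:
        return decide(403, f"missing scope {needed}")
    # Simple content check (size and an obvious script tag); real gateways use richer rules.
    if len(body) > 1024 or "<script" in body.lower():
        return decide(400, "payload rejected")
    if _over_quota(api_key, now):
        return decide(429, "quota exceeded")
    return decide(200, "forwarded to backend")
```

Every refusal, not only every success, lands in AUDIT, which is what lets the API team reconstruct both what authorised users did and what unauthorised attempts were made.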

In other words, by creating intelligent doors (APIs), and by putting the right locks on them - and, over time, shutting off other, less secure existing windows - your enterprise assets become more secure.

If you are an enterprise going digital and you are concerned about the security of your assets, it’s time to consider an API-first approach to digital transformation.

Anant Jhingran, CTO, Apigee