The pressures of adapting to life during the pandemic accelerated the adoption of technology. Organizations that had been reluctant, or unable to implement digital workflows, have been forced to adopt online processes. In fact, industry analysts estimate five to ten years of technological adoption has taken place in the past year.
This accelerated digitization is being driven further by the consumerization of IT. Customers, partners, and employees, all informed by their own consumer experience, now have high expectations for digital business systems. They demand services that are easy to access, and which consolidate information from multiple sources to speed up processes.
From being able to rapidly sign up for services with existing credentials; via a Google account using OAUTH, or the business’ Identification and Access Manager (IAM), to being able to track deliveries in real-time, or pulling live pricing information for commodities into a system, it is now seen as essential that applications access, exchange, and process data from many systems.
To do this, organizations use Application Programming Interfaces (APIs) to seamlessly connect these diverse systems, internally and externally. APIs define and manage how an application can securely connect to another system, accessing that system, and request the processing of information.
Providing APIs to customers and partners can offer fresh business opportunities, and deepen existing commercial relationships. For example, if a manufacturer-provided APIs enabling product customization and current stock levels, that would make it simpler for a customer business to automate order placement from within their own systems, strengthening the relationship between the two companies.
Internally, APIs can accelerate the flow of data insights around a business, and speed up the development of innovative systems. However, as the number of interconnected services and devices expands, so does the number of protocols used by APIs to handle the different types of information exchanges, meaning complexity is growing.
APIs, whether third-party or internal, are a core part of modern systems.
- Almost all businesses suffer API-related security issues (opens in new tab)
The risk of poorly managed APIs
With core business functions relying on APIs, both internally and customer-facing, issues caused due to poor API management can be far-reaching. APIs need monitoring and managing like other critical IT systems to ensure governance, control, and reliability.
It is therefore essential that IT teams can identify the APIs the business depends on, understand the level of use of each API, manage the lifecycle of APIs, control access to each API, and be alerted to changes or failures in APIs that can degrade services.
Without understanding API usage, change management and development prioritization become error-prone, risking service degradation and poor customer experience. Having full knowledge of API use enables the discovery of resources that can accelerate development and improve information flow.
What’s more, failing to deliver effective access control for APIs increases the risk of data breaches, system compromises, and economic attacks which abuse APIs to increase IT resource utilization.
Such API security problems are common, as ITProPortal has reported previously, 91 percent of enterprise security employees polled said they had experienced API security issues. 48 percent of these being authentication vulnerabilities, and over half of issues (54 percent) in production systems.
There have been numerous high-profile examples. In late 2020, popular dating app Bumble was discovered to have an API vulnerability that allowed users to bypass paying for Bumble’s premium services, while also accessing other users’ sensitive information like religion, education, height and their distance away in miles.
Credit reference agency Experian was also recently discovered to have provided an unauthenticated API to a partner’s site which allowed the credit scores of millions of Americans to be accessed just by providing a name and address.
Facebook Workspace fell victim too. Facebook Workspace can be configured to allow employees to automatically be approved for sign up if they register using their work email address. However an API vulnerability could be manipulated to allow any email address to join a corporate Workspace. Clearly a significant risk as an attacker would then appear as an insider, making information theft and phishing far simpler.
In each case, the direct risk of loss of revenue was relatively low, few Bumble users would have the ability to exploit the vulnerability to get free premium services. However the risks posed by that of data loss are highly significant, with fines for data breaches under the EU’s General Data Protection Regulations (GDPR) being up to 4 percent of global revenue.
To understand and manage the risk of API security it is critical to maintaining a clear overview of all APIs in use, and how they are being consumed. Bringing APIs under active management, gaining fine-grained API access control, coupled with API usage data, provides a route not only to a more secure environment but also to better manage IT costs and potentially to monetize API access, to directly add business value.
For service reliability, development efficiency, information governance and security; effectively managing the API ecosystem is now central to competent IT governance in any internet and microservices enabled business environment.
But what does effective API management look like?
- Myth-busting APIs for business (opens in new tab)
Managing APIs effectively
Legacy enterprise approaches to API management commonly force development teams to rebuild APIs to meet the needs of the API management tools. They also come at a significant cost, with many penalizing successes by ramping up license costs as API usage increases.
The new generation of API management platforms delivers effortless control over the entire API ecosystem (no longer just REST and SOAP, but also streaming technologies such as Kafka), without tying the hands of developers.
Built as an open-source platform, Gravitee.io provides teams with a powerful and effortless route to taming the complexity of their APIs; from discovery and analysis of API consumption, through to securing access and the development and publication of new APIs.
These core functions are coupled with a dashboard overview, remote system management, with alerting capabilities that help ensure full visibility and high system availability.
Act now on APIs
Today APIs are a business-critical resource, and being able to identify, manage, and govern the APIs a business depends on is vital to keeping digital processes secure and in reliable service.
For any business not actively managing its APIs, it is now time to start.
For any business struggling with the complexity and constraints of legacy API management tools, it is time for a review.
Free, open-source, advanced API management platforms are available which offer an effortless route to bringing APIs into effective management – within days, not months.
At that price, who can afford the risks of not managing APIs effectively?
- Why API security cannot be ignored by businesses today (opens in new tab)
Rory Blundell, Chief Executive Officer, Gravitee.io (opens in new tab)