Over the last few years, I’ve had credit cards replaced and received notifications from my insurance company and other entities that my data was compromised. I’m assuming most of you have as well.
And yet when it comes to API Management, many companies seem to ignore the hard lessons they’ve learned in their personal lives about the importance of security. It’s a bit surprising. All the consumer APIs we use are outside the firewall; otherwise we couldn’t use them. But companies either don’t use API management products at all, or choose API management products that aren’t the most secure. There have been several well-known API breaches, such as Moonpig and Snapchat, and incidents like these can do major damage to a brand or lead to fines, depending on the industry.
The truth is, people don’t know all the facts about API security. We know this in part because we spend a lot of time educating the market. Mark O’Neill, our VP of Innovation and one of the founders of our API management offering, spends a lot of time explaining API security, for example in his talk on the OWASP Top 10 and beyond.
This fact is also known to some analysts. KuppingerCole, a respected analyst firm in the area of security, just released its Leadership Compass on API Security Management. Interestingly enough, only one market-leading vendor ended up among the top three leaders across all four ratings (overall, market, product and innovation) while also earning strong positives across all the major capabilities. That vendor was Axway. If you want to know more, and you should, I’d recommend you read the report. The other two vendors in the top three are not market-leading vendors and were cited as lacking the market share or a complete API management solution. The other market-leading vendors aren’t rated at all. Why? In the words of the analyst, “several of the major vendors have decided not to participate in the rating for various reasons.” The real reasons they didn’t participate may never be revealed; this is a security analyst after all. But in this case it seems pretty obvious.
But why care now? Is securing APIs really one of the most important problems a company should be solving today, and how should they solve it? The first question is easy to answer. It is important, because digital business is the future. And if you build your digital business on an insecure foundation, you may end up with more than huge fines and lawsuits. You may end up with a brand killing event, and a lack of trust in your APIs that will translate to a lack of actual usage, customers, and revenues.
The question of how to solve it is a bit harder. KuppingerCole gives some solid guidance. The report rates core security features including service and API virtualization, security and threat mitigation, identity and access control, availability and performance. It also looks at how well security is integrated into the developer portal, analytics, and overall management.
If you don’t have a clear answer, then you have your first job. You need to hire someone who is a security expert and understands APIs, mobile applications, cloud integration and even Big Data. All of these rely on APIs, and therefore on API security.
You will also need to build a layered approach to security. Perhaps the simplest analogy is your house. If you have an alarm system, you have several layers, or zones: a gate, door locks, motion detectors and cameras. You may have someone local who can check on the house, and you’re probably wired up to an alarm company with passwords they use to figure out whether an alarm is false or real. And they can call the police. Layering, also called defense in depth, is generally considered a best practice in IT today.
API Security is very similar, in part because there are so many different types of threats, and overlapping controls are safer than relying on any single one. If you want a high level discussion, read Gunnar Peterson’s whitepaper on the top 10 API security best practices. Beyond your traditional firewall and security team, which may also operate a Web Application Firewall (WAF), a great API security implementation has:
- API firewalling as part of the API management infrastructure, which inspects API calls before they reach the back-end service. This is accomplished via service virtualization or a proxy, along with a specialized rules engine. ModSecurity is a common engine for this, and the OWASP Top 10 is the usual baseline for the threats it protects against.
- Identity and access management that authenticates and authorizes every use of an API and the data behind it.
- Policy management that enforces advanced technical and business security policies against APIs. Authentication and authorization may also be implemented as policies, which makes development easier and keeps the rules in one place.
- Auditing, to record every important access and the data involved. Audit trails can be used to investigate suspicious usage after the fact.
- Analytics to help detect suspicious behavior. Ideally companies also baseline usage over time, look for anomalies against that baseline, and alert as soon as one is detected.
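To make the five layers concrete, here is an added example (not code from the original post, and not Axway’s product) of a minimal gateway pipeline in Python that runs each request through firewall rules, token authentication, scope-based authorization and rate-limit policies, writes an audit record for every decision, and raises an analytics alert when a client accumulates repeated denials. The rule patterns, token table, route scopes, thresholds and sample requests are all constructed assumptions, not real rule sets or real traffic.

```python
"""Toy layered API gateway. Illustrative only; rules, tokens and traffic are constructed."""
import itertools
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    token: Optional[str] = None
    source_ip: str = "0.0.0.0"


# Layer 1: API firewall rules, a tiny stand-in for a ModSecurity-style rule set (assumption).
FIREWALL_RULES = [
    ("sql-injection", re.compile(r"('|--|/\*|\bunion\b|\bselect\b)", re.I)),
    ("path-traversal", re.compile(r"(\.\./|%2e%2e)", re.I)),
]
# Layer 2: identity store, opaque bearer token -> (client_id, granted scopes). Constructed.
TOKENS = {
    "tok-alice": ("alice", frozenset({"orders:read"})),
    "tok-bob": ("bob", frozenset({"orders:read", "orders:write"})),
}
# Layer 3: policies. Authorization is expressed as a policy (required scope per route),
# alongside a per-client rate limit. Constructed values.
ROUTE_SCOPES = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}
RATE_LIMIT, RATE_WINDOW = 5, 60.0     # requests per client per window (seconds)
ALERT_THRESHOLD = 3                   # denials per client per window before analytics alerts


class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.audit_log = []                    # Layer 4: one record per decision
        self.alerts = []                       # Layer 5: anomaly alerts
        self._hits = defaultdict(deque)        # rate-limit state per client
        self._denials = defaultdict(deque)     # denial timestamps per client (or IP)

    def handle(self, req: Request) -> Tuple[int, str]:
        status, reason, client = self._decide(req)
        self._audit(req, client, status, reason)
        self._analyze(client or req.source_ip, status)   # pre-auth denials are keyed by IP
        return status, reason

    def _decide(self, req):
        # 1. Firewall: inspect the raw request before any back end is involved.
        for name, pattern in FIREWALL_RULES:
            if pattern.search(req.path) or pattern.search(req.query):
                return 400, f"firewall:{name}", None
        # 2. Authentication.
        identity = TOKENS.get(req.token or "")
        if identity is None:
            return 401, "authn:invalid-token", None
        client, scopes = identity
        # 3. Authorization as policy: the route must be known and its scope granted.
        route = next((k for k in ROUTE_SCOPES
                      if k[0] == req.method and req.path.startswith(k[1])), None)
        if route is None:
            return 404, "policy:unknown-route", client
        if ROUTE_SCOPES[route] not in scopes:
            return 403, "authz:missing-scope", client
        # 3b. Rate-limit policy (sliding window).
        if self._over_limit(client):
            return 429, "policy:rate-limit", client
        return 200, "ok", client

    def _over_limit(self, client) -> bool:
        now, q = self.clock(), self._hits[client]
        while q and now - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def _audit(self, req, client, status, reason):
        self.audit_log.append({"ts": self.clock(), "client": client, "ip": req.source_ip,
                               "method": req.method, "path": req.path,
                               "status": status, "reason": reason})

    def _analyze(self, key, status):
        if status < 400:
            return
        now, q = self.clock(), self._denials[key]
        q.append(now)
        while q and now - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) == ALERT_THRESHOLD:          # fire once per streak, not on every denial
            self.alerts.append(f"{key}: {ALERT_THRESHOLD} denials within {RATE_WINDOW:.0f}s")


# Constructed sample traffic: a normal read, an injection attempt, a traversal attempt,
# an unknown token, two scope violations and an unknown route, then a burst over the limit.
SAMPLE_REQUESTS = [
    Request("GET", "/orders", token="tok-alice", source_ip="10.0.0.1"),
    Request("GET", "/orders", query="id=1' OR 1=1--", token="tok-alice", source_ip="10.0.0.1"),
    Request("GET", "/orders/../admin", token="tok-bob", source_ip="10.0.0.2"),
    Request("GET", "/orders", token="tok-mallory", source_ip="10.0.0.9"),
    Request("POST", "/orders", token="tok-alice", source_ip="10.0.0.1"),
    Request("DELETE", "/orders/7", token="tok-alice", source_ip="10.0.0.1"),
    Request("POST", "/orders", token="tok-alice", source_ip="10.0.0.1"),
] + [Request("POST", "/orders", token="tok-bob", source_ip="10.0.0.2") for _ in range(6)]


def run_demo():
    """Run the sample traffic with a deterministic clock; returns (decisions, alerts, audit log)."""
    ticks = itertools.count()
    gw = Gateway(clock=lambda: float(next(ticks)))
    results = [gw.handle(r) for r in SAMPLE_REQUESTS]
    return results, gw.alerts, gw.audit_log


if __name__ == "__main__":
    decisions, alerts, log = run_demo()
    for rec, (status, reason) in zip(log, decisions):
        print(rec["client"] or rec["ip"], rec["method"], rec["path"], status, reason)
    print("alerts:", alerts)
```

The order matters: the firewall runs before authentication so that malformed or hostile input never reaches the identity layer, and the audit record is written for every outcome, including the ones the earlier layers rejected, which is what lets the team prove what happened later. The analytics layer only counts denials, so a client who is simply busy trips the rate limit but does not raise an alert until the denials themselves start to pile up.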
When an API management team has all these components, they not only trust the layers more; they can also prove they’re doing the right thing with their own audit trails. When they have the analytics, they find issues faster. And when they own their own API firewalling, identity and access management, and policy management, they can respond faster: new rules can be implemented and bad traffic blocked without waiting on another team.
Start by reading the KuppingerCole report. Get an overview of best practices from Gunnar Peterson. Hear Mark O’Neill talk on the OWASP Top 10 and beyond. Or hire a security lead. But start building the foundation now.