
Critical sectors can find a balance between API security and opening up to their partner ecosystem


Companies in critical sectors, where security is especially important, can – and should – open up to their partners via APIs without being threatened. But many fear they would have to compromise on API security to achieve greater speed.

The push for openness has at its heart this tension: wanting to go faster, drive revenue, and build better experiences, and needing to shore up defenses to protect mission-critical systems and data.

But it’s becoming impossible to operate at the speed of business and build better customer experiences without opening up to your partner ecosystem. Axway is uniquely positioned to address the need for high-level security, so organizations that depend on it can focus on driving forward.

Security is a pressing concern

It feels as though every day there’s a new security breach being reported in the news.

Only a few months ago, organizations around the world scrambled to remedy a critical vulnerability in the Log4j framework, which is embedded in software around the world. The security flaw discovered in the Java logging library Apache Log4j makes it possible for hackers to remotely execute code and access systems.

The vulnerability is so widespread that cybersecurity experts report millions of attempts to exploit it every hour – and that’s just in the United States.

Another potential strike point: according to cloud security specialist Sysdig, 75% of containers are running with high or critical vulnerabilities.

Containers make it easy to quickly implement new features in information systems, and many rely on this convenient tool. What often happens, though, is that people will create containers from a set of solutions and forget to check their framework security.

The increased growth of API traffic is also leading to an increase in malicious traffic. Gartner predicted several years ago that API hacks would become the most common form of cyberattacks in 2022.

Salt’s State of API Security found that API attacks are increasing at an alarming rate: a 348% increase in six months. And vulnerabilities discovered in the cloud are increasing by 150%, with two-thirds of that increase due to poorly secured APIs.

Watch the webinar in French: Entre ouverture du SI et sécurité, trouvez le bon équilibre dans votre stratégie d’API.

Critical infrastructure operators have unique needs

With all of these stories to stoke security worries, it’s no wonder organizations are skittish about opening up their systems.

And critical infrastructure operators are, understandably, particularly cautious. In France, they are referred to as Operators of Vital Importance (OIV, Opérateurs d’Importance Vitale) and Essential Service Operators (OSE, Opérateurs de Services Essentiels), but regardless of what you call them, they are players that support critical infrastructure and operations.

They include government agencies (civil, judiciary), defense departments and law enforcement such as military, space agencies or police departments, infrastructure operators (energy, transportation, finance, communications), and health actors like medical providers, water systems, and agriculture.

These organizations play a vital role in the life of a country and ensure that this life continues despite problems that may arise — they need to be able to guarantee a certain number of services, such as health missions and continued water and food distribution.

And they’re cautious for good reason: the nature of their work means they require airtight security to protect data privacy & intellectual property.

They are also subject to many standards, operating within a tightly regulated field.

To name just a few laws, organizations in Europe must comply with the General Data Protection Regulation (GDPR), which is designed to protect personal data and increase the accountability of those processing it.

The European Union Agency for Cybersecurity (ENISA) enforces the NIS Directive – which requires EU Member states to supervise the cybersecurity of critical market operators in their country – and the Cybersecurity Act, which establishes a cybersecurity certification framework.

In the United States, healthcare organizations must comply with HIPAA and the Interoperability Rule, California’s Consumer Privacy Act (CCPA) has wide-reaching effects, and COPPA imposes certain requirements on all operators of websites or online services directed to children under 13 years of age.

GDPR and the U.S. CLOUD Act also highlight potential sovereignty concerns, further complicated by the European Court of Justice’s decision in July 2020 to annul an agreement called the Privacy Shield. This agreement simplified cross-compliance between GDPR and the American CLOUD Act.

Due to concerns over U.S. surveillance laws, the agreement is now void, and the transfer of personal data across the Atlantic is much more complex – and potentially costly. Many European organizations are faced with tough decisions: for example, debate raged when France’s Health Data Hub chose Microsoft’s Azure cloud for its centralized health data platform.

All these noncompliance risks understandably add to the hesitancy of critical sector operators to open up.

You can open up while maintaining top-level security and compliance

Despite all of these important security and privacy considerations, remaining closed off just isn’t a possibility in our day and age. Customers and citizens have come to expect more innovative services and fully digital processes, and those just aren’t possible without opening up to a wider ecosystem of partners.

Bundesagentur für Arbeit is Germany’s federal labor agency, and they are delivering eGovernment services in more modern and secure ways than ever thanks to Axway solutions. BA distributes some €150 billion in benefits every year to citizens through Axway’s secure MFT service.

Axway’s B2B Integration solution brings over 100,000 German employers onto a secure, central platform so that BA doesn’t need to rely on paper forms and can instead receive and process information from employers digitally, with minimal human involvement.

And crucially, thanks to a single point of control for API security with the Amplify API Management Platform, BA’s dedicated cybersecurity teams defend the organization against up to five million cyber attacks every day.

This level of API security isn’t just promised: it’s also measured with audits performed by the German Federal Statistical Office every two years. The agency verifies compliance of these solutions and certifies that they meet cybersecurity requirements.

API security at the heart of the API lifecycle

API security is part of each phase of the API lifecycle. It starts with a secure API gateway that needs to support a certain number of security mechanisms, which are fundamental to ensuring a secure layer. The gateway allows organizations to deploy APIs, and it needs to be able to automate those security mechanisms.

This platform should also take inventory of all the entry points to the information system; if you have visibility on these entry points with an API catalog, it’s much easier to apply security governance. And central governance is especially helpful in guaranteeing the implementation of your required security levels.

Smals is a Belgian company specializing in delivering ICT (Information and Communication Technology) solutions for the government, social and healthcare organizations, and public services that need IT services.

When migrating to the Amplify API Management platform, the company needed to do it in a controlled way to maintain high availability: some of its integrations were with pharmacists’ software that has to run 24/7. Amplify allowed Smals’ teams to transparently migrate their legacy services and implement new services faster.

As we have worked with Smals for more than five years, through technological evolutions and new solutions they have implemented, new needs have arisen, and we’ve helped maintain this level of security and even increase it at times.

We didn’t just implement a solution and move along: we’re with you for the long haul, and we’re able to guarantee high security standards.

Security starts at the very beginning

The next benefit of an API management platform is that it allows you to develop guidance and enforce rules for a more consistent API landscape. Bringing it all together on a central plane allows for a comprehensive data access policy.

It’s when you’re designing APIs, from the very start of the process, that you need to be thinking about what needs to be done to protect data.

  • At the design stage, you decide which data should be part of an API that will have a wider scope of use vs more regulated access. It’s also in the design phase that you’ll implement tokenization to protect sensitive data.
  • When you move to deploying your APIs, secure automation allows approved component repositories and automatic compliance checks, along with robust testing mechanisms.
  • Finally, when an API is deployed and is being used, you need monitoring with flexible granularity. You need mechanisms to securely observe how your APIs are being used.
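
One form the automatic compliance check at the deploy stage can take, sketched here as an added example (not Axway or Amplify code): a pipeline step that inventories every operation in an OpenAPI 3 document and fails on any that can be called without credentials. The sample spec and the `x-public` extension are constructed for illustration.

```python
# Added example: catalog every entry point in an OpenAPI 3 document and
# flag operations that can be called without credentials.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec for a hypothetical metering API.
# "x-public" is a hypothetical extension marking endpoints approved as public.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"oauth2": ["meters:read"]}],  # default for all operations
    "paths": {
        "/meters": {"get": {"operationId": "listMeters"}},
        "/meters/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"security": [{"oauth2": ["meters:read"]}, {}]},
            "delete": {"security": []},
        },
        "/status": {"get": {"security": [], "x-public": True}},
    },
}


def inventory(spec):
    """Return one record per operation: the catalog of entry points."""
    default = spec.get("security", [])
    records = []
    for path, item in sorted(spec.get("paths", {}).items()):
        for method, op in sorted(item.items()):
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters"
            # Operation-level security replaces the default, even when empty.
            reqs = op.get("security", default)
            # An empty list, or an empty {} alternative, permits anonymous calls.
            anonymous = not reqs or any(r == {} for r in reqs)
            records.append({"method": method.upper(), "path": path,
                            "anonymous": anonymous,
                            "public": bool(op.get("x-public"))})
    return records


def violations(spec):
    """Operations reachable without credentials and not approved as public."""
    return [f"{r['method']} {r['path']}" for r in inventory(spec)
            if r["anonymous"] and not r["public"]]


if __name__ == "__main__":
    for finding in violations(SAMPLE_SPEC):
        print("unauthenticated entry point:", finding)
```

The two findings on the sample are the cases reviewers tend to miss: an operation-level `security: []` that silently cancels the global default, and an empty `{}` alternative that makes authentication optional.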

A centrally governed, developer-friendly API management platform allows you to guide all the people in charge of creating APIs by making their work easier and bringing it back to a central plane.

A sovereign platform

Having greater control over your data also brings us back to the issue of sovereignty.

This is why Axway has formed partnerships with all the major cloud providers, allowing the Amplify API Management platform to be deployed in all clouds, including SecNumCloud, which complies with European data privacy regulations.

For example, by integrating with the Trusted Digital Platform partnership between France’s OVH Cloud and Sopra Steria, we’re able to support the digital transformation of public and private European players that have an especially strong need for sovereignty and data protection.

Security certifications offer a guarantee

Amplify ensures required security levels, especially for these critical sectors.

Right now, we are in the process of obtaining a certification called EAL4+, which is a Common Criteria certification from an independent agency. Common Criteria certifies security for defense & space systems, energy networks, financial trading networks, and communications networks.

It’s a long and extremely intense process: it even looks at how we build our software solutions and ensures there’s an established process for dealing with security breaches, such as we saw with Log4j.

The Amplify API Management platform is the only solution in the process of EAL4+ certification.

A security guarantee was especially important for our client RTE. Europe’s largest electricity transmission operator, RTE processes 340 million API calls annually.

When the French government’s Open Data policy required public utilities companies to open up their data, RTE needed to set up an API management platform that would also fit within their plan to reshape customer relations and create new services.

With Amplify API Management, RTE was able to securely open up the use of its data to a much larger ecosystem that includes academics, students, media, and businesses that analyze their data.

“The success of the project was largely due to the involvement of the teams from Axway and CGI [our service provider] in helping us to build the solution in terms of architecture, setting up the service, and keeping the project on schedule. Since setting up the service, the Axway support team has proved very responsive,” says Stéphane Ménozzi, API Services Lead at RTE.

Don’t rely on technology alone

API security requires a combination of technology and processes.

Security is truly at the heart of our expertise at Axway. And it is a combination of not just software solutions, but also know-how and expertise. Implementing solutions without knowing what to do with them or how to configure them misses the mark.

We have developed a network of experts at Axway and with our partners who help guide the implementation of these solutions and raise awareness of the entire API life cycle, from their construction to their deployment, in order to implement secure APIs.

What’s more, Axway has been a trusted partner in securing APIs while powering digital transformation for twenty years. It’s why 40% of OECD governments, 60% of top banks, and 80% of top healthcare manufacturers run on Axway solutions.

Vendor expertise, as we’ve recently reaffirmed, will help you get there. Our Catalysts can help you make better decisions about technology, teams, governance, funding, ecosystems, or monetization, and our support teams are there to see your digital transformation through.

Security, privacy, and compliance concerns shouldn’t have to get in the way of modernizing operations and better serving your customers: you both deserve better.

Read our whitepaper to learn why an open platform is the natural selection in a world of rapidly evolving security threats.

Key Takeaways

  • API hacks are becoming increasingly common, as more API traffic translates into more malicious traffic.
  • These security concerns have made organizations skittish about opening up to their partners through APIs — especially in the case of critical infrastructure operators.
  • Thanks to Axway solutions, there are secure ways for these companies to open up.
  • With an API management platform in place, companies can enact and enforce security measures in a consistent, controlled manner that keeps data protected.
  • As a trusted partner in securing APIs, Axway is used by 40% of OECD governments, 60% of top banks, and 80% of top healthcare manufacturers.