If data is the new oil, APIs are the pipelines through which it flows. If they aren’t secure, the resulting spill can be devastating to a business. In fact, it’s estimated that API insecurity results in a loss of $41 billion-$75 billion annually.
Ensuring API protection involves more than just checking a box. It requires a multi-layered defense that starts with centralized API management and includes measures to establish a robust fortress around your data. Before we look into some best practices, let’s see what can happen when API security isn’t where it needs to be.
One retailer experienced a $1 million dollar loss due to API insecurity
I shared the following story in a recent webinar: drawing from a repository of internal APIs with minimal security measures, a popular retailer chose a tax calculation API that required an upgrade to create a better user experience.
A new version of the API was fully integrated in a few weeks and well-received for the streamlined, intuitive experience it delivered.
Unfortunately, on the day most retailers drop new releases, the store’s typically booming online sales plummeted to zero. The new API was unresponsive, and orders could not be processed.
After two hours of trying to mitigate the issue, IT teams discovered the API was overwhelmed by an excessive number of requests.
The requests weren’t from an external hacker, but rather from a desktop within the retailer’s accounting department, which was running an end-of-month report and, in doing so, sent hundreds of requests to APIs that crippled its use.
That two hours of downtime translated into a $1 million dollar loss in sales.
See also: Round up & secure APIs for universal API management.
API management needs to account for API protection
The real-world example shared above is a testament to two factors:
- Even if APIs aren’t exposed externally, they still require robust security to ensure data protection
- The consequences of a lack of proper API management can be measured in millions of dollars
The moral of the story is that security isn’t an option for APIs — it’s a necessity. It’s important for API developers to include the documentation internal and external app developers need without the red tape. This could include instructions on effective use of the API or details on self-service capabilities.
Similarly, the degree of attention given to security can make or break an API’s value to your business. So naturally, when it comes to APIs, the policies around data protection must be a priority.
Learn more about API security with these 12 essential best practices.
What does good API management look like?
One of the foundational elements of proper API management is having a uniform approach to policy enforcement. You’ll want to secure APIs in a central location so you can create a consistent, comprehensive defense that is easy to update and monitor.
With this foundation in place, you can focus on implementing a series of measures that support API security such as:
- Implementing a standard like OAuth2.0 to authenticate users before they access the API
- Configuring authorization access controls such that only admins can delete records, while general users can read or write
- Configuring to use HTTPS and SSL certificates to encrypt data transferred over the network
- Forcing users to reauthenticate after a certain period
- Redacting everything sensitive, for example masking the first twelve digits of credit cards in API responses
- Setting up an IP whitelist to only allow access to specific IP addresses
- Creating error messages to avoid sharing sensitive business information
- Establishing a rate limit to prevent an excessive number of API requests
- Validating schemas to enforce the integrity of API data
- Utilizing WAF features to protect against SQL injection and other web application threats.
- Configuring log key API metrics and integrate it with monitoring tools for real-time analysis
- Configuring routes for API requests to different backend services based on the API version specified in the URL or header
- Automatically inserting security headers to protect against XSS attacks.
- Providing regular updates to make sure all third-party dependencies are secure
Manage your API ecosystem with Axway’s Amplify Platform
As the sprawl of APIs and their associated gateways grows, so does API complexity – often at an exponential rate.
Axway’s Amplify platform can help you manage your API ecosystem more efficiently.
Amplify is an API management platform that offers a universal approach to API governance. Featuring built-in capabilities for access control, data privacy, threat mitigation, and more, Amplify is designed to ensure your APIs adhere to the highest security standards based on your digital infrastructure. It offers the exceptional visibility and control that businesses need to develop and deliver secure APIs faster.
We’ll leave you with another real-world example…
A data platform provider for the healthcare, energy, and finance sectors, was dealing with a complex API landscape. Multiple in-line API gateways led to growing security concerns.
In an effort to avoid API duplication and foster reuse, IT teams adopted the Amplify platform, which offered a single pane of glass into all APIs and enabled robust API security, compliance, and business insights.
Discover more customers succeeding with the Amplify API Management Platform.
The impact has been notable. The company reduced API duplication by 40%, eliminated security incidents, and increased operational efficiency by 30%.