4 July 2019
APIs are critical for advancing core business expansion strategy. They do this by: exposing data for use by apps; making assets reachable by apps; and adding a digital layer to interactions with customers, employees, and partners. Companies’ API strategy must provide an effective and productive way to use APIs by internal, partner, and third-party developers. And there is the rub. This is because APIs also present fundamental security challenges that can keep you up at night. You need to make sure that access is open and free while also ensuring that access control is effectively ensured.
API access solutions are needed to mitigate vulnerabilities that otherwise would allow a company’s back-end services to be compromised by attackers. Beside venerability control, such as cross-site scripting attacks and XML threats, they must also provide the right access control solution. Access control that would ensure the API is used only by authorized consumers and that the access to data and resources is appropriately filtered. Another important capability is the challenge of providing logs and audit trails to support both offline analysis and real-time troubleshooting.
The very public hacks against the popular Snapchat mobile app’s API provide a cautionary tale regarding what can go wrong if your API’s are not secured. In the case of Snapchat, hackers working through holes in API authorizations security determined that it would take approximately 20 hours for one $10 virtual server to eat through and find every user's phone number. This is clearly not good. This security breach threatened what was at the time Snapchat’s $3 billion valuation. If we can agree that security is foundational to API infrastructure across the entire digital value chain, then it is critical for this core function to be easily configurable and to enable security at all points of engagement.
To sum up the challenges:
In short, access control is foundational to API infrastructure both from the APIs to the back-end services and from the API to the apps— that is, across the entire digital value chain. It needs to enable secure authentication and authorization from users to resources, data and organizational assets. Essentially, we all want our APIs to be engaged to promote core business functions and we recognize that scalability is key. Adaptive access control is not just a matter of convenience but one of enabling effective and efficient activity that serves all key stakeholders. It is therefore critical not only to enable security at all points of engagement, but for this security to align with practical business needs.
An approach that I believe is a game-changing innovation is the use of adaptive API control – control that is centralized to one point of decision, one point of control and one point of view. Adaptive API control is an integrated approach that enables controlled access to APIs based on roles, attributes, and context, with an ability to design entitlement policies for applications across the enterprise.
This approach amplifies attribute-based Access Control (ABAC) and role-based Access Control (RBAC) by providing a flexible combined policy. Such flexible policy can enable attribute-based decisions all the way from the user to the resource/action, based on patterns or resource attributes. Moreover, integral to this use of adaptive API control is the provision of a single layer that fits on-premise APIs as well as those published in the cloud. This means that the same policy can be reused with multiple API gateways, with unified control & auditing view.
An additional benefit is that an externalized authorization layer can enable your business owners to be involved in decisions related to API access, ensuring compliance and risk mitigation are part of your API access strategy. Ultimately, this approach, which is the approach of PlainID, lets business owners control and fine-tune access, providing a clear view and understanding of every authorization level. Let us know if you want to experience how it works:
© All Rights Reserved 2019 PlainID