
API Ready model step 5 – Security

Thu, 11/26/2015 - 16:08 -- Fredrik Svensson
Making your corporate data (or parts of it) available to your partners and customers is a matter of balance between openness and security. You want to improve your business by inviting selected participants to interact with you, but what you don't want is to create undesired access to potential trade secrets or material that can be used against you.

This is why security is an important consideration when exposing APIs. There are many past examples of IT security incidents with unexpected ramifications, and we don't want to put ourselves in that position.

If you publish your corporate data through APIs – you don't want unauthorized access! 

When considering security issues, start with the data or APIs you have decided to expose. If the exposed data is non-critical to the organization, security is less pressing than if you have decided to expose an API that communicates with your ERP, production planning or finance systems.

Many start by exposing non-critical data, so security may not be your primary concern in the early days of your API adventure. But if you are successful, security will certainly become important.

This means that even if you only expose non-critical data, security should be one of the primary quality attributes you consider during architectural design and implementation, so that the foundation for secure communication is in place from the beginning.

To me, security isn't merely about protecting yourself and the organization from potentially harmful attacks. It is also about being prepared for expected usage and peak loads, and about making sure that the right person or system is interoperating with your organization. This means you have to be prepared to manage overuse and misuse of your APIs, which is why you need a tool that makes it easy to measure usage and load and to throttle when required. Today's API Management platforms should have these capabilities and give you the tools to monitor and manage your APIs. Make sure that the platform you choose offers them.
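The "measure usage and throttle when required" part is what an API Management platform does per consumer, typically with a token bucket: each API key is allowed a burst and a steady rate, and requests that find the bucket empty are rejected before they reach the backend. The following is an added example, not code from the original post or from any particular API Management product. The API keys, plan limits and timestamps are constructed for illustration; the clock is injected so the scenario is reproducible.

```python
"""Per-consumer token-bucket throttling as an API gateway would apply it.

Added example, not from the original post. Each API key gets a bucket that
refills at `rate` requests per second up to `burst`; a request that finds the
bucket empty gets 429 instead of reaching the backend. Allowed and rejected
calls are counted per key so operators can see who generates the load.
Key names, limits and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    rate: float        # tokens added per second
    burst: float       # maximum tokens, i.e. the allowed burst size
    tokens: float      # tokens currently available
    last: float        # timestamp of the last refill
    allowed: int = 0   # observed usage, for monitoring
    rejected: int = 0


class Throttle:
    """Token-bucket limiter keyed by API key.

    `plans` maps an API key to (rate, burst). Unknown keys are rejected
    outright: an unauthenticated caller should never consume backend capacity.
    """

    def __init__(self, plans, now):
        self._plans = plans
        self._now = now          # injectable clock: callable returning seconds
        self._buckets = {}

    def _bucket(self, key):
        b = self._buckets.get(key)
        if b is None:
            rate, burst = self._plans[key]
            b = Bucket(rate=rate, burst=burst, tokens=burst, last=self._now())
            self._buckets[key] = b
        return b

    def check(self, key):
        """Return (status, tokens_left): 200 forward, 401 unknown key, 429 throttled."""
        if key not in self._plans:
            return 401, 0
        b = self._bucket(key)
        t = self._now()
        # Refill proportionally to elapsed time, capped at the burst size.
        b.tokens = min(b.burst, b.tokens + (t - b.last) * b.rate)
        b.last = t
        if b.tokens >= 1:
            b.tokens -= 1
            b.allowed += 1
            return 200, int(b.tokens)
        b.rejected += 1
        return 429, 0

    def usage(self):
        """Per-key (allowed, rejected) counters a management dashboard would chart."""
        return {k: (b.allowed, b.rejected) for k, b in self._buckets.items()}


def demo():
    """Constructed scenario: a partner plan of 5 burst / 1 per second, a trial plan of 2 / 0.5."""
    clock = [0.0]
    th = Throttle({"partner-key": (1.0, 5), "trial-key": (0.5, 2)},
                  now=lambda: clock[0])
    statuses = []
    for _ in range(7):                      # 7 calls at t=0: 5 pass, 2 throttled
        statuses.append(th.check("partner-key")[0])
    clock[0] = 2.0                          # two seconds later: 2 tokens refilled
    statuses.append(th.check("partner-key")[0])
    statuses.append(th.check("partner-key")[0])
    statuses.append(th.check("partner-key")[0])   # bucket empty again
    statuses.append(th.check("no-such-key")[0])   # unknown key never reaches the backend
    return statuses, th.usage()


if __name__ == "__main__":
    print(demo())
```

The counters in `usage()` are the point of the exercise for a platform owner: the rejected count per key is the early signal that a consumer has outgrown its plan, or is abusing the API, before the backend notices.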

Can you predict the future usage of your API?

Performance and load are also important considerations. Even with forecasts, it can be hard to predict the future usage of your APIs. (In a recent survey from Varnish Software on API usage, respondents reported a 10-20% monthly increase in API call volumes.) To meet this challenge, choose an API Management platform that has proven itself in performance stress tests, scales properly and can be expanded when needed at a reasonable cost.

How to manage costs?

Managing the costs of your APIs can be tricky. Scaling a solution to your initial requirements and then expanding the installation can make costs skyrocket. Nor is it financially feasible to size your solution for the expected maximum load from the start, as you may end up paying for unused capacity. Here, a cloud-based solution can be a good option. With the right price model these solutions scale nicely when expanded, either for a short period to handle peak traffic or for gradual growth of the environment. Make sure to match the chosen API Management product and deployment alternative with your short- and long-term requirements.

Identity Management

As APIs are expected to be the foundation of the Digital Transformation predicted by Gartner, the importance of communicating through APIs in a secure and trusted manner will be significant. Most API Management platforms on the market today have a built-in interface towards an Identity Management product. Identity Management is a separate domain in itself, but in short, Identity Management products provide authentication and authorization of users for software solutions. Perhaps your organization already has an IDM solution that can be extended for use with the API Manager?
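In practice, the interface between the API Manager and the Identity Manager is usually a signed bearer token: the IdM authenticates the user or partner system and issues the token, and the gateway only verifies it and checks that it carries the scope the requested API requires. The following is an added example, not code from the original post, from Redpill Linpro or from any specific product. It uses the JWT format (RFC 7519) with HMAC-SHA256 and only the Python standard library; the shared secret, claim values, endpoint paths and scope names are constructed for the example, and a real deployment would normally verify against an asymmetric key published by the IdM.

```python
"""Bearer-token check at the API gateway, with identity delegated to an IdM.

Added example, not from the original post. `issue_token` stands in for the
Identity Manager; `verify_token` and `authorize` are what the gateway does.
Secret, claims, routes and scope names are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """IdM side: sign header.payload with HMAC-SHA256 (JWT alg HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                       separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(secret: bytes, token: str, audience: str, now: float) -> dict:
    """Gateway side: raise ValueError on any failure, else return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose it (alg=none, key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the signature check leaks no timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this API")
    return claims


# Scope each exposed endpoint requires (constructed for the example).
ENDPOINT_SCOPES = {
    "/orders": "orders:read",
    "/finance/invoices": "finance:read",
}


def authorize(secret: bytes, token: str, path: str, now: float) -> int:
    """Gateway decision as an HTTP status: 200 forward, 401 bad token, 403 missing scope, 404 unknown route."""
    needed = ENDPOINT_SCOPES.get(path)
    if needed is None:
        return 404
    try:
        claims = verify_token(secret, token, audience="partner-api", now=now)
    except ValueError:          # covers malformed base64, bad JSON, bad UTF-8 too
        return 401
    if needed not in str(claims.get("scope", "")).split():
        return 403
    return 200


def demo():
    secret = b"constructed-shared-secret"
    now = 1_700_000_000.0
    good = issue_token(secret, {"sub": "partner-42", "aud": "partner-api",
                                "scope": "orders:read", "exp": now + 600})
    expired = issue_token(secret, {"sub": "partner-42", "aud": "partner-api",
                                   "scope": "orders:read", "exp": now - 1})
    forged = issue_token(b"wrong-secret", {"sub": "partner-42", "aud": "partner-api",
                                           "scope": "finance:read", "exp": now + 600})
    return [
        authorize(secret, good, "/orders", now),              # 200
        authorize(secret, good, "/finance/invoices", now),    # 403: scope not granted
        authorize(secret, expired, "/orders", now),           # 401: expired
        authorize(secret, forged, "/finance/invoices", now),  # 401: signature fails
        authorize(secret, "not.a.jwt", "/orders", now),       # 401: garbage
    ]


if __name__ == "__main__":
    print(demo())
```

The division of labour is the point: the gateway never sees a password and never decides who the caller is, it only checks that the IdM's signature is genuine, that the token is still valid and meant for this API, and that the granted scope covers the endpoint. Everything else, such as user lifecycle and credential policy, stays with the Identity Manager.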

When it comes to how to specifically handle security issues for APIs and API publishing, one could write an essay or a book on the topic. This forum isn't for that (nor do I have the knowledge to do that), but a few useful technical recommendations can be found here. I can also recommend an upcoming webinar from Mulesoft on this topic.

APIs will be the foundation of the Digital Transformation revolution. We need to make sure that we can interoperate with our target audience in a secure and stable way. Be aware of this and choose an architecture and solution that provides control in terms of security, scalability and budget. Evaluate API Management and Identity Management tools wisely and consider different deployment options to give your organization the required flexibility, both in the short and the long term. Make sure to have the right design, skills and knowledge in place to manage potential security issues when exposing your APIs to your audience.

