The growth of organizations like Uber and Airbnb has shone a spotlight on the rapidly developing application programming interface (API) economy. These two organizations—and hundreds of others like them—have found success with their disruptive business models because, rather than trying to reinvent the wheel each time, they’ve capitalized on existing APIs to build out their applications.
APIs enable the seamless sharing of data and functionality between applications. Rather than try to recreate a payment system or a map, Uber and Airbnb tap into APIs offered by organizations that specialize in those capabilities—allowing their own developers to focus on their core competencies. This translates into more time spent on the high-impact deliverables that benefit the end user and, ultimately, helps drive revenue.
What are the risks of using APIs?
As APIs become more popular in the development of new applications, there’s a risk with sharing access to that data and functionality, both within your organization and externally. Gartner has predicted that by 2022, API attacks will be the greatest source of data breaches for enterprise web applications. As you look to join the API economy, your success hinges on implementing access management and other security capabilities that protect your organization, while letting your developers thrive.
Usually, when APIs are designed and built, they address a small and specific use case for a small and specific (generally internal) audience. As they prove useful and valuable, other internal teams adopt them to speed development. Eventually, external partners and even major customers might request access and integrate them into their applications.
As a result, an API’s user base can grow quickly, but security doesn’t always stay top of mind for developers as it scales. The security policies required for employees are not always the same as those required for partners which, in turn, are not always the same as those required for customers. Each successful deployment and new project accelerates the next one and few teams are willing, or can afford, to stop and reevaluate security. Therefore, it’s important that the appropriate authentication and authorization mechanisms are in place before each group of users is added. Otherwise, your APIs will become a massive vulnerability.
Driving security with API access management
A robust API access management infrastructure is critical for securing your APIs and the sensitive data behind them. In theory, API access management should securely connect the right users to the right level of access in the API, not too dissimilar to a server taking an order at a restaurant and then delivering the meal that was ordered.
Companies that do secure their APIs often approach security using API keys, OAuth 2.0 tokens, or an API gateway. However, these methods are far from fail-safe on their own. A combination of an API gateway and OAuth 2.0 offers the best approach, as this combination ensures that only those that have been granted access are let in—within the parameters of their level of authorization.
Carefully planned API access management provides IT with the ability to control access at each stage of development, so security is a fundamental part of the API-building process from the very beginning. When executed appropriately, with the existing tools and standards, this enables developers and ensures they won’t have to relearn proprietary technology stacks and integrations.
API access management gives your developers time back
The common misconception is that security impedes progress—but the opposite is true here. By implementing a centralized API access management tool, developers don’t have to focus on administration or authorization, allowing them to save as much as two weeks of developer time per year.
When it comes to designing or accessing APIs, it’s important to have clear roles and responsibilities so that users are restricted specifically to the areas they need. API providers, for example, will need to dedicate their time to gathering data or designing functionality, whereas API consumers—internal or external to the organization—care more about how they can access that data in consistent and frictionless ways.
API access management is critical in this regard, as it allows for clear and configurable access policies to each API resource, defining access based on user profile, groups, network, consent, and more. By fitting these policies together, your security and operations teams can create and manage centralized policies specific to developers, partners, or customers without impacting any other group or compromising on API security.
There’s no question that API access management is indispensable when it comes to securing your APIs. From a risk mitigation perspective alone, it ensures that your business can engage in the API economy without compromising its data—or that of its customers. The added benefit is that you can also free up your developer team to focus on growing your organization with new products and services.
Learn more about how Okta helps secure your APIs and free up your developer team with our Okta API Access Management datasheet.