Free Your Data & the Apps Will Follow – But what About Security?

About Author

Mark O’Neill is CTO of Vordel, a company which enables companies to connect to mobile and cloud

Application Programming Interfaces (API) represent such an important technology trend, that new business models are evolving on top of them, and this has led to the term “The API economy”. The API economy encompasses API developers, the businesses providing the APIs, the businesses hosting APIs and app developers. This growing API economy has resulted in a switch in the mindset of many organizations that are now making access to internal data readily available to third parties, enabling partners and customers to develop value-added applications on top of this data. As such, many organizations no longer hold information close, but actually are seeking to make it available for external developers to write apps on top of the data. While many organizations are naturally concerned about the security risks posed by opening up and sharing access to data and indeed how they can derive long-term revenues from new API-led business models, the good news is that these concerns are being addressed. In fact, if organizations are not prepared to play in the API economy, they run an even greater risk of being left behind. In this article we look at some of the security challenges APIs pose, and how these can be addressed to ensure organizations don’t miss out on the opportunities API offer.

The Organization is now the Platform

APIs thrive on data. Examples include shipping information APIs (shipping data), financial quote APIs (financial data), and geographic APIs (location data). The popular maxim around the API economy notes that if an organization is willing to free its data, the applications will follow.

This new paradigm shift driven by APIs has also impacted at board room level. CEOs now expect their CIOs and CTOs to be able to showcase iPhone and Android app versions of their latest service offerings. However rather than asking “why are we not building iPhone applications,” the CEO should be asking, “why aren’t we allowing others to write iPhone applications on top of our data?” In other words, the goal of the organization should be to become a transparent platform for serving up data to third parties who can develop mobile apps on top of this platform. This means that the business effectively becomes a platform. For example, if a Financial Services company provides APIs enabling any developer to write the application, then it becomes a platform itself.

Secure API Delivery

So we’ve seen how APIs enable enterprises to deliver business services via Cloud, mobile, and partner channels quickly and flexibly. Enterprises need an agile API Server platform to ensure quick time-to-market with new business services. APIs handle critical business transactions and often have direct impact on customer interactions and business’s ability to execute. Poor API security and performance can result in lost sales, missed opportunities and inability to deliver. Every API requires a supporting infrastructure to make sure the APIs are properly managed, delivered, and secured.

Strong security is also essential as organizations need to monitor any suspicious usage of APIs in order that their APIs can be safely deployed, without compromising the data. Critical business functions such as ordering, fulfilment and payment are conducted via APIs. Attacks on these business critical services can result in loss of revenue and sensitive data. On the one hand, “enemy fire” attacks and exploits are becoming more sophisticated and organized, while on the other hand, the proliferation of API clients is subjecting APIs to increased levels of "friendly fire" from poorly engineered or malfunctioning clients. Organizations need to protect their APIs from both enemy and friendly fire alike.

Protect APIs Against Enemy and Friendly Fire

Threats that organizations need to consider protecting their enterprises against include such all common attacks as outlined in the NIST SP800-95 document "Common Attacks Against Web Services"[i] which include:

• Denial of service attacks
• Command injection attacks
• Malicious code, virus
• Sniffing
• Spoofing, tampering, and impersonation
• Data harvesting
• Privilege escalation
• Reconnaissance

The increase in both number and variety of API clients can also lead to a larger number of poorly engineered clients, as well as an increase in incidents of client malfunction. A misbehaving client repeatedly sending requests can cause as much damage as a denial-of-service attack. Organizations need to protect their APIs from potential “friendly fire” by monitoring API call volume and client behaviours. Clients exhibiting disruptive behaviours can be blocked or throttled.

Conclusions

APIs are increasingly being exposed to larger and more diverse populations of developers and applications. With this increased exposure, comes inevitably increased levels of operational and security risks. To guarantee good availability and user experience; IT must have security, control and monitoring capabilities as part of its API delivery platform. Having an API Server to manage, deliver and secure APIs is central to any coherent API strategy.