There’s no doubt that today’s businesses are under increasing pressure to innovate faster. Looking to deliver innovative offerings at an accelerated pace to meet ever-evolving customer expectations, many are turning to modern development models underpinned by the cloud, microservices architectures, and containerization technologies.
The result is a large-scale mashup of hundreds—sometimes even thousands—of APIs, responsible for connecting and sharing data between disparate systems, applications and devices located both inside and outside of an organization’s four walls.
As a result, APIs are everywhere. ProgrammableWeb currently provides the largest API directory on the web, with access to nearly 20,000 public APIs worldwide; a catalogue that is constantly expanding as developers add new ways to connect IT capabilities. And according to Gartner, “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
With APIs now behind most mission-critical business capabilities, securing them has become paramount. In today’s API economy, organizations don’t have defined perimeters anymore. They live everywhere their employees, customers and partners do, making perimeter-based security models ineffective and even “negligent,” according to Forrester.
Instead, organizations need to adopt a zero trust security model, where security can lie within the APIs themselves. As a result, organizations will be able to move faster without compromising security.
Understanding the security challenge
The difficulty faced by many organizations is that moving fast and staying secure are often at odds with one another. Digital transformation has made applications, networks and devices the powerhouse of the modern business, but it also exposes organizations to unprecedented levels of risk from security breaches.
Malicious outsiders are primed and ready to exploit vulnerabilities in web-facing applications with a growing array of tactics, while employee use of “shadow IT” and increasing adoption of cloud, mobile and the internet of things (IoT), further increase the number of attack vectors that security teams must guard against. It’s no surprise then that Gartner recently forecasted worldwide security spending will reach £74 billion in 2018.
Improving security with modern APIs
In increasingly dispersed and dynamic IT environments, traditional perimeter-based security approaches can’t meet the scalability, adaptability or reliability needed to manage risk. The answer lies in modern APIs, which enable the business to create standardized, accessible and well-defined entry points that are easy to visualize and therefore secure.
Switching from a traditional perimeter-based model to an API-centric model allows IT to secure every access point according to a standardized framework. It also allows IT to control who has access to IT capabilities and set read/write capabilities to define what level of access they have; simplifying the process and enabling more robust security.
Additionally, modern APIs enable organizations to build secure application networks, where IT and business capabilities are made discoverable and reusable through managed APIs. The APIs, in a sense, become productized and can be plugged in and out of the network as market conditions or requirements shift. Security best practices are, therefore, built into every access point from the very beginning, making them secure by design.
The need for zero trust security
Traditional approaches to security will no longer work in today’s API economy. Transport Layer Security (TLS), credentials, firewalls, reverse proxies and demilitarized zones (DMZs) were designed for a web environment, where users interact with apps via a browser. In the new world, users, APIs and devices interact without this intermediary, so network perimeter approaches are no longer effective or scalable and could even introduce new security risks.
Organizations, therefore, need to embrace a model where perimeters are redefined around APIs. Instead of networks or applications having a fixed perimeter, the APIs that connect them should be given verifiable identities so they can interact with each other securely and without friction.
The result is a zero trust model, where APIs are responsible for authentication, authorization and access control in a distributed fashion using identities. This approach is highly scalable, works across any application network and relies on the well understood models of multi-factor authentication and digital signature to authenticate log-ins and authorize actions.
A decentralized chain of trust also allows IT teams to trace back actions, further improving security and transparency. Not only will this help provide the foundation on which organizations can drive digital transformation and growth, it offers a best practice way to satisfy regulators, as we enter a new era of security and privacy compliance.
Ultimately, the pressure that organizations are under to innovate faster while remaining secure will only continue to increase as the API economy gathers momentum. Rising demand for digital services and IT capabilities, alongside the growing threat from cyber-criminals, is making it more challenging than ever for IT to satisfy the needs of the business while keeping it secure.
In such a fast-paced environment, rigid perimeter-based security measures are simply inadequate. In today’s world, organizations need a no perimeter, zero trust, API centric security model that not only brings unprecedented levels of security but also increases agility for organizations looking to digitally transform.
This article was originally published in SC Magazine UK.
