5 Pillars of API Management Posted in Strategy Ross Moore February 7, 2023 APIs are critical to business technology infrastructure, allowing teams to connect and share data, automate workflows, and improve customer experience and connectivity. But as businesses develop new software, they also need to ensure they have the right resources to manage their APIs. A recent report shows 61% of companies admit they lack any API security strategy or only have basic protection. While there are many ways to secure APIs, the following five pillars can help create a solid API security strategy. 1. Aligning With Business Vision, Mission, and Goals The first pillar is alignment with the business vision, mission, and goals. Such alignment can be challenging as it requires collaboration between application and security professionals and other teams within the organization. It’s all too common for professionals to think that their wheelhouse is a silo, and for others to see application development and security as cost centers — or worse — liabilities rather than assets. Several strategies can be employed to build trust between the AppSec teams and others in the company and facilitate communication around risk assessment and mitigation planning. These include having regular meetings dedicated to reviewing threat intelligence reports with relevant stakeholders so they understand what types of attacks could affect the systems or applications, which types they should prioritize based on their risk profile (see “Risk Management” below), and how they should respond if any such incidents occur. 2. Proper Allocation of Talent, Time, and Finances Proper allocation of talent, time, and finances is critical to the success of your API management initiative. To do so, it’s recommended to identify a full-time dedicated team leader to take on the project. This person should have a combination of technical and business skills to lead development and deployment efforts and manage operational issues. Next, allocate funding for implementation to hire and train developers who can build out all phases of your API initiative, from writing code through deployment, testing, and maintenance. Lastly, set aside the right amount of time for these projects. This is where the SMART goal setting can come in handy, as in setting goals that are Specific, Measurable, Achievable, Relevant, and Time-bound. 3. Protect the Information Assets of Your Business The importance of protecting your business’s information assets cannot be overstated. As an API provider, be aware of how applications interact with APIs and ensure that these connections are secure. Give your security teams a realistic view of the attack surface with an up-to-date inventory by cataloging all APIs. This will provide insight into existing gaps across departments or teams and shed light on who is accessing what data. Perform regular audits of security measures to protect sensitive data from being exposed or misused by unauthorized parties. For example, consider: What types of data flow through the APIs? Is it PII? Is it under the jurisdiction of regulations such as PCI-DSS or GDPR? Knowing this and designing accordingly will help prevent big-ticket regulatory fines. 4. API Lifecycle Management API lifecycle management includes planning, designing, coding, testing, deploying, monitoring, and even retiring APIs. And it’s important to ensure that the API is secure throughout its entire lifecycle. A critical aspect of lifecycle management is testing, which either automated or manual methods can achieve. Another vital component is the Software Development Lifecycle (SDL) document (see OWASP’s writeup here). In the world of policymaking, if it’s not written down somewhere, then it doesn’t exist. This includes auditing and mature application development. Having a great product is one thing — having a product that is consistently engineered is another thing. One can have top-notch staff, a stellar reputation, and the best intentions, but if there’s no documented guidance, then problems will occur. One example is Microsoft Azure’s Well-Architected Framework, which has its own five pillars of architectural excellence: Reliability Security Cost Optimization Operational Excellence Performance Efficiency 5. Risk Management Risk management is a continuous process that seeks to protect an organization from applicable risks by identifying, analyzing, and managing them. It may feel like a shot in the dark, but it’s not. It’s not gambling — it’s calculated risk-taking based on facts rather than guesses or intuition. To make informed decisions regarding any project or situation (including API strategies), conduct thorough research into potential pitfalls and possible consequences so that plans can be created for handling those should they arise. An Assortment of Strategic, Operational, and Tactical Challenges Securing APIs is not just about protecting the API itself. It’s about protecting business and customer data, and that involves lots of details. Before signing up for an API management tool, determine exactly what the goals are. Define what success looks like regarding security and how much risk is acceptable. Understand how people will use your APIs — know how your applications will be used so you can identify weaknesses or vulnerabilities early in the development process and mitigate them before they become problems later on down the road. Create clear policies around access control — decide who gets what level of access (or no access at all) based on their role within your organization and whether this would enable them to do harm if abused. And lastly, ensure data protection through encryption. Choose Your Path API management is not a one-size-fits-all solution. There are many approaches to take in securing your APIs, and each has its own challenges and overhead. However, by following these five pillars of API management, you can help ensure that you’re heading down the right path toward protecting your APIs from malicious attacks and protecting your corporate and customer data. Securing APIs is challenging, but these five pillars will help you create a solid API security strategy. Identify what’s important and defend it.