The Top 4 Best Practices When Implementing API Security Posted in Security Crispen Maung August 31, 2021 Companies increasingly use Application Program Interfaces (APIs) to rapidly develop and deploy innovative applications and services to support their businesses. But APIs are not only a gateway to innovation; they can also serve as a gateway to security breaches. There is growing recognition that as companies rapidly innovate by building and deploying superior software and services via the creative use of data and SaaS providers, it is essential to have a well-constructed API strategy that incorporates meaningful security and privacy controls. Keeping your cloud and API ecosystem secure is an essential element of any API strategy. But few organizations understand how to effectively incorporate access controls and data privacy as part of their API strategy. This disconnect is causing delays. According to a report from Salt Security, many organizations are delaying new application launches due to concerns about API security. Leadership may view APIs as a path to extend the organization’s business capabilities, generate more revenue opportunities, and direct development teams to build greater value. Taking up the challenge, developers may leverage APIs to connect internal development teams and provide better services to the organization’s end customers. By connecting to external third-party companies, more value is added to the organization. While the developers are adding greater functionality and capability to their organization’s cloud and API ecosystem, many aren’t paying close attention to information security or data privacy obligations across their cloud ecosystem. Each organization should know how the data is secured, processed and what it is being used for. If not, the organization has potentially lost control of its data. If the information is misused, lost or unsecured, an API strategy’s advantages regarding the rapid development and deployment of applications and services can be quickly wiped out. 4 Tips For API Data Security and Privacy Here are four recommendations that can help your organization incorporate data security and privacy into its API strategy. 1. Control API usage. Your organization should know which APIs are being developed internally, which connect to third-party suppliers, and which are being consumed. Pay attention to how your organization’s APIs integrate with the various companies that come into your ecosystem. Controls need to be strong enough to hold steady as you begin to connect via APIs to third parties. While larger companies often have controls in place, the more vendors an organization uses, the greater the possibility that controls will weaken, leaving the organization vulnerable to a breach. If a vendor is accessing your customer’s credit card information, for example, it’s necessary to carry out a due diligence assessment of that vendor to ensure that credit card information has not been compromised. 2. Understand the security provisions for SaaS providers in your ecosystem. When connecting via an API to a SaaS provider, your organization is on the hook for ensuring that the data is held securely and used appropriately. This is true for the software or service your organization is consuming or when partnering with another SaaS provider to offer an integrated solution using your API. You should ask your SaaS provider(s): “What kinds of security and data privacy controls are in place, and who is monitoring the effectiveness of those controls?” Also, check the reports that they are generating; not all reports carry equal weight. For example, a SOC 2 Type 1 describes the controls and supports limited testing. A SOC 2 Type 2 is supported by significantly more testing and validation. Additionally, review their Software Development Lifecycle (SDLC) processes to ensure that the necessary controls and oversight are in place. Furthermore, look at the experience and training of the developers and determine what they know about API security and if they have been trained on the OWASP API Security top 10. 3. Consider your customer’s security and privacy obligations and their regulatory frameworks. If you are offering customers a service or software via APIs, ensure that your Information Security Management System (ISMS) is in place and includes the necessary data privacy processes and controls. It’s not uncommon to overlook your customer’s security and privacy obligations and compliance requirements. By understanding these requirements, you can successfully navigate their due diligence process. 4. Employ an API platform to gain control over your API ecosystem. Use an API platform that centralizes your APIs and allows your developers to connect with thousands of APIs, but also has the necessary access controls to deliver assurances around data security and privacy. An API platform enables you to manage and control which APIs are being developed and consumed and also helps you understand where and how data is moving within your organization. An API platform can ensure data protection and compliance, provide developers with the flexibility to create code without being hindered with heavy access control, and ensure that the partners and other types of SaaS providers in your ecosystem have the right types of controls and apply the same standards that you do. API Strategy Needs Strong Security APIs enable innovation and agility. But without an API strategy that includes capable and robust security and data privacy controls, businesses are putting themselves at great risk. By following these best practices and leveraging an API platform, your organization can securely leverage its APIs for their fullest advantage.