5 Pillars of API ManagementCA's Mankotia on Managing APIs to Secure Identities
Akana's study on the Global State of API Security says the security industry has witnessed increasing use and business importance of Application Programming Interfaces, vital in developing mobile applications and digital enterprises. Yet, APIs, like all technologies, have inherent security vulnerabilities, and this is a concern for Vic Mankotia, vice president, Security and API Management, Asia Pacific & Japan, CA Technologies.
See Also: Main Cyber Attack Destinations in 2016
"The very openness that makes them so useful for expanding enterprises into the digital realm spells risk exposure," Mankotia says. "This can also expose more than one business to risks limited to a single corporation previously."
In this interview with Information Security Media Group, Mankotia finds growing concerns for CISOs - as many organizations don't have processes to ensure data accessed by applications consuming their APIs is managed securely. He shares insights on:
- API security challenges;
- Managing APIs effectively;
- Protecting digital identities.
Mankotia has more than 17 years of experience in the software industry. Before CA Technologies, he spent 10 years with Symantec Corporation, holding various sales leadership positions. He developed five lines of business with market-ready solutions from over 30 Symantec acquisitions.
API Opportunities and Challenges
GEETHA NANDIKOTKUR: You say APIs are a cornerstone for innovation and business growth. Where are the opportunities, and what the challenges?
VIC MANKOTIA: Yes, APIs are the backbone for innovation and business growth. Organizations must constantly find new ways to generate revenue opportunities using connected devices, big data and analytics. API's importance is increasingly felt today, as there's a revolution in how software's developed and deployed, and APIs enable this as a catalyst.
API, an old concept, is undergoing transformation: driven by mobile and cloud requirements, organizations are opening their information assets to external developers.
Today, 75 percent of Twitter traffic and 65 percent of Salesforce.com traffic is through APIs. Says ProgrammableWeb.com, open APIs offered publicly over the Internet now exceeds 12000--from 32 in 2005. Using APIs for sharing information and functionality with outside developers is not limited to start-ups. Enterprises, driven by cloud, mobile and partner integration, use APIs to put themselves at the center of a developer ecosystem and drive new reach, revenue and retention possibilities.
However, the biggest challenge is managing APIs, as secure APIs are the key to the success of the security industry. Some issues security teams must tackle are:
- How to protect information assets you expose from abuse or attack;
- How to deliver your APIs as reliable services with no downtime that can impact your API users;
- How to govern access and use of your APIs in a consistent, policy-driven way.
A major concern is that many organizations don't have processes to ensure the data accessed by applications consuming their APIs is managed securely.
NANDIKOTKUR: How should organizations manage API securely?
MANKOTIA: API management combines advanced functionality for back-end integration, mobile optimization, cloud orchestration and developer management. It supports enterprises in executing digital and Internet of Things strategies with the right management tools, security, scalability and flexibility that organizations need to open the flow of data while minimizing risk to their brand and customers.
When looking for an API management solution, security features must be top of the mind, particularly when protecting vital information exposed through an API independent of standards. The critical aspects of managing APIs is to ensure they can:
- Accept different kinds of credentials for authentication;
- Issue different kinds of credentials to developers;
- Support different 'resource' authorization schemes including federated ones.
The challenge is integrating these APIs with existing identity infrastructure. The overarching goal is achieving flexibility and integration. In policy, there should be an ability to support different kinds of access tokens and even move from one kind of developer API key to another, without touching code.
Enterprise-class API management solutions must give the enterprise architect or security administrator fine-grained control over what data's exposed, how it's kept confidential and how it's transmitted without interception or tampering. Lastly, API security rests on the integrity of the API and the data/functionality it exposes, requiring an ability to ensure APIs are not compromised by attack, denial of service or misuse.
Integration API and Identity
NANDIKOTKUR: You referred to challenges with integrating APIs with existing identity infrastructure. What's the role of identity in API management?
MANKOTIA: As enterprises embrace cloud and mobile, they face serious business challenges, starting with how to maintain control over corporate apps and data once these leave the business. Integrating API management with identity becomes important to address new challenges; security teams must take note of these for effective integration:
- Opening on-premises data and applications to third parties: Additionally, API publishing creates challenges about ensuring scalability and manageability as adoption grows and adapting data for consumption.
- Protocol orchestration: There's a need to connect disparate data/applications across environments - legacy to the cloud to mobile. The ability to connect these, their identity management, protocols and data into a seamless solution is crucial.
- Manageability: A big challenge is managing a framework consisting of legacy solutions and open solutions--across data centers and the cloud. Further, any new solution must integrate with corporate reporting/analytics/BI tools inside the enterprise
5 Pillars of API
NANDIKOTKUR: How do CISOs leverage API management?
MANKOTIA: API Management is a set of processes and technologies that help enterprises meet their security and management challenges. It's important for security leaders to adapt to these five pillars of API management:
- Expose enterprise data and functionality in API-friendly formats;
- Protect information assets exposed via APIs to prevent misuse;
- Authorize secure, seamless access for valid identities;
- Optimize system performance and manage the API lifecycle;
- Engage on board, educate and manage developers.