Securing APIs with API Management

05. April 2020

 

Businesses across all industries are going through a fundamental shift in their IT transformation. Organizations start to realize the real value of digital transformation and it is no longer a buzzword. As most organizations are now focusing on the customer-centric views and ways of working, they need to be able to deliver their products and services seamlessly across all their channels. For IT departments this approach demands rapid deliveries of functionalities, top quality, and 99.99% up-time of systems and applications.

If APIs and API Management are new for you, we recommend you to read our introductory white paper on API Management first.

Unlock your legacy with APIs

However, in reality, this is hard to achieve. Most organizations own a lot of legacy systems, making it hard for IT departments to keep up with the pace demanded by customers. APIs play a key role to bridge the pace between the evolution of consumer applications and legacy systems. And with the arrival of the Microservices architectural style, organizations can now meet the demanding needs of the customer easily and comprehensively through APIs.

The Future of API Management

Are you new to APIs and API Management? We recommend you to read our white paper ‘The Future of API Management’ first. This white paper explains why it is crucial to invest in solid API Management and how it directly impacts business results. In today’s fully digital new reality, having a solid API Management platform is a must.

Securing APIs

However, this approach raises concerns about how to secure these APIs. Regulations as GDPR, PSD2, and many more, make it imperative that organizations invest time in securing APIs. This is where API Management can play a significant role.

Why you should secure APIs

Organizations realize the need to securely open up their APIs, but often face challenges with security needs and other complexities. Challenges often appear when integrating with different identity management platforms and single sign-on experiences. Furthermore, API security is not about access control to the API but also meant to manage fine-grain control over the data to be exposed to the consumer. This is where enterprise-grade API Management solutions help the business administrator, developer, and architects to secure that the API keeps information confidential and ensures that the data transmission will be secured against interception or tampering. 

Core security aspects of APIs

As APIs are getting exposed to the public internet world, it is necessary to ensure that they are not vulnerable to the denial of service attacks, man in the middle attacks, and potential misuse. A good API management solution will equip its organization with a wealth of threat-protection controls that will assure the availability and fidelity of the API and the communications it enables. This section outlines the different security patterns that are available to secure your backend APIs via API Management platforms.

The core security aspects to be considered while securing the APIs are:

1) Authentication

Authentication is a mechanism to prove who you are. In the context of API Management, it identifies and authenticates the end-user or end consuming application to access the backend API.

2) Authorization

Authorization is a mechanism to prove the rights of access control. In the context of API Management, it checks if the authenticated end-user or consuming applications have appropriate rights to perform the desired operation in the API.

3) Network-level controls / transport security

Network-level controls and security ensures the data in transit remains safely transferred between the legitimate parties. In the context of API Management, it ensures the confidentiality and integrity of the data in transit between the API provider and consumer.

4) Quality of service/Threat protection

The quality of service ensures that the service level agreement is met between the API consumer and the provider. The API Management platform ensures the right quality of service is maintained by enforcing API usage contracts to the consumers. In this way, the service performance, availability, and the denial of service protecting attacks are managed.

5) Content based security checks

Sometimes the message-content can be a handy tool for potential hackers to pose serious security threats by injecting malicious content in the actual payload. Using the right security policies, an API Management platform can identify those threats and protect the backend from security breaches.

More API Management related content

Reference case: API management at Liberty Global Inc.

Reference case: Eneco – using its Apigee API Management Platform the right way

Blog post: Why invest in API Management?

Blog post: API Management Platforms – How to select the right one

Blog post: API Management Architecture – An introduction

White paper: The Future of API Management

devoteam

Contact

Eelco Gelton

Community Lead API Management

Kuldeep Bhati

API Management Architect