4 Reasons to Make API Security Your Business’s New Year’s Resolution

It’s time for New Year’s resolutions—when our best intentions and brightest optimism briefly shine, often to be crushed a few weeks later by the practical reality that almost everything is harder than we think it will be.

For enterprise executives, those resolutions may look something like this:

  1. Use technology to accelerate the business.
  2. Don’t cause a big security breach.
  3. Eat healthier.

I can’t help with number 3 (I love cheeseburgers and that’s never changing) but the first two might be more achievable than they at first appear.

Yes, moving fast while maintaining security isn’t always easy—which is why, in addition to inspiring New Year’s ambitions, these goals have also caused more than a few executives sleepless nights. But both of these resolutions can be served by another, less obvious one: Leverage the API layer.

Here are four reasons why.

1. Web-era techniques won’t effectively protect your business.

Many techniques from the web era, such as applying a web application firewall, are no longer sufficient, and companies that still rely on them should update their defenses.

While firewalls enable a company to, among other things, block specific IP addresses known to be used by bad actors, they can still be relatively blunt tools whose sophistication doesn’t always match that of modern attackers. For example, a firewall-oriented technique could disrupt legitimate users by heavy-handedly blocking all traffic from a particular geography or service provider.

Likewise, many companies are used to bolting security onto each channel—mobile, web, etc. This approach is becoming less tenable as the variety of user interfaces and channels continues to evolve more rapidly, making it costly and time-consuming to customize security solutions for each one.

Indeed, users increasingly expect cohesive experiences that seamlessly translate data across apps; across mobile, desktop, and wearable interfaces; and across physical and virtual spaces. Channel-specific security can lead to inconsistent user experiences—not a good approach for any business hoping to keep up with increasingly digitally-empowered customers. Worse, channel-specific security can give the appearance of enhanced protection on a channel-by-channel basis while leaving vulnerabilities exposed as the channels are forced to interact.

Simply put, security techniques that were IT cornerstones just a few years ago are often no longer up to the job. Businesses need modern approaches—and those approaches start with APIs.

2. API-first architectures provide a foundation for both agility and security.

API-first architectures are a popular modern approach for prioritizing security while also adapting to changing user needs and the accelerating pace of business.

Modern business isn’t conducted via massive monolith apps—it’s conducted across an increasingly heterogeneous variety of databases, cloud services, and more. In an API-first architecture, application programming interfaces, or APIs, are the mechanism all of these systems, apps, data, and functionality use to communicate. APIs abstract the complexity into a consistent interface that lets developers quickly and easily tap the underlying business resource. In this way, APIs turn business resources into leverageable digital assets and act as products for developers. As the people who translate digital assets into valuable new apps, services, and experiences, developers—both internal and external—occupy a special role in any API-first strategy.

In contrast to previous techniques that tried to apply security to each channel, deploying security across the API layer can be very effective because the layer connects most or all of a company’s channels.

3. APIs can promote great experiences for both developers and end users.

By building security features such as authentication and threat protection into APIs, an enterprise can enforce consistent protection mechanisms and user experiences across channels.

APIs can be customized to the needs of specific user groups. Single sign-on capabilities might be implemented differently depending on whether the user is internal or external, for example. Or a business might make less sensitive APIs widely available, increasing the surface over which developers can leverage them, while restricting more sensitive data to APIs that can only be accessed with certain credentials.

The potential use cases are numerous, but the point is, APIs allow businesses to remain agile and responsive to user preferences, manage security in a consistent way across all channels, and promote a consistent user experience even as backends become more diverse and complex.

4. The API layer can support smarter, more proactive security techniques.

Unlike legacy approaches that can clumsily block all traffic from a given IP address, APIs can produce more fine-grained analysis and defense, using a combination of factors to tune responses to the appropriate scope.

Security-minded companies can manage their APIs with algorithms that monitor traffic in near-real time and identify suspicious behavior, such as a user attempting to log in from a geography where the business has no stores or a burst of users—or more likely, bots—failing authentication attempts at the same time. This sort of constant, behavior-based analysis can be the difference-maker when it comes to stopping fraudulent transactions, thwarting bots or keeping the business running during a DDoS attack.

Don’t Neglect API Security in 2018

The API layer is where transactions happen, where a business’s assets—systems, data, apps, functions—interact with one another and with software from the outside world. These interactions not only facilitate value but can also alert a company when bad actors are up to something.

To start the new year off right, it’s wise to ensure that you are designing your APIs with security in mind, baking in authentication and other protective features. Don’t neglect the rich analytics, monitoring, and blocking capabilities that the API layer can support. 2017 had its share of API-related security mishaps. With the right planning and perspective, you can decrease the odds that your company becomes one of these cautionary tales in 2018!