Securing Your Applications and API Keys: An Organizational Guide
Building on an insightful dialogue at The European Identity and Cloud Conference, I had the privilege of sharing the stage with industry experts Ingo Schubert (RSA), Ward Duchamps (Thales Digital Identity and Security), and Mark Haine (OpenID Foundation). With stimulating questions from Martin Kuppinger and Mike Schwartz, we dug deep into contemporary topics. Continuing from our previous panel-related post, this post presents the next chapter of our in-depth conversation.
In our previous discussion on API discovery, we laid the foundation for understanding your organization’s application and API landscape. Once we’ve achieved this understanding, the subsequent critical step is securing these applications and API keys effectively. This blog post is intended to guide you through this essential process, using insights from our esteemed panelists.
Understanding the Importance of Security Awareness:
API security is not just a technical problem to solve; it also requires an organizational shift towards security awareness. Mayur Upadhyaya, Co-founder & CEO of Contxt, pointed out during our panel discussion that “there is a clear owner for identity and security, but who in the enterprise owns APIs?” This question underlines the challenge of API ownership within an enterprise and underscores the necessity for an organizational awareness of API security.
Recognizing the Potential Risks:
Without robust security measures, your organization’s APIs could be exposed to significant risks. Ingo Schubert, Global Cloud Identity Architect at RSA, cautioned that using a standard doesn’t guarantee security. “You can do a poor job implementing OpenID Connect and still be unsecure,” he pointed out, stressing the need for comprehensive security measures beyond merely adhering to standards.
The Role of Standards and Certifications in API Security:
While standards and certifications play an essential role in API security, they are not the be-all and end-all solution. As Michael Schwartz, Founder of Gluu, pointed out, the certification test suite that OpenID publishes is beneficial, but it doesn’t give you a level of assurance about security. Mark Haine, Distinguished Engineer at the OpenID Foundation, echoed this sentiment, highlighting the value of the OpenID Foundation’s test suite but also the need for organizations to contribute to its development.
Practical Steps to Secure Your Applications and API Keys:
With an understanding of the importance of security and the role of standards and certifications, what practical steps can your organization take to secure your applications and API keys effectively?
Martin Kuppinger, Principal Analyst at KuppingerCole, discussed emerging regulatory pressures. He highlighted the importance of organizations being able to demonstrate their compliance with a range of best practices, which are being applied more rigorously.
Alejandro Leal, Research Analyst at KuppingerCole, advocated for a layered API security approach. This approach can help manage API visibility, change control, and compliance integration. Ward Duchamps, Senior Product Strategist at Thales Digital Identity and Security, provided a complementary perspective, underscoring the importance of edge monitoring, multicloud security, and schema detection in improving your organization’s API security posture.
In summary, securing your applications and API keys is a multifaceted task requiring an organizational shift towards security awareness, an understanding of the limitations of standards and certifications, and the adoption of practical, robust security measures. By following the insights provided by our panelists, your organization can make strides towards a more secure API landscape.
Originally published at bycontxt.com on May 30, 2023.