Earlier this week we introduced the API economy and spoke about its relevance to the local market by publishing a post titled, “API economy: From systems to business services”. Today, we will discuss the cyber implications within the API economy.
APIs expose data, services, and transactions, creating assets to be shared and reused. The upside is the ability to harness internal and external constituents’ creative energy to build new products and offerings. The downside is the expansion of critical channels that need to be protected, channels that may provide direct access to sensitive IP that may not otherwise be at risk. Cyber risk considerations should be at the heart of integration and API strategies. An API built with security in mind can be a more solid cornerstone of every application it enables; done poorly, it can multiply application risks.
Scope of control—who is allowed to access an API, what they are allowed to do with it, and how they are allowed to do it—is a leading concern. At the highest level, managing this concern translates into API-level authentication and access management—controlling who can see, manage, and call the underlying services. More tactical concerns focus on the protocol, message structure, and underlying payload—protecting against seemingly valid requests that inject malicious code into underlying core systems. Routing, throttling, and load balancing have cyber considerations as well—denials of service (where a server is flooded with empty requests to cripple its capability to conduct normal operations) can be directed at APIs as easily as they can target websites.
Just as infrastructure and network traffic can be monitored to understand normal operations, API management tools can be used to baseline typical service calls. System event monitoring should be extended to the API layer, allowing unexpected interface calls to be flagged for investigation. Depending on the nature of the underlying business data and transactions, responses may need to be prepared in case the underlying APIs are compromised—for example, moving a retailer’s online order processing to local backup systems.
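As an added illustration (not code from the original post), the following Python sketch baselines which (client, method, route) combinations appear during normal operation and flags live calls that fall outside that baseline, along with a simple per-client, per-minute rate threshold of the kind a throttling rule would enforce. The log format, client names, routes and thresholds are all constructed for the example.

```python
import re
from collections import Counter
# Constructed sample logs (not from the original post): "<timestamp> <client> <method> <path> <status>"
BASELINE_LOG = [
    "2024-01-01T09:00:01 partner-a GET /v1/orders 200",
    "2024-01-01T09:00:05 partner-a GET /v1/orders/42 200",
    "2024-01-01T09:01:10 partner-b POST /v1/orders 201",
    "2024-01-01T09:03:00 partner-b GET /v1/products 200",
]
LIVE_LOG = [
    "2024-01-02T09:00:01 partner-a GET /v1/orders 200",
    "2024-01-02T09:00:02 partner-a GET /v1/admin/users 403",  # route never seen for this client
    "2024-01-02T09:00:03 partner-b DELETE /v1/orders/42 204",  # method never seen for this client
    "2024-01-02T09:00:04 partner-c GET /v1/orders 200",  # client never seen at all
    "2024-01-02T09:00:05 partner-b POST /v1/orders 201",
    "2024-01-02T09:00:06 partner-b POST /v1/orders 201",
    "2024-01-02T09:00:07 partner-b POST /v1/orders 201",  # fourth partner-b call this minute
    "not a log line",  # malformed input is skipped, never trusted
]
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")

def parse(line):
    """(timestamp, client, method, route) or None; numeric path segments collapse to {id}."""
    m = LINE_RE.match(line)
    return m and (m[1], m[2], m[3], re.sub(r"/\d+(?=/|$)", "/{id}", m[4]))

def build_baseline(lines):
    """Set of (client, method, route) tuples observed during normal operation."""
    return {rec[1:] for rec in map(parse, lines) if rec}

def detect_anomalies(lines, baseline, max_per_minute=3):
    """Flag calls outside the baseline and clients exceeding a per-minute call rate."""
    known_clients = {client for client, _, _ in baseline}
    per_minute = Counter()
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, method, route = rec
        if client not in known_clients:
            findings.append(("unknown_client", line))
        elif (client, method, route) not in baseline:
            findings.append(("new_call_pattern", line))
        bucket = (client, ts[:16])  # minute resolution: YYYY-MM-DDTHH:MM
        per_minute[bucket] += 1
        if per_minute[bucket] == max_per_minute + 1:  # report once per client per minute
            findings.append(("rate_exceeded", line))
    return findings
```

Running `detect_anomalies(LIVE_LOG, build_baseline(BASELINE_LOG))` yields four findings: two new call patterns, one unknown client and one rate breach, while the malformed line is dropped rather than counted.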
Another implication of the API economy is that undiscovered vulnerabilities might be exposed through the services layer. Some organisations have tiered security protocols that require different levels of certification depending on the system’s usage patterns. An application developed for internal, offline, back-office operations may not have passed the same rigorous inspections that public-facing e-commerce solutions are put through. If those back-office systems are exposed via APIs to the front end, back doors and exploitable design patterns may be inadvertently exposed. Similarly, private customer, product, or market data could be unintentionally shared, potentially breaching country or industry regulations.
This raises significant questions: Can you protect what is being opened up? Can you trust what’s coming in? Can you control what is going out? Integration points can become a company’s crown jewels, especially as the API economy takes off and digital becomes central to more business models. Sharing assets will likely strain cyber responses built around the expectation of a bounded, constrained world. New controls and tools will likely be needed to protect unbounded potential use cases while providing end-to-end effectiveness—according to what may be formal commitments in contractual service-level agreements. The technical problems are complex but solvable—as long as cyber risk is a foundational consideration when API efforts are launched.