Guest author Crispen Maung, Head of Information Security & Data Privacy at RapidAPI, shares insights
Companies are increasingly using application program interfaces (APIs) to rapidly develop and deploy innovative applications and services to support their businesses.
But APIs are not only a gateway to innovation; they can also serve as a gateway to security breaches. There is growing recognition that as companies rapidly innovate by building and deploying superior software and services via the creative use of data and SaaS providers, it is essential to have a well-constructed API strategy that incorporates a plan to have meaningful security and privacy controls .
According to a report from Salt Security, many organizations are delaying new application launches due to concerns about API security. Keeping your cloud and API ecosystem secure is an essential element of any API strategy. But few organizations understand how to effectively incorporate access controls and data privacy as part of their API strategy.
Leadership may view APIs as a path to extend the organization’s business capabilities and generate more revenue opportunities, and therefore direct development teams to build greater value.
Taking up the challenge, developers may leverage APIs to connect internal development teams and provide better services to the organization’s end customers. By connecting to external third-party companies, more value is added to the organization.
While the developers are adding greater functionality and capability to their organization’s cloud/API ecosystem, many aren’t paying close attention to information security or data privacy obligations across their cloud ecosystem. Each organization should know how the data is secured and processed and what it is being used for.
If not, the organization has potentially lost control of its data. If the data is misused, lost or unsecured, the advantages that an API strategy brings regarding the rapid development and deployment of applications and services, may be quickly wiped out
Here are four recommendations that can help your organization incorporate data security and privacy into its API strategy.
Control API usage
You should know which APIs are being developed internally, which are connecting to third-party suppliers, and which are being consumed. Pay attention to how your organization’s APIs are integrating with the various companies that come into your ecosystem.
Controls need to be strong enough to hold steady as you begin to connect via APIs to third-parties. While larger companies often have controls in place, the more vendors an organization uses, the greater the possibility that controls will weaken, leaving the organization vulnerable to a breach.
If your customer's credit card information is being accessed by a vendor, for example, it’s necessary to carry out a due diligence assessment of that vendor to ensure that credit card information has not been compromised.
Understand the security provisions for SaaS providers in your ecosystem
When connecting via an API to a SaaS provider, your organization is on the hook for ensuring that the data is held securely and used appropriately.
This is true for the software or service your organization is consuming or when partnering with another SaaS provider to offer an integrated solution using your API. You should ask your SaaS provider(s): “What kinds of security and data privacy controls are in place, and who is monitoring the effectiveness of those controls?”
Also check the reports that they are generating; not all reports carry equal weight. For example, a SOC 2 type 1 is basically a description of the controls and supports limited testing. A SOC 2 type 2 is supported by significantly more testing and validation. Additionally, review their Software Development Lifecycle (SDLC) processes, ensuring that the necessary controls and oversight are in place.
Furthermore, look at the experience and training of the developers and determine what they know about API security and if they have been trained on the OWASP API Security top 10.
Consider your customers’ security and privacy obligations and regulatory frameworks
If you are offering customers a service or software via APIs, ensure that your Information Security Management System (ISMS) is in place and includes the necessary data privacy processes and controls. It is not uncommon to overlook your customer’s security and privacy obligations and compliance requirements. By understanding these requirements, you are able to successfully navigate their due diligence process
Centralize control over your API ecosystem
Centralizing your APIs can provide the necessary oversight to deliver greater assurances around data security and privacy. It enables you to manage the development and control the consumption of APIs, and if done correctly provides an organization with oversight and control over data movement, while providing your developers the ability to easily connect with thousands of API.
APIs enable innovation and agility. But without an API strategy that includes strong and capable security and data privacy controls, businesses are putting themselves at great risk. By following these best practices and leveraging an API platform that centralizes your API’s, your organization can securely leverage APIs to their fullest advantage.
Written by Crispen Maung, Information Security and Data Privacy at RapidAPI.