One of the biggest reasons we adopt new technology, and justify the development of new technology, is we do not want to do the heavy lifting when it comes to what we already have in place. A common illness when it comes to API security that I’ve been battling since 2015 is that you will have API security addressed once you adopted an API management solution. Your APIs require API keys, and thus they are secure. No further work necessary. The unwillingness or lack of knowledge regarding what is needed next, leaves a vacuum for new technology providers to come in and sell you the solution for what is next, when you should be doing more work to use the tools you already have.
When it comes to API management, most vendors sold it as purely a security solution, and when companies implement it they become secure. Missing the entire point for why we do API management-—to develop an awareness of our API usage and consumption. Having keys for your APIs is not enough. You actually have to understand how those API consumers are putting API resources to work, otherwise your API security will always be deficient. Some of the fundamentals of API management you should be employing as part of your API security are:
- Registration - Make all developers sign of for API usage, establishing the terms of use.
- API Keys - Require all developers internal or external to use API keys for every application.
- API Usage - Which APIs are being used by all API consumers putting them to use in applications.
- API Errors - Understanding what the errors being generated are, and who is responsible for them.
- Logging - The logging of all API traffic, reconciling against what you know as reported usage.
- Invoicing - Invoicing of all consumers for their usage, even if they aren’t paying you money.
- Reporting - Provide reports on API usage for all stakeholders, to regularly develop awareness.
These are the fundamentals of API management, however API keys and tokens seem to be the part that people feel is API security. Where API security is really all about actually developing a real-time awareness of who is using your API resources. Leaving your finger on the pulse so that when anything changes, or error rates are elevated, you already have a base level of awareness and can easily respond by shutting off keys, or limiting overall access to resources by offending applications.
There is much more that can be done in the name of API security. This is just a list of the elements of API management that contribute to API security, which are often neglected. Having API management does not equal API security. Properly applying API management contributes to API security, it is never API security by itself. If you aren’t doing API management properly, you are more likely to fall for the next generation of API security providers who are machine learning focused, promising to do the hard work of managing awareness for you, so you don’t have to. Your unwillingness to do the work in the first place, and properly understand the role that awareness of your traffic, makes you a ripe target for selling the next wave of API security solutionism. Good luck with that!
