You wouldn’t leave your front door open for the day, would you? That’s just common sense. This kind of security sense applies to a business’s digital assets too, however it may not be enforced as diligently. When it comes to protecting digital data, it all starts with being aware.
If you are making API services available to customers and partners anywhere, it’s more important than ever to do so with the right balance of security and availability. Compare your approach to the nine best practices below and learn how to strike the right balance.
Be creative and inventive without putting data at risk
API access control and policy rules let you be transparent without compromising corporate security and regulatory compliance.
Give developers access to common services for seamless cloud integration
Implement a consistent API-centric integration layer for cloud-to-ground data exchange, and ensure that existing identity services are extended to new cloud applications.
Know how data and services are being accessed from everywhere
Use your API platform as a central point for governing the flow of data to and from the cloud and mobile apps, between business applications, with partners, and across customer-facing services.
Prepare for the dreaded IT or security audit
Use application and API management platforms to maintain irrefutable and actionable information about how your IT services interact with on-premise, cloud and mobile apps and service
Protect all APIs — even internal APIs — against hijack and attack
Add security measures to safeguard the API service control layer and block common web API (REST and SOAP) attacks.
Guarantee service-levels for both internal and external customers
Allow business and technical users to measure, monitor and act on changes in performance or demand.
Think of security as a window, not a wall
With the right security in place, you can open up data to mobile access, cloud integration and partner collaboration. Use identity management infrastructure along with API-specific identity patterns (OAuth, for instance) to provide safe access to APIs.
Separate service exposure from policy enforcement
Give API developers a suite of standard and reusable policy rules that can be easily applied to micro-services that represent the specific needs of a given application.
Protect back-end services from unusual traffic patterns
Set limits and expectations for API services and their consumers to manage scale and traffic expectations, and protect back-end services from malicious activity.
Final thought
One of the main issues with the battle between availability and security is the misconception that these cannot coexist. Security should be a consideration in each and every business process, while organisational processes and end users should always be on the collective mind of security practitioners.
Vince Padua is VP Platform Innovation and Technology at Axway.