APIs have become a critical part of modern business. They allow businesses to be more competitive and to meet market pressures by pushing capabilities closer to customers and increasing the pace at which a company develops and deploys its applications. Given this, it is no surprise that API security is a top priority for many security teams in the coming year. It is also no surprise that a number of different API security vendors are clamoring for that business.
As with any market that is heating up, security buyers face a tremendous amount of noise, confusion, and yes, marketing verbiage. Obviously, hype won't solve operational security problems. How can security buyers cut through the hype and evaluate API security solutions? What are some important points to consider that often get lost in the noise?
In my opinion, it is helpful to consider the big picture, rather than only examining individual features or addressing issues tactically. Here are 10 strategic things to look for in an API security offering.
1. Multiple Environment Capability
API security isn't very helpful if it doesn't work across multiple environments. We once believed that we would gradually migrate everything to the cloud, but that never happened in most enterprises. What most enterprises find themselves facing these days is a complex hybrid environment consisting of applications and APIs deployed on-premises, in private data centers, and in multiple different cloud environments.
Managing this complexity has become a heavy burden on many enterprises and has greatly impacted their ability to adequately secure APIs. Thus any viable API security solution needs to be able to manage that security across complex hybrid and multicloud environments.
2. Simplified Management
While it may be tempting to purchase point solutions for API security for different environments, this approach only adds complexity and yet another tool to learn, operate, manage, and maintain. A better approach is to consider API security as part of an overall platform designed to simplify the management and security of hybrid and multicloud environments.
3. Simplified Deployment
It is important to remember that keeping APIs secure isn't only about defending against attacks — it is also about ensuring the API deployment is simplified and standardized. When it isn't, that opens up the potential for human error, oversights, vulnerabilities, and unknown/unmanaged API endpoints. It also introduces the risk of getting locked into a particular cloud environment, which necessitates migrating applications and APIs in order to move providers, a costly and tedious process that, if not done meticulously, can introduce serious security issues.
When seeking an API security solution, look for one that is part of an overall platform that also addresses the need to simplify and standardize deployment across multiple environments without getting locked into any one of them.
4. Uniform Security Policy
Policy is also an important part of API security, and so is applying it uniformly and universally, in an environment-agnostic way, so that the same rules hold for an API whether it runs on-premises or in any given cloud. Uniform security policy application is another key component of the big-picture approach to API security.
5. Discovery and Remediation
Unknown/unmanaged APIs are a huge issue for enterprises. However, API discovery is only half of the battle. The other half involves remediation in the form of inventorying, managing, and securing those discovered APIs. All of this is easier as part of a big-picture approach to API security.
6. More Than Just API Gateways
Unfortunately, while API gateway solutions are helpful, they are not sufficient. They do not protect against sophisticated attacks, nor do they help enterprises manage their APIs across multiple different environments. They should be incorporated as part of a broader, more strategic approach to API security.
7. Beyond WAFs
As with API gateways, Web application firewalls (WAFs) are also not sufficient against today's sophisticated threat landscape. A variety of security measures are needed to properly secure APIs, including protection against advanced automated attacks, fraud, and targeted attacks. While WAFs are an extremely important tool, they need to be augmented by a more holistic API security platform around them that incorporates protection against the most advanced threats.
8. Threat Intelligence
The rate at which attackers learn, evolve, and hone their techniques is daunting. Simply put, it is hard to keep up with the pace, making integrated threat intelligence another important piece of the API security puzzle.
9. Visibility
While much of this article has focused on protective controls and measures, security professionals know that they also need detective controls and measures. Continuous security monitoring and incident response require a great many tools, processes, and training, but they also require visibility in the form of telemetry data. No API security solution is complete without the ability to bring the big-picture component of visibility across multiple environments.
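The discovery and remediation point (item 5) and the visibility point (item 9) meet in practice when the telemetry an API platform already collects is compared against the inventory of APIs the organization believes it manages. The following Python is an added example, not code from the original article or from any vendor it discusses: it reads a few constructed gateway access-log lines from three hypothetical environments, matches each request path against a constructed inventory of OpenAPI-style path templates, reports which endpoints are unmanaged and where they were seen, and proposes a draft inventory template for each unmanaged path as a first remediation step. The environment names, service names and paths are all assumptions made for the example.

```python
"""Added example: find API endpoints present in gateway telemetry but absent
from the managed inventory, across several environments.

The inventory and the log lines below are constructed for this example."""
import re
from collections import defaultdict

# Constructed: managed path templates per service, written the way an
# OpenAPI document lists them (hypothetical services and paths).
INVENTORY = {
    "orders": ["/v1/orders", "/v1/orders/{id}"],
    "users": ["/v1/users/{id}", "/v1/users/{id}/sessions"],
}

# Constructed gateway access-log lines: <env> <method> <path> <status>.
# Three environments stand in for an on-premises site and two clouds.
ACCESS_LOG = """\
onprem GET /v1/orders 200
onprem GET /v1/orders/123 200
aws POST /v1/users/42/sessions 201
aws GET /v1/users/42/export 200
gcp GET /internal/debug/config 200
gcp DELETE /v1/orders/123 403
onprem GET /v2/orders 200
"""

LOG_RE = re.compile(r"^(?P<env>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def template_to_regex(template):
    """Turn '/v1/users/{id}' into a regex matching one concrete path segment
    per '{param}' placeholder; literal segments are escaped."""
    parts = []
    for seg in template.strip("/").split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


# Compiled once so classification is a simple scan per log line.
COMPILED = [(svc, tmpl, template_to_regex(tmpl))
            for svc, tmpls in INVENTORY.items() for tmpl in tmpls]


def classify(path):
    """Return (service, template) for a managed path, else None.
    The query string is dropped before matching."""
    path = path.split("?", 1)[0]
    for svc, tmpl, rx in COMPILED:
        if rx.match(path):
            return svc, tmpl
    return None


def propose_template(path):
    """Draft an inventory entry for an unmanaged path by generalizing purely
    numeric segments to '{id}'; a human still reviews it before adoption."""
    segs = [("{id}" if seg.isdigit() else seg) for seg in path.strip("/").split("/")]
    return "/" + "/".join(segs)


def discover(log_text):
    """Map managed (service, template) pairs and unmanaged raw paths to the
    set of environments in which each was observed. Malformed lines are
    skipped rather than aborting the run; a 4xx response still counts as an
    observed endpoint, since the endpoint exists even if the call was denied."""
    managed = defaultdict(set)
    unmanaged = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m["path"])
        if hit:
            managed[hit].add(m["env"])
        else:
            unmanaged[m["path"]].add(m["env"])
    return dict(managed), dict(unmanaged)


if __name__ == "__main__":
    managed, unmanaged = discover(ACCESS_LOG)
    for (svc, tmpl), envs in sorted(managed.items()):
        print(f"managed   {svc:8s} {tmpl:28s} seen in {sorted(envs)}")
    for path, envs in sorted(unmanaged.items()):
        print(f"UNMANAGED {path:37s} seen in {sorted(envs)} -> draft {propose_template(path)}")
```

Run as a script, it prints three unmanaged endpoints (a per-user export, an internal debug endpoint, and a v2 path) together with the environment each surfaced in; in a real deployment the inventory would come from the API platform's catalog and the log lines from its telemetry pipeline, and the unmanaged list would feed the inventorying and policy steps the article describes.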
10. The Human Element
Last, but not least, API security is not about technology alone. While the right platform with the right capabilities is essential to API security, so are having the right processes and the right team with the right training.
While it may be tempting to focus on tactical features when it comes to API security, it is a strategic error to do so. API security requires a holistic approach in which enterprises manage API security and all of the people, processes, and technology around it. When security buyers evaluate API security solution providers, it is important that they take into account the big picture and plan for the full range of issues that ultimately present themselves around the topic of API security.