We’ve previously explored the growing importance of APIs to the business and their place in the traditional technology stack at layer eight. The relevant part for today’s discussion is this bit:
Value today is found in APIs and the way business and technology use them.
It’s not just that APIs are used to exchange data. Well-defined APIs describe processes – both business and operational – that enable automation and bring new efficiencies to how we develop and operate a business. Well-defined APIs are the digital representation of the business and expand opportunities to new markets and business models.
This is important because the processes – both business and operational - described by APIs are tied to two very important concepts in a digital as default world: ecosystems and marketplaces.
It is not hard to see that much of the digital economy today is driven by APIs. APIs enable sellers to participate in marketplaces. Those marketplaces are the shopping malls of the digital age, bringing together a diverse set of sellers into a single, accessible location to facilitate shoppers. Ultimately, this is achieved through APIs.
Even outside the digital mall, there is a growing ecosystem that enables independent businesses to participate in the digital economy. Delivery services, transportation, and restaurants are all increasingly using APIs to become a part of a digital ecosystem that allows consumers to purchase and pay for goods and services from the comfort of their phones at home.
Based on our estimation, the number of APIs worldwide (public or private) is already approaching 200 million.
The well-known platform for APIs, Postman, also saw incredible global growth of APIs in just the past year.
Over the past 12 months, Postman users signed in from an impressive 234 different countries and geographies while making 855 million API requests (up 56% from the prior year).
Inside the organization, APIs are also growing at an exponential rate. Whether it’s to enable infrastructure as code or automate development and deployment pipelines or as the primary means of integration between microservices, monoliths, and mobile phones, APIs are proliferating at a phenomenal rate.
And while that’s all good news and enables business of all sizes and shapes to participate in the digital economy, it also has consequences if APIs are not considered as the strategic asset they are.
Governing a growing API portfolio
As APIs continue to grow in popularity, it will become increasingly difficult for organizations to be able to effectively manage and control them. There are multiple considerations where governance is required, among them:
Versioning: This includes deprecation of APIs over time. Mismatches in API versions and capabilities can lead to broken processes and poor customer experiences. Failed transactions due to outdated APIs to financial institutions – including payment processers – can lead to denial of access when the invoking code is flagged as fraud for continued failure. Breakdowns in supply chains can be devastating to the reliability of services and subsequently negatively impact the entire business.
Bottom line: APIs are contracts, and as such, there are responsibilities designated to both consumer and provider. Organizations need to clearly manage versioning of APIs with an eye toward clear communication and the ability to support multiple versions at the same time if rollouts of updates will take considerable time. Clear documentation and communication is vital to the success of API ecosystems and marketplaces.
Access control: The ability to accurately identify the user of an API is critical in defending against fraud and abuse. This is particularly important in ecosystems where communication is app to app, such as payment processing for retailers and marketplaces. APIs are invoked by apps, and the process governed by apps, so the question is no longer "is the user a machine" because, of course, it is. The question is, "what does the behavior of this user tell me about their intention – it is abusive or fraudulent or legitimate?"
Bottom line: Organizations need to modernize their approaches to API security and incorporate both modern and adaptive methods of security, including behavioral analysis and content inspection. New approaches that allow access and invocation of APIs based on the risk associated with the user –beyond identity – will be critical to solving this problem at scale.
Secret management: Secret management is not peculiar to APIs, but its importance is magnified by the reliance of APIs providers on tokens and keys to establish authority to invoke an API. Amplifying the challenge of managing these secrets is the increasing movement toward digital services that span multiple channels – from mobile to web across multiple back-end applications – as well as multiple locations – from cloud to data center to edge. Too often, secrets are leaked in shared code across the web or easily gleaned from simple, client-side scripts.
Bottom line: We have, as an industry, relied upon traditional technologies to establish identity and determine access rights to just about every resource. As the number of APIs and the users that invoke them continues to expand, the number of tokens and keys that must be managed will become unwieldy. Dynamic authentication and authorization will be required to eliminate the use of ‘hardwired’ credentials, keys, and tokens to manage access to APIs
The API-driven economy depends on API governance
The term governance is all too often associated with security, but the reality is that API governance is a practice of establishing frameworks and guardrails that improve the development and operation of APIs. That includes versioning management and documentation as well as more security-related practices.
The key is those practices. No single tool will govern a growing API portfolio nor tame the growing beast that is API sprawl. Practice - and determination - to put in place the right tools, frameworks, and guardrails will enable organizations to move securely at speed as they increase their share of the growing digital economy.