API Security: The Big Picture

Application programming interfaces (APIs) have become a critical part of modern business. They allow businesses to be more competitive and to meet market pressures by pushing capabilities closer to customers and increasing the pace at which a company develops and deploys its applications. Therefore, it is no surprise that many security teams consider API security a top priority in the coming year. It is also no surprise that a host of API security vendors are clamoring for that business.

As with any market that is heating up, security buyers face a tremendous amount of noise, confusion, and, yes, marketing verbiage. Obviously, hype won't solve operational security problems. How can security buyers cut through the puffery and evaluate API security solutions? What are some important points to consider that often get lost in the noise?

In my opinion, it is helpful to consider the big picture, rather than just examine individual features or address issues tactically. Here are 10 strategic considerations when evaluating an API security offering.

1. Multiple Environment Capability

API security isn't very helpful if it doesn't work across multiple environments. We once believed that we would gradually migrate everything to the cloud, but what most enterprises find themselves facing these days is a complex hybrid environment consisting of applications and APIs deployed on-premises, in private data centers, and in multiple different cloud environments.

Managing this complexity has become a heavy burden on enterprises, greatly impacting their ability to adequately secure APIs. Thus, any viable API security solution needs to be able to manage that security across complex hybrid and multicloud environments.

2. Simplified Management

It may be tempting to purchase point solutions for API security for different environments, but this approach adds complexity and yet another tool to learn, operate, manage, and maintain. A better approach is to consider API security as part of an overall platform designed to simplify the management and security of hybrid and multicloud environments.

3. Simplified Deployment

Keeping APIs secure isn't only about defending against attacks — it is also about ensuring the API deployment is simplified and standardized. When it isn't, the potential for human error, oversights, vulnerabilities, and unknown/unmanaged API endpoints increase. It also introduces the risk of getting locked into a particular cloud environment, which necessitates migrating applications and APIs in order to move providers — a costly and tedious process that, if not done meticulously, can introduce serious security issues.

When seeking an API security solution, look for one that is part of an overall platform that also addresses the need to simplify and standardize deployment across multiple environments without getting locked into any one of them.

4. Uniform Security Policy

Policy is also an important part of API security, as is applying it uniformly and universally, in an environment-agnostic way. Uniform security policy application is another key component of the big-picture approach to API security.

5. Discovery and Remediation

Unknown/unmanaged APIs are a huge issue for enterprises. However, API discovery is only half of the battle. The other half involves remediation in the form of inventorying, managing, and securing those discovered APIs. All of this is easier as part of that big-picture API security approach.

6. More Than Just API Gateways

Unfortunately, while API gateway solutions are helpful, they are not sufficient. They do not protect against sophisticated attacks or help enterprises manage their APIs across multiple different environments. They should be incorporated as part of a broader, more strategic approach to API security.

7. Beyond WAFs

As with API gateways, Web application firewalls (WAFs) are also not sufficient against today's sophisticated threat landscape. A variety of security measures are needed to properly secure APIs, including protection against advanced automated attacks, fraud, and targeted attacks. Although WAFs are an extremely important tool, they need to be augmented by a more holistic API security platform that incorporates protection against the most advanced threats.

8. Threat Intelligence

The rate at which attackers learn, evolve, and hone their techniques is daunting. Simply put, it is hard to keep up, making integrated threat intelligence another important piece of the API security puzzle.

9. Visibility

Much of this article has focused on protective controls and measures, but security professionals know that they also need detective controls and measures. Continuous security monitoring and incident response require many tools, processes, and training, but they also require visibility in the form of telemetry data. No API security solution is complete without the ability to bring the big-picture component of visibility across multiple environments.

10. The Human Element

Last but not least, API security is not about technology alone. While the right platform with the right capabilities is quintessential to API security, so are having the right processes and the right team with the right training.

As tempting as it may be to focus on tactical features when it comes to API security, doing so is a strategic error. API security requires a holistic approach in which enterprises manage API security and all of the people, process, and technology around it. When security buyers evaluate API security solution providers, it is important that they take into account the big picture and plan for the gamut of issues that ultimately present themselves around the topic of API security.