In one episode of the television show This Old House, a homeowner needed to install a new electrical outlet. When he peeled back the existing wallpaper, he found another layer of wallpaper beneath it, then another, and then several coats of paint before he reached the original plaster wall. Once through the plaster, he found a tangle of unidentified cables, electrical wires, gas lines and pipes. It could have been a nightmare without someone with the right expertise to navigate the house’s infrastructure and bring it up to code.
So often in the enterprise IT environment, we build layer after layer of technology on top of one another. This can be a good thing: multiple layers of security, for example, help protect systems and users. At some point, though, IT managers, developers and architects need to get at the plaster and wiring underneath, the data and APIs that provide access to applications both inside and outside the corporate firewall, in order to deliver new functionality and apps.
Custom code written as a one-off project to reach a single API ends up adding to the wiring behind the firewall and creates unneeded complexity. That complexity only grows as cloud and mobile initiatives are implemented, modern application service architectures are put in place, and the number of APIs that apps must reach keeps multiplying.
This loose network of APIs sprawled across the enterprise presents serious challenges for enterprise app architects and developers, who have to find a way to secure access both to and from those APIs. At the same time, opening up the plaster, the data and application functionality, to users and applications can help an organization transform its business and clear the path for new revenue streams.
This Old House host Tom Silva said, “I don’t like going over anything old, whether it’s a roof shingle or wallpaper. Take it off and see what’s below. If it has to be fixed, fix it.”
While we don’t recommend ripping out good work that you’ve already done, we do recommend putting in place a proper API infrastructure that takes into account future growth and is scalable, agile and secure.
But how do you create such an infrastructure?
Build a Strategy
Because APIs provide access to applications and data, a well-thought-out strategy should be created and implemented. This strategy should include input from key stakeholders and further the vision of the business. It should enable the company to deliver on corporate goals and growth plans. The strategy should determine the best solution for exposing APIs and data in the most secure way, while allowing for scalability and future growth. Much like building a house, this strategy provides the blueprints that make the program successful.
A significant part of the strategic planning process should be devoted to evaluating API gateways. Choosing the right API security solution will help speed the time of development as the company creates new applications with access to backend data.
Just as the wiring of a house should be somewhat future-proof, so should an API strategy.
Manually coding security requirements for every API is slow and tedious. In a world where agility is mandatory, this simply won’t work. Nor will an API management product that carries serious security weaknesses of its own, such as allowing arbitrary custom code to be installed in the path that handles requests. Just as you can’t punch a hole in the wall every time you want to add an electrical outlet, you shouldn’t punch a hole in your firewall for every application. Instead, evaluate systems that scale access to backend systems by providing a single point of entry, and that integrate with current systems with minimal disruption.
Determining who will have access to backend data is an equally important part of the strategy. Providing access to employees, partners, customers and other stakeholders introduces a different level of risk for each group. Most organizations will need a combination of private and public access, so monitoring and reporting on who called which API, and what they were allowed to do, becomes essential to keeping the system secure.
It should go without saying that any strategy or solution must fit the current security architecture requirements, yet this is often overlooked until just before implementation. To avoid that, create a detailed scope that outlines every aspect of security required. In addition, evaluate solutions to ensure they integrate with your identity management system rather than maintaining a separate store of users and credentials.
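The strategy above describes the gateway as a single point of access that decides who may reach which backend, plugs into the identity management system instead of keeping its own user store, and records every decision for monitoring and reporting. The following is an added example, not code from the original article or from any particular product, of that pattern in Python using only the standard library. It assumes a hypothetical identity provider that issues HS256-signed JWTs with a shared secret; `IDP_KEY`, `issue_token`, `ROUTES`, `BACKENDS` and the sample secret are all constructed for the example, and a real deployment would verify tokens against the provider’s published public keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed demo secret standing in for the trust relationship with the identity provider.
IDP_KEY = b"constructed-demo-secret-do-not-reuse"


def issue_token(subject: str, audience: str, key: bytes = IDP_KEY, ttl: int = 300, now=None) -> str:
    """Stand-in for the identity provider: mint an HS256 JWT with sub/aud/exp claims."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "aud": audience, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = IDP_KEY, now=None) -> Optional[dict]:
    """Gateway-side check: pinned algorithm, constant-time signature compare, expiry."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm-confusion tricks
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):  # bad structure, bad base64, bad JSON
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


# Route policy (constructed): which audiences may reach which backend; "public" needs no token.
ROUTES = {
    "/public/catalog": {"public", "customer", "partner", "employee"},
    "/partner/orders": {"partner", "employee"},
    "/internal/hr": {"employee"},
}

# Constructed stand-ins for the backend systems behind the gateway.
BACKENDS: Dict[str, Callable[[Optional[dict]], dict]] = {
    "/public/catalog": lambda c: {"items": ["widget", "gadget"]},
    "/partner/orders": lambda c: {"orders_for": c["sub"]},
    "/internal/hr": lambda c: {"employee": c["sub"]},
}


class Gateway:
    """Single point of access: authenticate, authorize, record the decision, then forward."""

    def __init__(self, backends, key: bytes = IDP_KEY):
        self.backends = backends
        self.key = key
        self.audit_log = []  # structured records feeding monitoring and reporting

    def handle(self, path: str, token: Optional[str] = None, now=None):
        allowed = ROUTES.get(path)
        claims = verify_token(token, self.key, now) if token else None
        if allowed is None:
            decision, status = "unknown_route", 404
        elif "public" in allowed:
            decision, status = "allow_public", 200  # anonymous allowed; identity attached if valid
        elif claims is None:
            decision, status = "deny_unauthenticated", 401
        elif claims.get("aud") not in allowed:
            decision, status = "deny_unauthorized", 403
        else:
            decision, status = "allow", 200
        self.audit_log.append({
            "path": path,
            "sub": claims.get("sub") if claims else None,
            "aud": claims.get("aud") if claims else None,
            "decision": decision,
            "status": status,
        })
        body = self.backends[path](claims) if status == 200 else None
        return status, body
```

What the gateway refuses is the interesting part: a route that is not on the policy list, a missing, tampered or expired token, and a valid partner token presented to an employee-only route, each logged with its reason so the audit log can feed the monitoring and reporting the strategy calls for. The pinned `alg` check is what closes the well-known JWT `alg: none` and algorithm-confusion bypasses, and a product that lets arbitrary custom code into this request path is exactly the hole in the wall the strategy warns against.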
Wherever possible, security controls should exceed corporate requirements. If a solution depends on a cryptographic library with known, unpatched vulnerabilities (the OpenSSL Heartbleed bug is the obvious example), or cannot be patched promptly when the next one is disclosed, don’t use it. Make sure the solution’s core code is certified against a recognized standard; for cryptographic modules, FIPS 140-2 validation is the usual benchmark. Finally, hardware-based cryptography, with private keys held in a hardware security module so they never leave tamper-resistant hardware, is almost always the most secure option.
Evaluate and Optimize
While implementing your API infrastructure you may find and expose wallpaper, layers of paint that are no longer needed and unsafe wiring. If you have custom code and other solutions in place that are not as secure as they should be, the time to replace them is when you implement your API strategy.