What’s in a (Security) Name? Turns Out, Plenty

“Who would claim to be that who was not? Hmm?”

This iconic rhetoric, from the 1987 film, “The Untouchables,” was delivered by Sean Connery’s street-wise policeman Jim Malone when he first meets Kevin Costner’s principled treasury officer Eliot Ness.

The highlight reel: Ness was upset that Malone didn’t investigate him further after discovering that Ness, who identified himself as a treasury officer, was carrying a concealed weapon. As fans of the film know, the two ultimately form the titular group – The Untouchables – to battle Robert De Niro’s Al Capone in 1930s Chicago.

While powerful movie dialogue, in the real world the answer to that question is “plenty.” Vendors constantly bombard us with claims that users need to examine thoroughly rather than accept as gospel.

In the consumer realm, Consumer Reports is a reliable ally. The nonprofit watchdog organization is a steadfast proponent of consumer self-education and frequently produces informative articles on how to decipher labels, particularly those that pertain to food products.

However, in the IT world, it can be more difficult to navigate vendor marketing-speak. That’s especially the case when it comes to security.

The ‘APIcenter’ of Modern Computing – and (In)Security

As we’ve discussed, APIs are the instrumental interconnection points – what we sometimes refer to as “the connective tissue” – of our modern computing architecture. A companion technology, Identity and Access Management (IAM), is also essential in providing the authentication and access control to APIs.

Enterprises understand APIs’ tremendous business value. Unfortunately, so do hackers.

2017 was a watershed year for API (in)security, and 2018 is shaping up to be even worse. High-profile incidents involving Reddit/Mailgun, Roku, Panera and, just this week, Google, continue to demonstrate that the security of APIs is a misunderstood and, far too often, unpracticed discipline.

Knowing (The Difference) is Half the Battle

To help security professionals implement a sound API and IAM security strategy, our CTO, Jason Macy, recently authored an Executive Insight column published in SC Media UK. In the piece, Jason cautions that “API security and IAM security…are starting to lose meaning by their association with vendor marketing that dilutes the definition of security.”

Further, he advises, “customers must look beyond the marketing statements to understand the difference between a security product and a toolkit” as well as frameworks and adapter-based solutions professing similar security claims. “Whereas a toolkit bolts on security” to an architecture that “is vulnerable to attack,” Jason continues, “an API or IAM security product is built with a secure, locked-down architecture with self-integrity checks to ensure the product itself is not able to be compromised.”

Emblematic of this distinction is the API Security Gateway. This technology, Jason states, is “where ‘Security’ means the literal, cyber-hardening of the Gateway product itself so that API and IAM enablement can be done securely and without risk of compromise.”

Last month, one of the central themes of Forum Systems’ annual London API Summit was examining the security shortcomings of toolkits, agents and adapters, and contrasting them with the comprehensive functionality of an API Security Gateway. Director of Field Operations Greg DiFruscio explored the same topic in his “Combine API and IAM into a Simplified and Secure Architecture” session at API World 2018.

If you were unable to attend one or both of those events and would like to learn more, please contact us at info@forumsys.com.