APIs have been around for decades, but have lived in the realm of technical development and only recently moved away from relative obscurity to significant economic relevance. One of the early drivers of the API economy was Amazon's e-commerce web APIs. Over a decade ago, Amazon APIs turned rudimentary mom-and-pop websites into powerful commercial web properties by providing a tap into Amazon's powerful commerce engine. Recently, James Parton of Twilio proclaimed, "APIs are going to be the driver for the digital economy and unless they [companies] are talking about APIs already, they will be left behind."
While APIs can stand alone as a discussion topic, for the purpose of this blog I'm putting them into a much larger context. We set the table in June, discussing how six IT trends impact identity and how each can make or break your business strategy. The discussion began with a webinar, Beyond the Firewall: How a New IAM Architecture Takes Your Business Forward (listen to the recording or read the white paper). Last week, I wrote a post expanding on the first of the six trends, cloud apps. Today, let's continue the discussion with APIs.
Some of you might be asking, "So what is an API, anyway?" An API, or application programming interface, allows one software application to interact with another, such as a retail store app utilizing Google Maps to show you where they're located. Here are just a few examples that make APIs indispensable in the mobile/web/Internet of Things world we live in:
Native mobile applications - Many of the most powerful enterprise mobile applications use APIs to access enterprise data and systems.
Social login - Facebook, Twitter and Google APIs streamline user experience, provide instant identity and give application vendors valuable demographic data.
Maps and directions - Google APIs allow you to embed Google Maps in your web application.
HTML5 applications - Deliver a great user experience from any device.
APIs represent a huge market opportunity for many companies and can drive amazing revenue, as noted by a recent article in Forbes. "Salesforce.com, for example, generates nearly 50 percent of its annual $3 billion in revenue through APIs; for Expedia, that figure is closer to 90 percent of $2 billion."
APIs also represent a security risk that requires management. Gartner puts it this way, "In today's digital business world, where many sensitive and critical functions are deployed as services and exposed through Web APIs, API protection is an increasingly important task."
Unfortunately, most organizations have built their security perimeter around a traditional firewall architecture, where users inside the firewall are authenticated through web access management (WAM) products like CA SiteMinder. Although WAM solutions make internal web applications more secure, generally they do not secure APIs needed for native mobile applications and other web applications.
The best solutions for managing access to APIs share several key characteristics. They should:
Replace or extend existing IAM infrastructure to secure both web applications and APIs.
Employ a standards-based approach that eliminates the need for local password storage on mobile devices.
Use a proxy-based approach with a central policy server for both web and API access.
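The last two characteristics, a short-lived token in place of a stored password on the device and a single proxy that consults one central policy for both web and API paths, can be sketched in a few dozen lines. This is an added illustration, not code from the post or from any product it names; the HMAC token format, the shared secret, the path-to-scope policy table and the request shape are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the token issuer and the proxy (assumption,
# not a real credential); in practice this lives in an HSM or secrets manager.
ISSUER_SECRET = b"demo-issuer-secret-not-for-production"

def issue_token(subject, scopes, ttl=300, now=None):
    """Issue a short-lived, HMAC-signed bearer token. The mobile app keeps this
    token instead of the user's password, so no password is stored on the device."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "scp": scopes, "exp": now + ttl},
                         sort_keys=True).encode()
    sig = hmac.new(ISSUER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(sig).decode())

def verify_token(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(ISSUER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    return None if claims["exp"] <= now else claims

# Central policy table (constructed): browser-facing web paths and API paths are
# governed by the same rules, so the proxy enforces one policy for both.
POLICY = {
    "/web/orders": {"orders:read"},
    "/api/v1/orders": {"orders:read"},
    "/api/v1/orders/refund": {"orders:refund"},
}

def policy_decision(path, claims):
    """Central policy server stand-in: is every required scope present?"""
    required = POLICY.get(path)
    return required is not None and required.issubset(claims["scp"])

def proxy_request(method, path, headers, now=None):
    """Policy-enforcing proxy: authenticate, ask the policy server, then forward.
    Returns (status, message); 200 means the request would be forwarded upstream."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    if not policy_decision(path, claims):
        return 403, "denied by central policy"
    return 200, f"forwarded {method} {path} for {claims['sub']}"
```

The same `proxy_request` front door serves the HTML5 app and the native mobile app, which is the point of putting a central policy server behind one proxy rather than bolting a separate check onto each API.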
So, how do you secure your APIs? How are you implementing authentication from native mobile applications? Does your existing identity and access management (IAM) stack support your future API needs?
Coming next week: BYOD and the Internet of Things (IoT) and the challenges they present for traditional IAM.