Brilliance Security Magazine had the distinct pleasure of sitting down with Ashish Vaid, Vice President of Technology for Akana, at the Black Hat 2015 conference in Las Vegas. His enthusiasm for and in-depth knowledge of the use, growth, direction, and security issues related to APIs were quite impressive.
Many companies are addressing the new digital economy by making data and applications available as APIs. APIs are used in mobile applications, cloud applications and the Internet of Things (IoT). While APIs connect companies with mobile apps and a large community of developers, these APIs also need to be scalable, reliable, and, most importantly, secure. Mr. Vaid says “as more and more businesses start monetizing their resources, through digital channels, they need to become more vigilant about security and protect their APIs against threats and hacks.”
He points out that the API is a major point of vulnerability, given its ability to offer programmatic access to external parties with few organically available controls. Security, therefore, is an essential element of any organization’s API strategy.
He explained how B2C (Business to Customer), B2E (Business to Employee), and B2B (Business to Business) interactions all require secure APIs for integration with mobile apps and even custom devices. He illustrated this point with the example of a large airline. Airline customers are no longer satisfied with interaction only through a website. They insist on access to a well-designed mobile application. Employees of an airline are likely to use custom devices that need access to passenger lists and other sensitive data. And lastly, business partners such as hotels and rental car companies need to exchange customer data and purchasing habits to effectively provide their services to the shared customers.
So what about security for these data channels? Mr. Vaid points out that understanding web security is not the same thing as understanding API security. While web security focuses on web access, API interactions are a lot richer and reach deeper into the enterprise. Although API security shares many aspects with both website security and network security, it is also fundamentally different, both in its usage patterns and in the unique areas of additional risk to which APIs are susceptible. For instance, APIs move the boundary of interaction from the web tier to the backend applications and data sources. He claims that businesses that underestimate API security are paying the price or, more importantly, their customers are paying the price – often in stolen personal information.
When pressed to explain how Akana provides API security, Mr. Vaid used the items found on the table at which he sat for the interview, such as pen, paper, and business cards, to illustrate how the Gateway sits between the mobile app and the API. He explained that the Gateway, which can be deployed either on-premise or in the cloud, provides security through its authentication, authorization and audit capabilities. He says the API Gateway solution streamlines management, deployment, development and operation of APIs and enables enterprises to standardize API and service delivery with high security, performance, and availability.
Ashish was quick to point out that while API security is critical, Akana offers a complete API management platform. This API management platform accelerates outreach across digital channels, drives partner adoption, monetizes digital assets and provides analytics to optimize digital transformation.