How to Unlock the Potential of the API Economy. (Part 2)


By Gary Zimmerman, TechVision Research

In part 1 of this API economy blog series, we described how companies are becoming API-first in their approach to the emerging API economy, and how API management is key to the success of those efforts. Another key to success is addressing resource access and data protection policy decisions consistently across the assembled APIs.

To capitalize on the API economy, enterprises must implement technology with the following capabilities:

  • Collect APIs into Services and Expose Them: We referenced Stripe and Twilio examples in the last post. Those services are really collections of APIs that those companies chose to expose externally. The Cloudentity Authorization Control Plane allows enterprises to define, expose, monetize, and protect their own services as part of an API-first strategy. In terms of protection, Cloudentity moves well beyond traditional access models.
  • Deploy a Dynamic Authorization Model at Scale: This model shifts protection to focus on the resource being requested rather than only on who is asking, which creates an adaptive security model. For example, rather than basing access decisions on who and what alone, you could expand the context to include factors such as where the request is coming from, when the request is being made, and why the resource is being requested. The policies can be individually contextualized for each application and can be invoked thousands of times per second.
  • Externalize Security and Data Protection Policy Management: The solution externalizes access and privacy management to a dedicated tool with an administrative console, so developers no longer need to spend their time making security policy changes, and instead a security analyst or even an end-user can make security / privacy policy changes as necessary.
  • Allow Changes at Runtime: Because the application security / privacy checks are separated from the application code, an application’s resource access or data protection rules can be changed while the application is running. There is no need to refactor code to enforce a new security / privacy policy change. For example, if a customer’s shoe size suddenly becomes PII, the rules around keeping and sharing shoe size can be applied without opening the application code.
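To make the last three points concrete, here is a small resource-centric policy engine, added as an illustration and not Cloudentity's code or product API. The policy store, the resource names, the purposes and the request fields (who, what, where, when, why) are all hypothetical; the point is that the policy is data that can be changed at runtime, including marking shoe size as PII, while the application's authorize() call stays the same.

```python
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical externalized policy store: rules are keyed by the RESOURCE being
# requested and are edited as data by a policy admin, never by changing app code.
POLICIES = {
    "customer.shoe_size": {
        "pii": False,
        "allowed_regions": {"EU", "US"},
        "allowed_hours": (0, 24),          # UTC hours, [start, end)
        "allowed_purposes": {"fulfilment", "analytics", "marketing"},
        "pii_purposes": {"fulfilment"},    # the only purposes left once marked PII
    },
}

@dataclass(frozen=True)
class Request:
    subject: str      # who is asking
    resource: str     # what is being requested
    region: str       # where the request comes from
    at: datetime      # when it is made (timezone-aware)
    purpose: str      # why the resource is needed

def authorize(req: Request, policies: dict = POLICIES) -> tuple[bool, str]:
    """Policy decision point: default deny, evaluated on every request."""
    rule = policies.get(req.resource)
    if rule is None:
        return False, "no policy for resource"
    if req.region not in rule["allowed_regions"]:
        return False, f"region {req.region!r} not allowed"
    start, end = rule["allowed_hours"]
    if not start <= req.at.astimezone(timezone.utc).hour < end:
        return False, "outside allowed hours"
    if req.purpose not in rule["allowed_purposes"]:
        return False, f"purpose {req.purpose!r} not allowed"
    if rule["pii"] and req.purpose not in rule["pii_purposes"]:
        return False, f"resource is PII; purpose {req.purpose!r} lacks a basis"
    return True, "allowed"

def reclassify(policies: dict, resource: str, **changes) -> dict:
    """Runtime policy change: returns a new policy set; authorize() is untouched."""
    updated = deepcopy(policies)
    updated[resource].update(changes)
    return updated

def constructed_request(purpose: str) -> Request:
    """Constructed sample request (not captured traffic) for trying the engine."""
    return Request("analyst-7", "customer.shoe_size", "EU",
                   datetime(2024, 5, 1, 10, tzinfo=timezone.utc), purpose)
```

Calling reclassify(POLICIES, "customer.shoe_size", pii=True) makes the same marketing request fail the PII check while a fulfilment request still passes, with no change to authorize().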

Cloudentity’s level of dynamic authorization enables policy to evolve in real time, speeds time to market, and ensures consistency across all environments.

At TechVision Research, we see the management and security of Application Programming Interfaces (APIs) as a core strategic competence supporting the evolution of the Digital Enterprise. Proper and consistent resource access and data protection are critical to delivering the API-first experience. Done right, API management and security are a part of a Pragmatic Zero Trust approach to risk management. In the next series of posts, we’ll further define Pragmatic Zero Trust and its impact on digital risk.