Don’t let API risk keep you from API opportunity

Were you one of the hundreds of thousands of people who moved your workouts to the basement with a Peloton in the last 2 years?  Guess what – you probably shared your personal information with the world. Or maybe you had to start using a mobile health app to communicate with your doctor.  Your sensitive data could have been accessed through leaky APIs. Even your LinkedIn account information – name, phone numbers and physical addresses – is now offered for sale on the dark web after a breach in 2021. 

But the common problem with APIs isn’t the APIs 

These security flaws have one thing in common; they all stem from APIs that hadn’t been properly configured, protected and deployed. APIs are a primary point of attack for hackers, and according to an IBM report published in 2021, 2/3 of incidents analyzed involved improperly configured APIs. 

As a zero-trust environment, the cloud has introduced additional risk.  Over half of cloud breaches have occurred due to “Shadow IT.” These are internal unauthorized systems created to solve a specific problem which may not have received standard vulnerability and risk assessments and may not have hardened security protocols. APIs created without centralized supervision and IT management are sometimes called “Shadow APIs.” 

Why APIs are vitally important 

There’s lots of motivation for API-based solutions given how versatile and powerful they can be. Customers are asking for self-service, easier to use tools; APIs are the ideal way to create them since they offer a standard way to access data and services. IT is being asked to scale the business; APIs are optimal for omnichannel solutions that deliver the same services in different technologies, whether mobile, online, or in person. eCommerce, or the ability to conduct business online, has exploded over the last few years with new capabilities like online delivery services. These can easily be replicated in multiple geographies (without replicating the effort) by using APIs. Executives need even more visibility with universal data accessibility for strategic planning. With the right underlying connectors, APIs can expose data from virtually any system, anywhere. 

The right API management platform makes the difference 

But as APIs multiply, you’ll need a way to govern and protect them and the data they expose. Because while the opportunity is significant, the danger is inescapable. 

And if you’re holding off on committing to major API initiatives because of these things, you have lots of company.  API security vendor Salt Security finds that 62% of businesses are actually delaying application rollouts due to API security concerns.  Security may be top of mind, but there are other considerations as well.  For long-term reliability, it’s important to be able to automate the development and deployment of your APIs. To get the value you’re expecting from an API investment, they need to be managed across a life cycle that includes deep engagement with API consumers and visibility into usage. And as your API collection grows, you’ll need governance to ensure consistency and compliance with IT guidance.  Without control and visibility into how APIs are created, secured, published and used in products and solutions, businesses risk losing ground to competitors and may even experience customer churn. 

Regardless of risk, the use of APIs in critical projects is increasing. According to a recent survey of 1,150 IT decision makers, 86% of businesses are using them for digital transformation projects (up 7% vs. 2021), 85% for innovation (+8% vs 2021), and 84% for modernization (+11% vs. 2021).  So why do businesses continue to roll out new API-first solutions? It’s all about their massive potential for business growth and transformation. 

With the right API management solution in place, the upside is significant. webMethods API Management enables you to manage the entire life cycle of planning, designing, developing, securing, monitoring and sharing APIs for developers, partners and customers so you can treat your APIs as the products they have now become.  Our platform comes with support for all authentication standards and advanced user-based security that’s easy to configure visually, and we partner with major API security vendors for cloud-specific API threats. We can fully automate deployments with our “everything-as-an-API” approach for frequent, low-risk releases. You’ll have centralized visibility, management and control not only of your APIs but also microservices and service meshes for cloud-native apps.  There’s rich collaboration for creating a custom community that promotes and markets your APIs. And you’ll be able to track API usage and define plans and packages for multiple API value scenarios. 

Balancing your API strategy 

Here’s the bottom line: When it comes to your API strategy, there are two dangers that can be equally perilous. First, from those who are overzealous. And second, from those who are underzealous. (Is that a word? If not, it is now!) 

The overzealous crowd creates APIs, because they see the opportunity to use them to build new business models etc. And bless the go-getters. But often they take a cavalier, shadow API approach that creates as much risk as it does opportunity. We know that APIs can introduce security concerns – but often it’s these shadow APIs created by ambitious innovators operating outside IT’s oversight, circumventing best practices in the interest of failing fast. 

On the flip side, the underzealous crowd doesn’t create APIs, because they are aware of the risk and know (or at least believe) that doing APIs the right way is hard. The fear of data breaches or lack of control means their default answer is “no,” or at least “not now.” The problem is that this creates an equally perilous risk – of missed opportunity and revenue.  

The good news is that a proper API Management platform can keep up with the aspirations of the overzealous while practicing the pragmatism of the underzealous. Then we can all just be perfectly zealous.