Today's era of computing and technology has evolved into a complex set of internet-based interactions between consumers (clients) and providers (services). In order for businesses and organisations to succeed today, they must take a modern approach to data and information exchange, requiring them to expose business APIs (ie functional services accessible from a network). Each API represents a set of capabilities that can be called and used for some purpose, providing access and integration to services such as mobile services, B2B services, web portals, online banking, retail (on and offline) and virtually every other form of modern information exchange.
From our experience of working with customers all around the world, we have found that the UK understands the need for a modern, secure architecture better than most and has adopted it far more rapidly than other nations, most likely due to its centralised location, high population density and high-profile security drivers.
The UK's geographical location has contributed to its role as a central hub for millions of people to come and go from many different countries via several different methods of transportation. In order to keep track all of these people, the UK is constantly exposing APIs to integrate all of its borders and government agencies. And, because of the sensitive nature of the information being exchanged, the UK places the highest security around these integrations. In addition to the UK's central location, the high population density further helps to foster more social collaboration and sharing of best practices on API security among IT security professionals. This social collaboration has led to increased adoption of what we call the “security-first mindset”.
Now, let's look a little more closely at how the UK achieves its secure and agile IT architecture within this security-first approach. When exposing APIs, organisations must decide how their APIs are exposed. This poses the common dilemma between business efficiency and the security risk of enabling access to an API. The decision that is made here, very early on in the process, has a substantial impact down the road, not only on risk exposure, but also on risk mitigation. All too often businesses approach API exposure with a functionality first, and a security second mindset. As a result, typical API management platforms are primarily designed to provide simplified integration and exposure of APIs, without much thought to the protection of runtime communications. Any company that decides to enable rapid exposure of APIs without considering the security implications will quickly join the ranks of the many other public companies in the news about their latest data breach.
The ability to perform the access control and data security assessment of API information is not provided with traditional security infrastructure components such as firewalls, application firewalls, and intrusion detection systems. To accomplish API role-based and content-based access control, it must be built into each application manually or via a centralised technology that performs these functions. The centralised approach to secure architecture design is accomplished via an API security gateway. API security gateways allow edge-based deployments where the security and identity decisions can all be made at the network edge, rather than at the services themselves (as is typically the case). This removes the need for application coding and agent-based adapters. The special capabilities of an API security gateway enable an agile approach to identity enforcement, access control, and security controls that can be uniformly applied across business APIs.
Many UK businesses and government organisations have already achieved secure architecture design using API gateway technology. As a result of its central location and population density, the UK has a deeper awareness of the need to properly secure its APIs. The APIs it exposes are mission critical and must never be compromised.
As more and more secure and agile deployments are successfully implemented across UK commercial and government entities, the growth trajectory of API security gateways will continue to rapidly expand. Through secure architecture design, the UK will continue to lead the way in API security, enabling organisations to focus on their core business objectives securely.
Contributed by Jason Macy, CTO, Forum Systems
(UK distribution partner, ASM Technologies)