Ask anyone in your enterprise what the most important criterion is in measuring the success of your APIs, and the response will be performance, performance, performance. The planning, design, implementation, publication, operation, and consumption of your APIs are all done with the end game of performance in mind. So where does security fit into that equation? Security has always been an afterthought. Why is that?
The answer is simple: it’s all about latency. Security has historically added an unacceptable level of latency to the transaction. For example, Twitter has billions of API calls per day, hundreds of thousands of calls per second. Twitter is an extreme example, but even small enterprises can have APIs with millions of calls per day. Using a traditional API management system and then trying to secure access to it by adding a Web Application Firewall has proven not to be the answer because it adds unacceptable amounts of latency to the transaction. Fractions of a second times millions and billions doesn’t add up for the enterprise. Also, WAF solutions are relatively dumb: they block requests or they let requests through. They offer no context about the circumstances of the request, which is needed to definitively determine whether the request is legitimate or not.
In the McDonald’s breach and other well-documented data theft incidents, the unprotected API has often proven to be the culprit as the entry point into the enterprise. No access to an API should ever be granted without first knowing the who, what, where, when, why, and how of that request. That is simply impossible to do using traditional API management platforms coupled with Web Application Firewall technology.
At aapi we designed the world’s first API management platform that has enterprise-grade API security built right into the platform.
This not only eliminates the latency issues found in current platforms but also adds a level of protection found nowhere else. aapi facilitates point-and-click configuration of your security policies, allowing you to implement rules-based security that enforces actions based on real-time analytics of every request. aapi also applies the latest machine learning and AI to ensure that we not only offer the most advanced adaptive access controls available today but also always have the most advanced, up-to-the-second recognition of threats and take proactive as well as preventative actions today and tomorrow.
At RSA this year I sat down with John Dasher of ITSP Magazine to discuss API management and security. We discussed how the aapi platform deals with today’s challenges in both producing and consuming APIs and also the challenges in securing APIs. If you have a couple of minutes, the link to the interview is below.