It’s imperative for enterprises to deliver security built into the API channel. It has to protect the whole digital supply chain, end-to-end, from apps to APIs to backend services. In recognition of this, Apigee recently took two decisive steps to extend and strengthen our already strong security expertise and security operations team: we hired Subra Kumaraswamy and Tim Mather.
Enterprises are rapidly adopting APIs, and a majority will use a cloud-based deployment by 2015. With the new "mobile-first" and "API-first" mindset pervading businesses, what does this all mean to information security organizations? How can they enable a business strategy while protecting information exposed to internal and third-party developers via APIs?
A cause of concern when establishing partner and open APIs often lies in the notion of exposing corporate data to an ecosystem of developers outside the enterprise. But the risks that crop up from not building a digital products portfolio are significant.
With media reports of hacking incidents, stolen credit card numbers, and identity theft, consumers are understandably concerned about information security. We want absolute assurance from businesses that our credit card numbers and other personal information are secure. The Payment Card Industry Data Security Standard (PCI DSS) defines the standard for securing cardholder data, wherever it is located. Apigee recently completed an annual audit and PCI recertification verifying that we continue to meet the credit card industry's requirements for information security.
The question of whether OAuth is an effective mechanism for securing back-end resources comes up from time to time. Recently, an API developer asked whether OAuth is the right solution to secure an API that he plans to make available for mobile app development. These are all great questions to ask as you consider opening up your API. My take is as follows: if you are working on an API that will be used by third-party developers, then there is no magic bullet that will prevent developers from using your API in bad ways. However, I think that OAuth 2.0 helps you reduce the risk.
As enterprises adjust to the new reality of business having moved beyond their core and legacy systems of record - to millions of mobile devices and social networks at the edge of the enterprise, and to new distribution channels in the shape of apps, which are often built by third-party or partner developers - the question of end-user privacy becomes increasingly important. As the app economy matures, its participants will have to move quickly from self-governance to establishing standards, or even regulation, to address end-user privacy expectations.
Who is responsible for security and privacy when...
Thanks to all for your interest and participation in our OAuth 2.0: Don't Throw the Baby Out with the Bathwater Webcast on August 2nd. You'll find the video and slides here. There were several questions that we didn't get a chance to address in the hour so we'll follow up on them here. And we'd love to continue the conversation over on the API Craft Google group.