Applying Access Management to Your API Strategy


As organizations participate more deeply in the growing API economy, they run the risk of taking a siloed approach to securing their APIs. Micro Focus Access Manager enables organizations to build a security layer around their most important and vulnerable digital assets.

The move to microservices

The term microservices denotes environments where applications are pulled together from granular software services and components, each of which supports a specific business goal. The momentum toward services has been building for years, but today it is in full gear. The business result has been dubbed “the API economy.” Microservices allow developers to eliminate several inefficiencies in the development cycle. In addition to the multiple technical advantages this new paradigm of development offers, at a higher level microservices allow businesses to move away from monolithic applications and the complex scheduling required to coordinate updates, and move toward interdependent components that allow these businesses to more quickly deliver services that function reliably.

The API economy

For those who are unfamiliar with computer programming, an API (short for application programming interface) allows different software components to communicate and share data with each other according to a set of clearly defined methods of communication. It’s from this foundation that the different components of monolithic applications are built, as well as the intercommunication between applications and systems. For example, APIs allow partners to communicate and share information across a variety of systems and databases.

The API economy, then, is fueled by the business value gained by sharing application programming interfaces where the APIs enable an organization to quickly offer new services to its employees or external users (partners and consumers). So, how is this value being realized? Information and processes contained in microservices are delivered via APIs, allowing for faster development, consumption and especially synergies with other microservices. The number of public APIs doubled within an 18-month period leading up to 2015 and, since then, that number has grown from 10,000 to as many as 50,000 today.


Digital transformation is good news for the consumer

As mentioned in the previous section, the growth of the API economy is being fed by a list of business advantages that are not just internal but also outward-facing. Take for example government and utility agencies that have applied digital transformation to their record-keeping and storage. This infrastructure of services allows homeowners to receive and pay their household bills online. It’s not only fast and convenient, but they can access their records at any time via a simple online search. This increased efficiency is driven by the fact that organizations are developing their services faster with higher reliability, and the ability for consumers or partners to consume them is dramatically enhanced as well: information flow is expanded, paperwork is decreased, and overhead costs fall.

New opportunity for criminals

As this new model of access and integration kicks into full gear, you will see large-scale mashups leveraging the power of hundreds of APIs as they are used to connect and share data across microsystems of all shapes and sizes. These silicon-based interactions are commonly occurring beyond protected intranets over publicly available cloud-based resources, which leads to Gartner’s intuitive prediction that “by 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise web applications.”

As APIs continue their expansion throughout mission-critical business processes, securing them has become paramount, which raises the question: what type of security is best suited to protect them against outsiders? As organizations evaluate this question, there is a compelling argument that microservices merit the same level of security that organizations have implemented for users. For users, organizations have commonly relied on more than granted access rights for access control, often evaluating the context of each request (location, device, time, etc.) and imposing strong authentication method(s) as needed. As the use and exploitation of microservices continue to grow, they merit that same level of access management.

Securing your APIs with Access Manager 

With today’s focus on beefing up the security of the APIs themselves, you may wonder what added benefit you would get from using Micro Focus Access Manager. The answer is that Access Manager offers many of the same delivery and security services for APIs as it does for user-based systems. In short, the quickest way to encapsulate APIs that need an added layer of security is through Access Manager’s gateway. Inserting the gateway allows the API to gain any of the security inherent to Access Manager:

  • Minimize vulnerabilities by consolidating access to APIs, reducing the attack surface for all protected services
  • Enforce centralized, policy-based access control
  • Provide up-to-date TLS capabilities
  • Accelerate performance by caching frequently accessed content
  • Centralize logging, monitoring, and analytics for quicker detection and forensic analysis of nefarious access
  • Provide integration with Identity Server for services that don’t have the ability to do so directly on their own

In their annual breach report, Verizon verifies that the greatest risk to the security of microservices spans far beyond hacking a specific API vulnerability, and that the most common breaches occur through masquerading as an authorized request or unduly exposing a service as a result of uneven access policies. Micro Focus Fortify and Micro Focus Access Manager allow organizations to secure their microservices at both levels.
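The context-aware, centrally enforced access decision described above can be sketched as a single gateway-side function. This is an added example, not Micro Focus Access Manager code or configuration; the policy table, routes, scopes and address ranges are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    scopes: frozenset      # scopes the caller's token must carry
    networks: tuple        # CIDR ranges calls normally come from
    hours: tuple           # (start, end) of the normal calling window, UTC

@dataclass(frozen=True)
class Call:
    method: str
    path: str
    scopes: frozenset
    source_ip: str
    at: time
    strong_auth: bool      # True if the caller presented a stronger credential

# Constructed central policy table, keyed by (method, path prefix).
POLICIES = {
    ("GET", "/billing/"): Policy(frozenset({"billing.read"}),
                                 ("10.0.0.0/8",), (time(6), time(22))),
    ("POST", "/billing/pay"): Policy(frozenset({"billing.pay"}),
                                     ("10.20.0.0/16",), (time(6), time(22))),
}

def decide(call: Call) -> tuple:
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    matches = [(m, p) for (m, p) in POLICIES
               if m == call.method and call.path.startswith(p)]
    if not matches:
        # Default deny: a route nobody wrote a policy for is never exposed.
        return ("deny", "no policy for route")
    # The most specific (longest) matching prefix wins.
    policy = POLICIES[max(matches, key=lambda k: len(k[1]))]
    if not policy.scopes <= call.scopes:
        return ("deny", "missing scope")
    addr = ip_address(call.source_ip)
    in_network = any(addr in ip_network(n) for n in policy.networks)
    in_hours = policy.hours[0] <= call.at <= policy.hours[1]
    if (in_network and in_hours) or call.strong_auth:
        return ("allow", "ok")
    # Valid token in an unusual context: ask for stronger authentication.
    return ("step_up", "unusual network" if not in_network else "unusual time")
```

Returning the reason alongside the decision gives the centralized log one consistent record per API call, whichever backend service the call was for.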

