
Why combining API protections with identity access controls makes companies more secure

Today’s columnist, Topher Marie of Strata Identity, writes that security teams need to combine API protections with a solid identity management solution like Microsoft’s Active Directory. (Photo by Tim Heitman/Getty Images)

Few recent advances have had as big an impact on computing as application programming interfaces (APIs). Although they may not be as sexy and exciting as other disruptive technologies like smartphones or clouds, these interfaces, defined sets of rules by which one application calls another, are the glue that holds modern business frameworks together.

Today, APIs connect a disparate array of systems, devices, and applications. They make it possible for organizations to connect and share functionality across vendors and outward to a supply chain. Yet the growing complexity of these environments also introduces identity challenges. It is critical to know that APIs are secure and that only callers authorized for a given operation can invoke it.

It's no simple task. Simple credentials such as passwords and static API keys lack the level of protection required for today's interconnected world. In addition, many tools cannot enforce per-operation authorization, or they simply don't work across groups of APIs. These shortcomings have real-world repercussions: once a caller has authenticated to an API, there is often no further check, and they can invoke any operation the API exposes.

All of this points to a need for more sophisticated API identity management, one that can manage and control APIs and the risks they introduce when organizations rely on a mix of vendors and technologies. When businesses have the right strategy and technology in place, it's possible to construct a foundation for secure API interactions inside the business and beyond.

Make connections count

No one doubts the value of APIs. They have emerged as an indispensable tool for businesses of all shapes and sizes. Yet, as they accumulate, challenges and problems multiply. Organizations often wind up with a mélange of legacy, homegrown, and modern APIs that rely on different authentication protocols. Not surprisingly, the security standards they use vary greatly.

It's also important to recognize that APIs are fundamentally different from user-facing software applications. In addition to speaking different protocols, they're widely distributed across computing environments and ecosystems. Unlike many other tools, they aren't a centrally managed set-and-forget proposition. In fact, the endpoints themselves and the client code that calls them can be extraordinarily difficult to track and control.

Managing dozens or even hundreds of APIs has become a daunting challenge. As a result, organizations often find it necessary to juggle multiple tools and techniques in pursuit of strong and effective API authentication. What’s more, as businesses expand APIs into multi-cloud frameworks, the task of managing and mapping everything can spiral out of control. The process can become time-consuming and error-prone while delivering subpar protection.

Orchestration can address this problem by mapping identities across APIs and acting as a de facto translator between different standards and protocols. For instance, if the system detects a modern REST API, it might front it with OpenID Connect (OIDC), which layers authentication on top of OAuth 2.0 and hands the API a bearer token. If it encounters a legacy API that relies on Simple Object Access Protocol (SOAP) messaging, the system can determine what that endpoint is actually able to consume and apply matching authentication controls, such as an OAuth 2.0 access token where the endpoint supports one.

The benefits of this approach extend to organizations using modern APIs. Vendors rely on different protocols and mechanisms when they build APIs. Some issue their own opaque tokens, while others accept OIDC or OAuth 2.0 tokens from a central provider. The common denominator: all these APIs must stay visible and manageable. The task can become even more difficult when organizations use different vendors or tools for identity management, such as Active Directory, Okta, and Google.

Yet, with identity orchestration in place, it’s possible to establish fine-grained access controls. A systems administrator can view groups and specific users, manage layers of access, and make adjustments or wholesale changes on the fly. There’s no rewriting code and no endless tinkering with access controls and other settings.
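The three steps the column describes, authenticating the caller once, authorizing each operation rather than treating a successful login as blanket access, and translating the caller's identity into whatever each downstream API understands, can be seen working together in a small gateway. The following Python is an added illustration written for this page; it is not Strata's product or code from the column. To run offline it verifies HS256 tokens with a constructed shared key (a real gateway verifies the provider's RS256/ES256 tokens with public keys fetched from its JWKS endpoint), and the issuer URL, policy table, backend table, and the Basic-auth service account used for the legacy SOAP backend are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo keys. A real gateway verifies the provider's RS256/ES256 tokens with
# public keys fetched from its JWKS endpoint; HS256 keeps this example runnable offline.
IDP_KEY = b"constructed-idp-key-not-for-production"
GATEWAY_KEY = b"constructed-gateway-key-not-for-production"
ISSUER = "https://idp.example.test"   # constructed issuer URL
GATEWAY_AUD = "api-gateway"           # audience the IdP puts in tokens meant for us

# Fine-grained policy (constructed): (method, path prefix) -> groups allowed to call it.
POLICY = {
    ("GET", "/orders"): {"sales", "finance"},
    ("POST", "/orders"): {"sales"},
    ("GET", "/ledger"): {"finance"},
}

# Credential style each backend understands (constructed): a modern REST service that
# takes bearer tokens, and a legacy SOAP service that only knows a Basic-auth account.
BACKENDS = {
    "/orders": {"kind": "rest-oidc", "aud": "orders-api"},
    "/ledger": {"kind": "soap-basic", "account": ("ledger-svc", "constructed-secret")},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = IDP_KEY) -> str:
    """Issue an HS256 JWT (builds the sample input and the gateway's downstream tokens)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Authentication: signature, algorithm allow-list, issuer, audience and expiry."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(_unb64url(head)).get("alg")
        claims = json.loads(_unb64url(body))  # decoded here, trusted only after the check below
        sig_bytes = _unb64url(sig)
    except ValueError:
        raise PermissionError("malformed token") from None
    if alg != "HS256":  # allow-list the algorithm; never trust what the token says
        raise PermissionError("algorithm not allowed")
    expected = hmac.new(IDP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        raise PermissionError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != GATEWAY_AUD:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def authorize(claims: dict, method: str, path: str) -> bool:
    """Authorization: default deny. A valid login by itself grants no operation."""
    for (m, prefix), allowed in POLICY.items():
        if m == method and path.startswith(prefix):
            return bool(set(claims.get("groups", [])) & allowed)
    return False


def downstream_headers(claims: dict, path: str, now=None) -> dict:
    """Translation: present each backend the credential form it actually understands."""
    now = time.time() if now is None else now
    backend = next(cfg for prefix, cfg in BACKENDS.items() if path.startswith(prefix))
    if backend["kind"] == "rest-oidc":
        # Re-issue a short-lived token bound to the backend's own audience, so the
        # caller's gateway token is never forwarded and cannot be replayed elsewhere.
        internal = {"iss": "api-gateway", "aud": backend["aud"], "sub": claims["sub"],
                    "groups": claims.get("groups", []), "exp": int(now) + 60}
        return {"Authorization": "Bearer " + mint_token(internal, GATEWAY_KEY)}
    user, secret = backend["account"]
    basic = base64.b64encode(f"{user}:{secret}".encode()).decode()
    # The legacy service only knows one service account; carry the real caller alongside
    # so its audit trail is not reduced to a single shared identity.
    return {"Authorization": "Basic " + basic, "X-On-Behalf-Of": claims["sub"]}


def handle(token: str, method: str, path: str, now=None):
    """Gateway pipeline: returns (HTTP status, headers to send to the backend)."""
    try:
        claims = verify_token(token, now)
    except PermissionError as err:
        return 401, {"WWW-Authenticate": f'Bearer error="{err}"'}
    if not authorize(claims, method, path):
        return 403, {}
    return 200, downstream_headers(claims, path, now)


if __name__ == "__main__":
    now = time.time()
    alice = mint_token({"iss": ISSUER, "aud": GATEWAY_AUD, "sub": "alice",
                        "groups": ["sales"], "exp": int(now) + 300})
    for method, path in [("GET", "/orders/42"), ("POST", "/orders"), ("GET", "/ledger/2024")]:
        print(method, path, "->", handle(alice, method, path, now))
```

Two design points are worth noting. Authentication and authorization are separate functions with separate failure codes (401 versus 403), so a caller who logs in but lacks a group for an operation is refused rather than waved through, which is the failure mode the column warns about. And the token the gateway hands to the REST backend carries that backend's own audience and is signed with the gateway's key, so neither it nor the caller's original token is usable against any other service; the legacy SOAP backend gets the one credential it understands plus the caller's identity as a separate header for auditing.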

In this more evolved setup, it's also possible to use push notifications on smartphones to authenticate crucial API calls, and to set up and shut down machine accounts in a quick and seamless way. Along the way, it's also possible to harden weak API access controls through multi-factor authentication (MFA) or more advanced passwordless approaches. The result is a much smaller risk of an employee, or someone outside the organization, viewing or accessing sensitive or private information through an API.

Put identity to work

Combining API protections with overall identity access management has become a crucial step forward. Using higher-level orchestration makes it possible to gain the level of insight and control required in today's multi-cloud and borderless computing world. The fact that legacy APIs exist and persist fades into the background. Suddenly, it's possible to map an API environment and push out appropriate identity authorizations, regardless of the number of applications or identity stores.

It's a recipe for success. In the end, an organization establishes a more flexible, scalable, and manageable way to secure API identity information and authentication requirements. The burden of juggling multiple authentication methods moves out of each application and into the orchestration layer. Now it's possible to mix and match identity tools from different vendors. The orchestration layer serves as the traffic cop: it ensures that authentication controls are in place and that they can happen in whatever way works best for each API.

Topher Marie, chief technology officer, Strata Identity 
