Are Security and Disruption Natural Enemies?
Disruption and innovation are typically built on the back of a digital transformation strategy. Disrupting a market is all about finding new ways of servicing customers through innovative channels or approaches. This almost always involves some form of digital transformation, even if it’s only modernizing existing systems to provide a better or different customer experience. For most companies today, APIs have become the foundation of disruption, innovation, and digital transformation.
Fair enough, but why does that make security and disruption natural enemies? Consider for a minute what an API is. It’s a mechanism for programmatically exposing access to data or transactional capabilities. When APIs are used in a truly transformational role, this access will almost always be provided directly to partners and customers, and so will be exposed outside the enterprise. This means that, all of a sudden, companies have created mechanisms that allow external entities easy access to their most valuable assets. You can bet their security folks don’t like this. In fact, the risks inherent in external APIs have come home to roost a few times already. You may recall the T-Mobile data breach last summer, in which data on two million users’ accounts leaked out via the company’s API.
What all this means is that security people will resist disruptive, innovative transformation initiatives, and innovative organizations might (unwisely) try to make end runs around their security teams. The right solution, of course, is for the business to understand the importance of security and risk management, and for the security teams to understand that they must be agile and cannot block progress. Sounds difficult, right? Fortunately, we’ve published a handy white paper that talks about the various challenges and the best way to address them.
The paper helps you understand the necessary components of a well-constructed API security strategy. It takes you through an API strategy assessment, discussing the various attack vectors that could potentially make your API vulnerable. It then looks at the risk-mitigation architecture strategies that API providers and microservices mesh builders can put in place to prevent unauthorized data access, loss of data integrity, or degradation of the quality of service.