APIs are more important than ever in these challenging times where everything is being operated remotely. APIs make it easy to provide access to information and keep businesses running smoothly. They can also create new challenges and risks if they are not properly managed.
First, security is paramount: only those who are allowed to access specific information should truly be able to access it, and malicious users must be prevented from doing harm to your API environment. To stop malicious users, it’s critical to have proper threat detection in place that prevents them from exploiting vulnerabilities such as code injection, denial-of-service, and the many other types of attacks that insecure APIs may expose. A hardened access point into the API layer is key, and catching these types of attacks up front prevents them from wreaking havoc on your overall API infrastructure. This approach also lets the organization present a uniform and consistent security posture that takes the burden off individual API teams, allowing them to focus on the business needs of the API without having to become security experts.
It’s also critical to ensure proper authentication and authorization are configured and enforced, so that the API requester is not only who they say they are (authentication) but also has permission to access the resources they are attempting to connect with (authorization). Having a solution in place that provides fine-grained access control is key: applications should be restricted to a pre-defined, whitelisted set of APIs (or a subset of resources within an API) so that an application cannot gain access to unintended data. Using strong authorization mechanisms such as OAuth and OpenID also helps protect individual users by letting them control and explicitly grant access only to the specific data that an application requires.
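To make the two layers above concrete (an application-level allowlist of APIs and resources, plus the scopes a user explicitly granted at OAuth consent), here is an added Python example written for this post, not code from any product; the application, user, scope and resource names are constructed sample data, and token validation is assumed to have already happened upstream.

```python
from dataclasses import dataclass

# Constructed sample policy: each registered application may call only a
# pre-defined allowlist of APIs and, within each API, only certain resources.
APP_ALLOWLIST = {
    "mobile-banking": {"accounts": {"/balance", "/transactions"}},
    "marketing-dashboard": {"accounts": {"/balance"}, "campaigns": {"/stats"}},
}

# Scope each resource requires (constructed); resources missing here are denied.
REQUIRED_SCOPE = {
    ("accounts", "/balance"): "accounts:read",
    ("accounts", "/transactions"): "accounts:read",
    ("campaigns", "/stats"): "campaigns:read",
}

# Scopes each user explicitly granted to each application at OAuth consent
# (constructed). Alice never consented to the marketing dashboard at all.
USER_CONSENT = {
    "alice": {"mobile-banking": {"accounts:read"}},
}


@dataclass(frozen=True)
class Request:
    app_id: str        # client identity established by the gateway
    user: str          # subject of the bearer token
    api: str
    resource: str
    authenticated: bool = True  # result of token validation upstream (assumed)


def authorize(req: Request) -> str:
    """Deny-by-default decision; returns 'allow' or 'deny:<reason>'."""
    if not req.authenticated:
        return "deny:unauthenticated"
    # Layer 1: is this application allowed to reach this API and resource?
    allowed_apis = APP_ALLOWLIST.get(req.app_id)
    if allowed_apis is None:
        return "deny:app-not-registered"
    if req.api not in allowed_apis:
        return "deny:api-not-allowed"
    if req.resource not in allowed_apis[req.api]:
        return "deny:resource-not-allowed"
    # Layer 2: did the user grant this application the scope the resource needs?
    needed = REQUIRED_SCOPE.get((req.api, req.resource))
    granted = USER_CONSENT.get(req.user, {}).get(req.app_id, set())
    if needed is None or needed not in granted:
        return "deny:scope-not-granted"
    return "allow"
```

Note that the marketing dashboard is allowed to call the balance resource in layer 1 yet is still denied for Alice in layer 2, because she never granted it any scope.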
The ability to quickly scale is more important than ever. In a very short time, we’ve seen a number of organizations experiencing “Black Friday”-like traffic on a consistent basis as more and more business is performed via APIs. Historically, these types of increases were predictable, and organizations were able to plan ahead to scale up for pre-defined periods of time. The current levels of API usage have been unprecedented for many organizations, and those that have been able to scale up new infrastructure very quickly have been able to continue to meet the business demands without disruption. Having a proven and dynamically scalable API infrastructure is key to preventing disruption and quickly adapting to ever-changing levels of API demand.
The ability to analyze and monitor API traffic helps to ensure your business is operating as expected and offers visibility into trends that provide the feedback necessary to see how the APIs are being used. There are two key approaches to monitoring, and both are equally important to avoid surprises in the health and use of your APIs. The first and more traditional approach is based on internal monitoring. Internal monitoring typically involves capturing key metrics such as memory, disk space, CPU, and service metrics from within the API layer. These metrics can be gathered, and monitoring solutions can analyze the data to detect and alert on issues or patterns. Pattern analysis can help identify unhealthy or problematic APIs. These internal monitoring solutions can also aid in identifying the source of a problem when APIs are distributed across multiple components within your infrastructure, which can greatly speed up resolution. The other approach is to use external solutions that take an “outside-in” approach. This approach allows you to gain insight into what applications are experiencing as they make calls to your APIs. These types of solutions essentially act as an application calling the APIs and can record information such as latency, error codes, and expected payloads. This information can then be analyzed to provide reports and alerts on conditions that may indicate a problem with the API. These solutions typically provide monitoring from a number of geographic locations and can offer insights into potential issues that internal monitoring alone cannot provide.
If you’d like to learn more about the topics I introduced above, please see the following posts from some of my colleagues here: