Governance and cybersecurity of the affected APIs

[PARTNER CONTENT] Far more than a pure IT problem, APIs are the gateway through which businesses enter the platform economy. Getting this entry right is crucial for the future and imposes certain conditions. Axway and French CIOs analyze the constraints and the conditions for the success of an API strategy.

A pioneer in creating ecosystems through interbank activities, publisher Axway is now positioned on API governance systems. During the morning session organized by Frédéric Simottel, editor-in-chief of 01 Business, Emmanuel Méthivier, Catalyst at Axway, highlighted the recent emergence of business problems in the world of APIs: “Until recently, the API was a highly technical topic, a problem of integration and operational optimization of the information system. Since then, regulations have forced companies to open up their information systems to create ecosystems. Today, the API has established itself as a new distribution channel. This new business brings new constraints in terms of security, governance and coordination. This is the price to pay to gain a foothold in the platform economy and offer one’s services on what are now called ‘Digital Service Marketplaces’.”

Key witness of the Axway roundtable, Alexandre Streicher, Deputy Director of the AIFE (Agency for State Financial Computing), a division of the Ministry of Economy, Finance and Industrial and Digital Sovereignty, is responsible for electronic invoicing solutions, the dematerialization of public procurement, as well as exchange and API management systems. “The AIFE maintains a long-term partnership with Axway on various technology bricks. From 2016, we built an electronic invoicing system for all suppliers of public entities. This system offers various exchange formats, including APIs. We understood very quickly that we needed to industrialize our API management and implement a dedicated platform called PISTE [acronym of Plateforme d’Intermédiation des Services pour la Transformation de l’Etat]. It was designed to accommodate the volume of electronic invoice flows, with 70 million invoices processed in 2021, but also to meet the other needs arising from the solutions implemented by the AIFE or by other entities.”

Cybersecurity, the fundamental prerequisite for an API strategy

The recent attacks on Facebook or Equifax have shown that API security is a very real problem. The German employment agency is now facing 5 million attacks per day on its APIs! The intensity of the threat should prompt companies to organize accordingly. Eric Horesnyi, EMEA Sales Manager for Axway’s API management offering, Amplify, highlighted some best practices to follow: “One of the best practices in place to address cyber risks is the implementation of an API Gateway to filter access. The rule is to move to the ‘Zero Trust’ approach: apply the same rules to internal APIs as to APIs exposed to the outside. A third measure to be applied is to implement ‘Security by Design’, i.e. integrating security from the writing of the API specifications.”

For the CIOs present at the round table, the human aspect of cybersecurity should not be neglected alongside this technical issue: “Developers, but also Citizen Developers, those business users who use Low-Code/No-Code solutions, should be well aware of the security issues related to APIs. Companies should provide training and education about the dangers of API attacks.” The use of PenTesting campaigns by ethical hackers is a recommended practice for the most critical flows.

Technically, in addition to gateways, CIOs are in favor of setting up sandboxes (sandboxing) to test the APIs, as well as deploying additional tools such as WAFs to properly segment the information system and partition North/South and East/West data flows. Granting access is a governance issue that must be handled by a committee of experts who manage access to the APIs from the outside.
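The Zero Trust rule stated above (the same access rule for internal APIs as for externally exposed ones) and the North/South versus East/West distinction can be shown in a minimal gateway policy check. This is an added illustration, not Axway or AIFE code; the network ranges, signing key and token format are constructed for the demo, and `perimeter_trust=True` reproduces the weak setting in which internal callers are waved through unauthenticated.

```python
import base64, hashlib, hmac, json, time
from ipaddress import ip_address, ip_network

# Constructed demo values: a real gateway loads these from its key store / config.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SIGNING_KEY = b"constructed-demo-key-not-for-production"

def mint_token(subject, scopes, ttl=300, now=None):
    """Issue a minimal HMAC-signed bearer token ("payload.sig") for the demo."""
    now = now if now is not None else int(time.time())
    payload = json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = now if now is not None else int(time.time())
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):   # missing token or malformed shape
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > now else None

def classify_flow(src_ip):
    """North/South crosses the perimeter; East/West runs between internal services."""
    addr = ip_address(src_ip)
    return "east-west" if any(addr in net for net in INTERNAL_NETS) else "north-south"

def gateway_decision(src_ip, token, required_scope, perimeter_trust=False, now=None):
    """Decide whether the gateway forwards the call.
    perimeter_trust=True is the weak, pre-Zero-Trust setting: east-west callers
    skip authentication. False applies one rule to every flow (Zero Trust)."""
    flow = classify_flow(src_ip)
    if perimeter_trust and flow == "east-west":
        return {"allowed": True, "flow": flow, "reason": "implicit trust in internal network"}
    claims = verify_token(token, now)
    if claims is None:
        return {"allowed": False, "flow": flow, "reason": "missing, forged or expired token"}
    if required_scope not in claims["scopes"]:
        return {"allowed": False, "flow": flow, "reason": f"scope {required_scope} not granted"}
    return {"allowed": True, "flow": flow, "reason": f"authorized as {claims['sub']}"}
```

Every denial carries the flow class and a reason, which is what a gateway would log for detection; the same unauthenticated internal call is allowed only under the weak setting.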

Governance, the necessary framework for the success of an API strategy

This governance issue arises very quickly in all API implementation projects. Emmanuel Méthivier, Catalyst at Axway, distinguishes three dimensions in the role of API governance: “APIs are growing exponentially in enterprises. To avoid the risk of having to manage an ‘IT SICOB’, they must carefully catalog their APIs. It is essential to have a control tower to manage all these aspects, with a unified catalog to maintain control over the information system. Governance is also an organization.”

Several CIOs are still in the API identification phase and have not yet implemented a governance structure. This is work that can take several years. One has set up a committee of architects to catalog its APIs; another stresses the predominant role of the business: “What drives governance for us is business! The board must support the business lines and the growth of the company. Calling APIs is a convenience. We don’t have to reinvent the wheel: we have to rely on standards and systems that control and monitor APIs. By relying on platforms dedicated to this, it is possible to focus on the ‘core business’ and grow faster.” CIOs emphasized the importance of a central point, a service registry where all API-related data should be centralized.

Recipes for Boosting API Adoption

As such, an API should be considered a product. The company must adopt a strategy to make it a success with developers and future users. For Eric Horesnyi, adoption should be goal #1, because an API is now part of the company’s business: “APIs not only enable the delivery of new customer experiences, but they also represent potential new revenue streams for businesses.” For CIOs, the success of an API project depends on a triptych: the technical side, with a good-quality API; a reporting component to ensure that the API is used correctly; and finally internal communication over time, so that the processes around the API can be continuously managed and improved.

CIOs have pointed out that while the API economy is a new phenomenon, every company already has a huge choice of APIs: “You must be able to communicate about your APIs and convince the potential user to choose your APIs.” One of the selection criteria is quality, but also durability. An API that is no longer maintained by its publisher incurs a cost for the user, who will have to choose another solution. API maintenance costs are often overlooked when starting a project, which carries the risk of overruns beyond the original budget.

CIOs closed the session by emphasizing: “APIs are an asset for a company, a way to develop through new services: today’s top management should be fully involved in this approach, seeing APIs as a lever for their commercial policies and in conquering new markets.”

This content was produced with AXWAY. The editors of BFMBUSINESS did not participate in the production of this content.
