CIO Influence

Securing the API Economy In 2022


The world is still moving towards fully digitized business models, and as technology develops, key trends are emerging. One dominant trend is the shift in software development methodologies towards Application Programming Interfaces (APIs). APIs are now pivotal to the digital experience: they are the web’s infrastructure economy, the hidden third party that helps businesses meet customers’ needs and deliver services seamlessly. You do not need to be a software developer to understand how APIs will continue to shape digital transformation and business revenue for years to come.


SaaS opened the eyes of many businesses by demonstrating that IT systems did not need to be proprietary. Now APIs have demonstrated how sharing data and services with third parties can revolutionize business practice.

Future-facing organizations can benefit enormously from APIs. Software developers can use them to innovate at speed in a user-centric way while also providing access to valuable user data, continuing to support business development goals. While APIs present ample opportunity for growth, managing user data creates an increased responsibility to ensure the safety of API-enabled transactions, and to ensure that data breaches are not made easier by the presence of APIs in an app’s software architecture. We can only do that with banking-grade security infrastructure that significantly reduces the attack surface available to cybercriminals.

Implementing Banking-Grade Standards

Regulations introduced in Europe, such as PSD2, exist to improve and secure electronic payment services, creating an innovative and secure market. Under PSD2, banks and payment institutions are now required to open up to third parties, resulting in the API-supported Open Banking landscape we see today. Open Banking also allows organizations to modernize their offerings for users while creating a competitive advantage. Security is clearly central to Open Banking: financial-grade security means meeting high security standards that require the implementation of specific technology.

User authentication is key to the level of security necessary for Open Banking.

Applications are required to provide strong confidence in customers’ identities and intentions. Strong Customer Authentication and Customer Consent are key elements of implementing this.


The exact meaning of Strong Customer Authentication is domain-specific and commonly translates to an accredited multi-factor authentication method. Customer Consent is also context-specific. In some use cases it is sufficient for the customer simply to confirm a certain action, as a double-check, giving a “generic consent”, whereas in other cases stronger confidence in the customer’s intention is required; there, the customer must provide a signature, in technical terms, when confirming the action. These levels of authentication and confirmation are crucial to complying with the banking-grade standards that are necessary to protect APIs.

The good news is that existing standards such as OAuth and OpenID Connect now combine with the Financial-grade API (FAPI) security and privacy protocols to support Open Banking use cases. Their “scopes” and “claims” token system allows IT systems to precisely control the degree and nature of access to personal information, solving the challenges mentioned earlier on top of another common API flaw: excessive data exposure.

(In organizations with complex hierarchies, the improper assignment of permissions among different user groups can be avoided with scopes and claims baked into the system.) The usefulness of OAuth and OpenID Connect in addressing data security issues can be boiled down to three techniques: acquiring explicit consent; Pairwise Pseudonymous Identifiers (an unguessable user ID with no overt association with the actual user’s details); and Phantom Tokens, where an API gateway mediates the issuance of an opaque token, that is, an access token related, but untraceable, to the source that holds the user’s personal data.

Take the Necessary Precautions

Where the API economy is concerned, following the right strategies will help companies get the most out of the rewards while minimizing the risks. Installing an API gateway centralizes traffic features, enabling better control of requests that affect both security and business concerns. A dedicated OAuth server that issues tokens is more secure than tokens issued at multiple points across the system. Combining opaque tokens with JSON Web Tokens optimizes safety and convenience if your system communicates with both internal and third-party clients. Scopes and claims allow for coarse-grained and fine-grained access control, respectively: scopes define application-level access, while claims enable fine-grained user authorization.

Using HTTPS for all API traffic — even internally — is an absolute must-have today.

JWT validation, standardized across the system instead of differentiated across various endpoints, is also recommended, as is JSON Web Key Sets (JWKS) for key distribution.
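The pieces recommended above fit together as follows: a dedicated OAuth server issues opaque tokens to outside clients, the API gateway exchanges each opaque token for a JWT whose subject is a Pairwise Pseudonymous Identifier (the Phantom Token pattern), and every internal endpoint calls one shared validation routine that looks the signing key up in a JWKS and then checks scopes (coarse-grained) and claims (fine-grained). The code below is an added example written for this article, not the author’s or any vendor’s code. Its assumptions are labelled in the comments: the introspection endpoint is stood in for by a dictionary, the issuer URL, audience, client and user identifiers are constructed, and the JWKS holds a symmetric `oct` key so the file runs offline, whereas production deployments normally publish asymmetric RS256 or ES256 public keys.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# ---- constructed constants (assumptions for this example, not values from the article) ----
ISSUER = "https://oauth.example.internal"   # the dedicated OAuth server
API_AUDIENCE = "accounts-api"               # the internal API sitting behind the gateway
ALLOWED_ALGS = {"HS256"}                    # allow-list: 'none' and unexpected algs are rejected
PPID_SECRET = secrets.token_bytes(32)       # known only to the OAuth server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# JWKS published by the OAuth server. A symmetric 'oct' key keeps this file
# offline-runnable; production normally publishes RS256/ES256 public keys here.
JWKS = {"keys": [{"kty": "oct", "kid": "gw-2022-01", "alg": "HS256",
                  "k": b64url(secrets.token_bytes(32))}]}

# Stand-in for an RFC 7662 introspection endpoint: opaque token -> grant record (constructed).
OPAQUE_TOKEN_STORE = {
    "opq-constructed-1": {"active": True, "sub": "user-1042", "client_id": "fintech-app",
                          "scope": "accounts:read payments:write",
                          "exp": int(time.time()) + 900},
}

def pairwise_pseudonymous_id(user_id: str, sector: str) -> str:
    # Same user, different unguessable 'sub' per client sector, so relying parties cannot correlate it.
    mac = hmac.new(PPID_SECRET, f"{sector}|{user_id}".encode(), hashlib.sha256).digest()
    return b64url(mac)

def sign_jwt(claims: dict, jwk: dict) -> str:
    header = {"alg": jwk["alg"], "typ": "JWT", "kid": jwk["kid"]}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def introspect(opaque_token: str) -> Optional[dict]:
    rec = OPAQUE_TOKEN_STORE.get(opaque_token)
    if rec is None or not rec["active"] or rec["exp"] <= time.time():
        return None
    return rec

def gateway_exchange(opaque_token: str) -> Optional[str]:
    # Phantom Token: outside clients only ever hold the opaque token; the gateway
    # swaps it for a short-lived JWT whose 'sub' is the pairwise pseudonymous id.
    rec = introspect(opaque_token)
    if rec is None:
        return None
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": API_AUDIENCE,
              "sub": pairwise_pseudonymous_id(rec["sub"], rec["client_id"]),
              "client_id": rec["client_id"], "scope": rec["scope"],
              "iat": now, "exp": min(rec["exp"], now + 300)}
    return sign_jwt(claims, JWKS["keys"][0])

class TokenError(Exception):
    pass

def validate_jwt(token: str, jwks: dict, audience: str, now: Optional[float] = None) -> dict:
    # The single routine every endpoint calls: alg allow-list, kid lookup in the
    # key set, constant-time signature check, then exp/nbf/iss/aud.
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError(f"disallowed alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key["alg"] != header["alg"]:
        raise TokenError("unknown kid or alg/key mismatch")
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("nbf", 0) > now:
        raise TokenError("not yet valid")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims

def authorize(claims: dict, required_scope: str, owner_ppid: str) -> bool:
    # Coarse-grained: the client was granted the scope. Fine-grained: the subject
    # claim identifies the owner of the specific resource being requested.
    return required_scope in claims.get("scope", "").split() and claims.get("sub") == owner_ppid
```

A request from outside carries only `opq-constructed-1`; `gateway_exchange` turns it into the JWT the internal `accounts-api` sees, `validate_jwt` accepts it exactly once per request path with the same rules everywhere, and `authorize` then answers both questions the article separates: does the client hold `accounts:read`, and is the pseudonymous subject the owner of account 1042. Because every endpoint shares `validate_jwt`, a key rotation is a change to the JWKS, not to each endpoint.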

Ensuring you have the right security architecture for your business is critical. It is not as simple as applying a blanket security measure and declaring all data behind it secure. Businesses must understand how different security solutions suit different industrial processes. Common sense is easily neglected here, with security flaws of varying severity as a result: for example, accepting different authentication methods for the same resources (such as basic authentication alongside multi-factor authentication). Signs of potential API abuse can also be overlooked, such as requests with unexpected headers or unexpected changes to the login information required, particularly if the system fails to log overtly suspicious activity. Internal audits of APIs can further unearth security weaknesses; such an audit may show, for example, that an API built to operate internally became public months or years later without the necessary checks in place. This may feel laborious, but the amount that APIs contribute to the speed and scale of business growth makes security checks all the more worthwhile.
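The three warning signs named above (mixed authentication methods on one resource, requests carrying unexpected headers, and an internal-only API answering external callers) can be checked mechanically against gateway access logs. The following audit is an added example, not code from the article; the log format, field names, the `/internal/` prefix inventory, the `10/8` internal network and the expected-header set are all constructed assumptions a real deployment would replace with its own.

```python
import json
from collections import defaultdict

# Assumptions (constructed for this example, not taken from the article):
INTERNAL_ONLY_PREFIXES = ("/internal/",)   # API inventory says these must never face the public
INTERNAL_NETS = ("10.",)                    # 10/8 is the private network; anything else is external
EXPECTED_HEADERS = {"host", "authorization", "accept", "content-type",
                    "user-agent", "x-request-id"}

# Constructed gateway access log in JSON-lines form.
SAMPLE_LOG = """
{"ts":"2022-03-01T10:00:01Z","src":"10.0.0.5","method":"POST","path":"/internal/ledger/rebuild","auth":"bearer","headers":["Host","Authorization","Content-Type","X-Request-Id"],"status":200}
{"ts":"2022-03-01T10:00:07Z","src":"203.0.113.9","method":"POST","path":"/internal/ledger/rebuild","auth":"bearer","headers":["Host","Authorization","Content-Type"],"status":200}
{"ts":"2022-03-01T10:01:12Z","src":"203.0.113.9","method":"GET","path":"/accounts/1042","auth":"bearer","headers":["Host","Authorization","Accept","User-Agent"],"status":200}
{"ts":"2022-03-01T10:01:40Z","src":"198.51.100.7","method":"GET","path":"/accounts/1042","auth":"basic","headers":["Host","Authorization","Accept"],"status":200}
{"ts":"2022-03-01T10:02:03Z","src":"198.51.100.7","method":"GET","path":"/accounts/1042","auth":"bearer","headers":["Host","Authorization","Accept","X-Debug-Mode","X-Forwarded-Host"],"status":200}
{"ts":"2022-03-01T10:02:30Z","src":"203.0.113.20","method":"POST","path":"/payments","auth":"bearer","headers":["Host","Authorization","Content-Type","Accept"],"status":401}
"""

def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def resource_key(entry: dict) -> str:
    # Same resource = same method and path; a production audit would also normalise path ids.
    return f"{entry['method']} {entry['path']}"

def audit(entries: list) -> list:
    # Each finding is {'check', 'resource', 'detail'} so it can be fed to a ticket or SIEM.
    findings = []
    auth_methods = defaultdict(set)
    for e in entries:
        auth_methods[resource_key(e)].add(e["auth"])
        unexpected = {h.lower() for h in e["headers"]} - EXPECTED_HEADERS
        if unexpected:
            findings.append({"check": "unexpected_header", "resource": resource_key(e),
                             "detail": {"src": e["src"], "headers": sorted(unexpected)}})
        if e["path"].startswith(INTERNAL_ONLY_PREFIXES) and not e["src"].startswith(INTERNAL_NETS):
            findings.append({"check": "internal_api_reached_externally", "resource": resource_key(e),
                             "detail": {"src": e["src"], "ts": e["ts"]}})
    # Second pass: a resource that accepted more than one authentication method.
    for res, methods in auth_methods.items():
        if len(methods) > 1:
            findings.append({"check": "mixed_auth_methods", "resource": res,
                             "detail": {"methods": sorted(methods)}})
    return findings

def run_audit() -> list:
    return audit(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for finding in run_audit():
        print(finding["check"], finding["resource"], finding["detail"])
```

On the constructed log this reports exactly three findings: `/internal/ledger/rebuild` answered a request from 203.0.113.9, `GET /accounts/1042` accepted both basic and bearer authentication, and one request to that resource carried headers the gateway never expects. The check is only as good as the log: if the gateway does not record the authentication method and the header names, as the article warns, none of these signals exist to be found.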

Safeguarding customers’ personal information is pivotal to business success; you can never be too careful. 

