Governance and cybersecurity of the respective APIs

[PARTNER CONTENT] More than just an IT matter, corporate APIs are the entry point into the platform economy. Succeeding at this entry is critical for the future and imposes certain preconditions. Axway and French CIOs analyze the limitations and conditions for a successful API strategy.

As a leader in creating interbank cross-ecosystems, publisher Axway is now positioned in API governance systems. During the morning session hosted by Frédéric Simottel, 01 Business Editor-in-Chief, Emmanuel Metefer, Catalyst at Axway, highlighted the recent emergence of business issues in the world of APIs: “Until recently, the API was a very technical topic, the problem of integration and operational improvement of the information system. Since then, regulations have forced companies to open up their information systems, to create ecosystems. Today, the API has established itself as a new distribution channel. This new work highlights new limitations in terms of security, governance, and coordination. This is the price to pay to gain a foothold in the platform economy and provide its services in what are now called ‘digital services markets’.”

The main witness at the Axway round table, Alexander Streicher, Delegate of the Director at AIFE (Agency for State Financial Computing), one of the departments of the Ministry of Economy, Finance, Industry and Digital Sovereignty, is responsible for electronic billing solutions, dematerialization of the public system, as well as API exchange management systems. “AIFE maintains long-term cooperation with Axway in many technology bricks. As of 2016, we have built an electronic billing system for all public entity suppliers. This system offers various exchange formats, including APIs. We quickly realized that we needed to manufacture our API management, implement a custom platform called PISTE [acronym for Plateforme d’Intermédiation des Services pour la Transformation de l’Etat]. It is designed to accommodate the volume of electronic billing flows, with 70 million invoices processed in 2021, but also to meet other needs arising from solutions implemented by AIFE, or by other public entities.”

Cybersecurity, the prerequisite for API strategy

Recent attacks on Facebook or Equifax have shown that API security is a very real problem. The German employment agency now faces 5 million attacks daily on its APIs! The severity of the threat should prompt companies to organize themselves accordingly. Eric Horisney, EMEA Sales Director for Amplify API Management at Axway, highlighted some of the best practices to follow: “Among the best practices in place for dealing with Internet risks, we can mention the implementation of API Gateway for access filtering. The rule is to move towards a ‘zero trust’ approach: apply the same rules to internal APIs as those exposed to the outside. The third measure that will be implemented is the implementation of ‘security by design’, that is, integrating security from writing an API specification.”

For CIOs present at the Roundtable, in addition to this technical issue, the human side of cybersecurity should not be neglected: “Developers, but also Citizen Developers, business users who use Low-Code/No-code solutions should be well aware of the security issues related to APIs. Companies should make training and information efforts about the dangers associated with API attacks. The use of PenTesting campaigns by ethical hackers is a recommended practice in the most critical streams.”

From a technical point of view, in addition to portals, CIOs prefer to create sandboxes to test APIs, as well as deploy additional tools such as WAFs to properly segment an information system and separate north-south and east-west data flows. Allocation of access is a governance issue: a panel of experts must manage the access granted to APIs vis-à-vis the outside world.

Governance, the necessary framework for the success of an API strategy

This management issue appears very quickly in all API deployment projects. Emmanuel Mithever, Catalyst at Axway, distinguishes 3 dimensions in the API governance role: “APIs proliferate exponentially in organizations. To avoid the risk of having to manage ‘IT SICOB’, they should carefully index their API. It is essential to have a control tower to manage all these aspects, with a unified catalog to maintain control of the information system. Governance is also regulated.”

Many CIOs are still in the process of defining an API and have not yet implemented a governance structure. This is a work that can extend for several years. One created a panel of architects to index its APIs, and the other takes into account the character’s dominant role: “For us, governance is driven by business! Governance must support careers and business growth. Calling APIs is a convenience. We don’t have to reinvent the wheel: we have to rely on standards and systems that ensure APIs are controlled and monitored. Relying on dedicated platforms makes it possible to focus on the ‘core business’ and to grow faster.” CIOs stressed the importance of having a central point, the service registry, where all data related to the API should be centralized.

Recipes for driving API adoption

An API should be considered a product as such. The company must adopt a strategy to make it successful with future developers and users. For Eric Horisney, adoption should be the number one goal, because the API is now part of the company’s business: “APIs not only allow us to deliver new customer experiences, but they also represent new potential revenue streams for businesses.” For CIOs, the success of an API project depends on a triplet: a technology with a quality API, a reporting component to ensure that the API is used correctly, and finally internal communication over time to enable continual improvement of processes and API.

CIOs noted that although the API economy is a new phenomenon, every company already has a wide range of APIs: “You need to be able to communicate about your APIs and convince the potential user to choose your APIs. Among the selection criteria is its quality, as well as its durability. An API that is no longer maintained by its publisher imposes a cost on the user who will have to choose another solution. API maintenance costs are often overlooked when starting a project, which poses the risk of budget cuts beyond the initial budget.”

CIOs concluded the session by emphasizing the following: “APIs are an asset to a company, a way to develop through new services: today’s top management must fully participate in this approach, considering APIs as a lever for their commercial policy and in the conquest of new markets.”

This content was produced with AXWAY. The BFMBUSINESS editorial staff was not involved in the production of this content.

In partnership with AXWAY