Governance and cybersecurity of the APIs concerned

[PARTNER CONTENT] Much more than a pure IT problem, APIs are for companies the starting point of the platform economy. Succeeding at this shift is crucial for the future and presupposes certain conditions. Axway and French CIOs analyse the pitfalls and the conditions for a successful API strategy.

A pioneer in the creation of ecosystems through interbank exchanges, software vendor Axway is now positioned on API management systems. During the morning session, hosted by Frédéric Simottel, Editor-in-Chief of 01 Business, Emmanuel Méthivier, Catalyst at Axway, highlighted the recent emergence of business issues in the world of APIs: “Until recently, the API was a very technical topic, a problem of integration and operational optimization of the information system. Since then, regulations have forced companies to open up their information systems to create ecosystems. Today, the API has established itself as a new distribution channel. This new business brings new constraints in terms of security, management and coordination. This is the price one has to pay to gain a foothold in the platform economy and offer its services on what are now called ‘Digital Service Marketplaces’.”

Axway’s keynote guest, Alexandre Streicher, deputy to the Director of AIFE (Agency for State Financial Computing), a division of the Ministry of Economy, Finance and Industrial and Digital Sovereignty, is responsible for electronic invoicing solutions, the dematerialisation of public procurement, and exchange and API management systems. “AIFE maintains a long-standing partnership with Axway on various technology building blocks. Starting in 2016, we built an electronic invoicing system for all suppliers to public entities. This system offers various exchange formats, including APIs. We quickly realized that we needed to industrialize our API management and implement a dedicated platform called PISTE [acronym for Plateforme d’Intermédiation des Services pour la Transformation de l’Etat]. It was designed to absorb the volume of electronic invoice flows, with 70 million invoices processed in 2021, but also to meet the other needs arising from the solutions implemented by AIFE or by other entities.”

Cybersecurity, the basic premise of an API strategy

Recent attacks on Facebook and Equifax have shown that API security is a very real issue. The German employment agency is now facing 5 million attacks a day on its APIs! The intensity of the threat should push companies to organize accordingly. Eric Horesnyi, EMEA Sales Manager for Axway’s Amplify API Management platform, highlighted some best practices to follow: “Among the current best practices for managing cyber risk, we can mention the implementation of an API Gateway to filter access. The rule is to move in the direction of the ‘Zero Trust’ approach: apply the same rules to internal APIs as to those exposed to the outside. A third measure to be applied is to implement ‘Security by Design’, i.e. to integrate security from the writing of the API specifications.”
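The three practices just listed (gateway-side filtering, the zero-trust rule that internal callers get no more trust than external ones, and security written into the specification) can be made concrete in a few dozen lines. The block below is an added example, not code from Axway, AIFE or the article: the OpenAPI-style spec, the `x-scope` extension, the HMAC-based demo token and the gateway key are all constructed for the demonstration, standing in for the OAuth/JWT validation a real gateway would perform against its identity provider.

```python
"""Three of the practices above in code: a spec-time security check
("security by design"), gateway-side filtering, and a zero-trust rule that
gives internal callers no more trust than external ones.

Added example, not code from Axway, AIFE or the article. The spec, the key,
the token format and the 'x-scope' extension are all constructed here."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

# --- Security by design: review the spec before anything is deployed --------
# Constructed OpenAPI-style spec; the status operation forgot its security block.
SAMPLE_SPEC = {
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/invoices": {
            "get": {"security": [{"bearerAuth": []}], "x-scope": "invoices:read"},
            "post": {"security": [{"bearerAuth": []}], "x-scope": "invoices:write"},
        },
        "/invoices/{id}/status": {"get": {}},
    },
}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def unsecured_operations(spec: dict) -> list:
    """List 'METHOD /path' for every operation with no security requirement.
    A document-level `security` block is the default; an empty list disables it."""
    default = spec.get("security", [])
    findings = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() in HTTP_METHODS and not op.get("security", default):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


# --- Gateway filtering ------------------------------------------------------
# Constructed demo key and token format "subject|scope scope|hmac"; a real
# gateway would validate an OAuth/JWT token issued by its identity provider.
GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"


def mint_token(subject: str, scopes: list) -> str:
    payload = f"{subject}|{' '.join(scopes)}"
    mac = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str):
    """Return (subject, scopes) if the MAC checks out, else None."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    subject, scopes, mac = parts
    expected = hmac.new(GATEWAY_KEY, f"{subject}|{scopes}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return subject, set(scopes.split())


@dataclass
class Request:
    method: str
    path: str
    source_ip: str            # carried for logging only; never a trust signal
    token: Optional[str] = None


def gateway_decision(spec: dict, req: Request) -> tuple:
    """Allow or deny at the gateway. Zero trust: req.source_ip is deliberately
    never consulted, so a 10.0.0.0/8 caller gets exactly the checks an internet
    caller gets. Fail closed when the spec declares no policy for the operation."""
    op = spec["paths"].get(req.path, {}).get(req.method.lower())
    if op is None:
        return ("deny", "unknown route")
    scope = op.get("x-scope")
    if not op.get("security") or scope is None:
        return ("deny", "no access policy declared for operation")
    if not req.token:
        return ("deny", "missing credential")
    parsed = verify_token(req.token)
    if parsed is None:
        return ("deny", "invalid credential")
    subject, scopes = parsed
    if scope not in scopes:
        return ("deny", f"{subject} lacks {scope}")
    return ("allow", subject)


if __name__ == "__main__":
    print("spec findings:", unsecured_operations(SAMPLE_SPEC))
    tok = mint_token("supplier-42", ["invoices:read"])
    for ip in ("10.0.0.5", "203.0.113.7"):   # internal vs external: same verdict
        print(ip, gateway_decision(SAMPLE_SPEC, Request("GET", "/invoices", ip, tok)))
```

Two design choices carry the point of the passage: the gateway never reads the caller's network location, so the internal and external requests in the `__main__` block receive identical verdicts, and an operation that reached the gateway without a declared security requirement is refused rather than allowed through, which is the run-time counterpart of catching that omission when the specification is written.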

For the CIOs present at the round table, beyond this technical issue the human side of cybersecurity should not be neglected: “Developers, but also citizen developers, those business users who rely on low-code / no-code solutions, need to pay close attention to the security issues associated with APIs. Companies need to make training and awareness efforts about the dangers of API attacks. The use of penetration-testing campaigns by ethical hackers is a recommended practice on the most critical flows.”

From a technical point of view, in addition to gateways, CIOs are in favor of setting up sandboxes to test the APIs, as well as rolling out additional tools such as WAFs to properly segment the information system and separate north-south from east-west traffic. Granting access is a governance question in its own right, to be handled by a committee of experts who oversee the access given to the APIs from the outside world.

Governance, the necessary framework for the success of an API strategy

This governance issue arises very quickly in every API implementation project. Emmanuel Méthivier, Catalyst at Axway, distinguishes three dimensions in the role of API control: “APIs are spreading exponentially in companies. To avoid the risk of having to manage an ‘IT SICOB’, they need to carefully catalog their APIs. It is important to have a control tower to manage all these aspects, with a single catalog to maintain control over the information system. Governance is also an organization.”

Several CIOs are still in the API identification phase and have not yet implemented a governance structure. It is work that can extend over several years. One has set up a committee of architects to catalog its APIs; another stresses the leading role of the business lines: “For us, it is the business that drives management! Governance must support the business lines and the company’s growth. Calling APIs is a convenience. We do not have to reinvent the wheel: we need to rely on standards and systems that ensure control and monitoring of APIs. Relying on platforms dedicated to this makes it possible to focus on the ‘core business’ and to go faster on growth.” CIOs stressed the importance of having a central point, a service register, where all API-related data should be centralized.

Recipes for Driving API Adoption

An API should be treated as a product in its own right. The company must adopt a strategy to make it a success with developers and future users. For Eric Horesnyi, adoption should be the number one goal, because an API is now part of the company’s business: “APIs not only enable the delivery of new customer experiences, but they also represent potential new revenue streams for businesses.” For CIOs, the success of an API project rests on three things: the technical quality of the API, a reporting component to verify that the API is used correctly, and finally internal communication over time to continuously improve the processes and the API.

CIOs pointed out that while the API economy is a new phenomenon, every company already has a large selection of APIs: “You need to be able to communicate about your APIs and convince the potential user to choose your APIs. Among the user’s selection criteria are its quality but also its longevity. An API that is no longer maintained by its publisher imposes a cost on the user, who will have to choose another solution. API maintenance costs are often overlooked when a project is launched, posing a risk of cost overruns beyond the initial budget.”

CIOs ended the session by emphasizing: “APIs are an asset to a business, a way of evolving through new services. Today’s top management must be fully involved in this approach and view APIs as a lever for their commercial policies and in the conquest of new markets.”

This content was produced with AXWAY. The BFMBUSINESS editorial staff did not participate in the production of this content.

In collaboration with AXWAY
