APIs are revolutionizing IT across industries by enabling enterprises to expose their backend applications, databases and other information assets for reuse in new Web, mobile and cloud apps. In this way, APIs help enterprises to quickly, easily and economically create powerful applications that open new revenue streams and add value to existing offerings.
The popularity of APIs stems partly from the way they use Web technologies that enterprise developers and architects are already familiar with. But in some ways, these new interfaces are fundamentally different from the browser-based Web. Specifically, while APIs are vulnerable to many of the same threats that plague websites, they demand a new approach to online security.
APIs expose sensitive on-premises systems and data for use beyond the firewall, creating a range of new attack vectors for hackers to exploit. Because APIs use new styles and protocols (e.g. REST, JSON), new security threats have emerged, which exploit traditional Web security’s inability to account for these technologies. So, APIs require a strong, API-specific security infrastructure.
While conventional Web security proved unable to address the security requirements for APIs, many organizations had already deployed middleware gateways to secure IT assets exposed to partners and customers via service-oriented architecture (SOA). Architecturally, these SOA gateways were ideally placed to centrally secure the flow of data to and from Web APIs.
Consequently, leading SOA gateway vendors have added API-specific security features to their products. These features enable the gateways to inspect all data flowing between backend systems and the client applications that leverage these systems, in order to prevent unauthorized access to client apps, malicious misuse of APIs and targeted attacks on backend systems.
CA API Gateway delivers a broad range of API-centric, enterprise-grade security and threat protection. The OAuth Toolkit, a pre-integrated component of the gateway, simplifies the process of applying strong authentication and authorization controls to API-based resources. CA Mobile API Gateway adds security measures specifically for mobile use cases.
These products represent the latest iteration of the Layer 7 SecureSpan SOA Gateway technology, which consistently achieved high levels of security certification, including FIPS 140-2. In July 2014, this Gateway technology had its Common Criteria certification renewed, making it the only technology of its kind to achieve this level of “military-grade” security certification.
CA API Gateway continues to deliver industry-standard threat protection measures, including:
Additional measures include support for:
HMAC, RSA, SHA and fast elliptic curve cryptography