At the recent Platform Summit in Stockholm hosted by the Nordic APIs community and supported by Curity, several speakers talked about the rapid growth of APIs and the impact they have on businesses that embrace them to build their digital services. A quote presented from *Forbes noted that firms using APIs saw 12.7% more growth in market capitalization compared to those that did not adopt them.
This rapid growth brings a lot of opportunities but also risks. Managing and providing appropriate access, and more importantly, securing those APIs, can be an ongoing headache for developers and for the security teams in the business. Traditional approaches to securing login and access to customer-facing applications (customer identity and access management (CIAM)), are potentially not fit for purpose for the fast, distributed way APIs are delivered. Two teams that are often in very different areas of the business need to be in sync on identity security. There is rarely a cross-over or anyone with a foot in each camp.
Identity Management and API Security: Time to Get the Teams Together
Combining the two elements of identity management and API access control creates a valuable new compound: a way to centralize identity management to provide consistent authentication and to leverage the OAuth and OpenID Connect standards to control API access. This raises the question of where responsibility for this solution lies. Sometimes, it seems unclear.
Curity attends a number of events for both identity management professionals and for API developers. Often, we find there is not a lot of overlap between the two central security challenges of identity and API security. Essentially, the identity and access management (IAM) teams care about managing identities securely and consistently, de-risking their exposure to identity-related breaches, and meeting regulatory requirements in different regions. API developers focus on the service their project provides, driving adoption and providing great customer experience — key to which is often the way the user accesses the service. This can cause team silos to build, perhaps because traditionally IAM stakeholders in an organization have been focused on internal, employee identity management and not looking at customer identities. Stakeholders on API projects are business innovators, driving customer-facing digital initiatives and looking to give the business a competitive edge.
The landscape for digital identity is changing, and the pervasive use of APIs in so many business-critical digital services means that there needs to be a change in how the two teams work together. The stakes are high. We are already seeing an alarming rise in supply-chain breaches where unauthorized access is gained to third-party systems through APIs without strong access controls. The coming paradigm shift towards a decentralized identity architecture, and the importance of verifiable credentials in delivering control of personal information and identity more directly to users, is going to need a similar shift in IAM and software development team collaboration.
Chemistry shows us the way. Take two elements and combine them to make useful compounds. Time for organizations to grasp the opportunity and modernize their approach to IAM and API security to gain a competitive advantage. Alchemy!
*"Over a four-year period, firms using APIs saw 12.7% more growth in market capitalization compared to those that did not adopt APIs." (+38% growth over a 16-year period) Marshall Van Alstyne, Forbes (2021)