Analyzing
the
concept
of
API
management
(APIM),
its
benefits,
and
what
it
will
look
like
as
the
API
landscape
continues
to
evolve.
There
are
two
fundamental
truths
in
the
API
landscape.
-
First:
APIs
have
become
a
strategic
tool
for
companies
to
expand
their
digital
reach,
accelerate
their
businesses,
and
do
more
for
their
customers. -
Second:
because
of
the
way
they
work
and
how
they’ve
been
used
so
far,
APIs
are
particularly
vulnerable
to
attacks
from
bad
actors.
In
fact,
according
to
recent
research,
malicious
API
attack
traffic
surged
117%
over
the
past
year,
indicating
that
the
threat
on
APIs
is
far
from
abating.
So,
where
does
this
leave
businesses
that
want
to
leverage
the
power
of
APIs?
For
starters,
they
need
to
invest
in
an
API
security
strategy
that
covers
all
their
bases.
A
robust
strategy
will
be
held
up
by
a
number
of
different
tools
and
methodologies,
including
API
management
(APIM).
In
this
article,
we’re
taking
a
closer
look
at
what
APIM
is,
its
benefits,
and
what
it
will
look
like
as
the
API
landscape
continues
to
evolve.
What
Is
APIM?
APIM
is
the
process
of
creating,
distributing,
monitoring,
and
analysing
APIs
that
connect
applications
and
data
across
the
enterprise
and
clouds.
Typically
deployed
as
a
scalable
platform,
APIM
allows
enterprises
to
share
their
API
configurations
while
controlling
access,
monitoring
and
collecting
usage
data,
and
enforcing
security
policies
related
to
APIs.
In
other
words,
APIM
gives
businesses
the
power
to
better
leverage
the
API
economy
without
compromising
on
security.
There
are
also
internal
benefits:
managing
all
APIs
on
one
unified
platform
lets
enterprises
share
API
documentation
and
coding
constructs
between
teams,
ultimately
making
things
easier
(and
faster)
for
developers.
What
Are
the
Components
of
APIM?
To
facilitate
flexibility,
quality,
speed,
and
security
for
enterprise
APIs,
APIM
platforms
are
usually
comprised
of
five
key
elements,
outlined
below.
API
gateway:
The
API
gateway
acts
as
the
portal
through
which
all
routing
requests
and
protocol
translations
are
handled.
As
APIs
often
have
different
structures
and
languages
and
are
constantly
changing,
an
API
gateway
facilitates
communication,
providing
a
single
point
of
contact
for
internal
and
external
parties
to
interact
with
APIs.
API
developer
portal:
The
developer
portal
provides
a
self-service
hub
for
developers
that
want
to
access
and
share
API
documentation.
This
contributes
significantly
to
speeding
up
how
developers
work
with
APIs,
streamlining
the
building
and
testing
processes,
and
providing
consistency
across
the
team.
API
analytics:
There’s
a
lot
of
value
in
understanding
and
evaluating
a
given
API’s
usage
and
operational
metrics
—
and
that’s
where
an
API
reporting
and
analytics
function
comes
in.
APIM
platforms
are
often
equipped
with
dashboards
that
provide
this
visibility
and
allow
enterprise
teams
to
make
better
decisions
about
how
they
use
their
APIs,
such
as
whether
it’s
worth
monetizing
them.
From
an
operational
perspective,
these
dashboards
help
identify
issues
early
so
they
can
be
addressed
proactively.
API
lifecycle
management:
With
APIs,
one
of
the
biggest
challenges
is
that
there
isn’t
visibility
into
the
whole
lifecycle
— from
design
to
implementation
and
retirement.
The
reason
is
that
APIs
are
often
created
for
small
internal
uses
and
then
launched
into
bigger
use
cases
without
the
proper
vetting.
Lifecycle
management
mitigates
this,
providing
a
sustainable
solution
for
building,
testing,
and
managing
APIs
with
version
control
support.
API
policy
manager:
Each
API
should
operate
within
a
set
of
API
policies
that
shape
its
evolution.
API
policy
managers
control
the
lifecycle
of
these
policies
and
house
broader
policies
that
impact
the
entire
API
infrastructure.
In
an
APIM
platform,
each
of
these
tools
comes
together
to
give
companies
a
more
complete
and
comprehensive
view
into
their
APIs
and
the
control
to
enhance
security
across
the
API
ecosystem.
What
APIM
is
Not
From
a
security
perspective,
while
APIM
platforms
are
key
for
creating
unified
visibility
and
control
over
a
company’s
API
infrastructure
—
and
for
facilitating
the
implementation
of
API
security
features
—
it’s
important
to
note
that
it’s
only
one
pillar
in
a
robust
API
security
strategy.
API
management
platforms
are
not,
fundamentally,
security
platforms.
They
lack
key
API
security
elements
organizations
should
enforce,
including
continuous
authentication
and
authorization,
access
control,
data
validation,
runtime
security
tailored
to
the
OWASP
API
Top
10
attacks,
and
a
testing
plan
for
APIs
both
in
production
and
pre-prod.
It’s
also
important
to
note
that
APIM
isn’t
a
one-size-fits-all
solution.
It’s
essential
to
evaluate
the
company’s
IT
infrastructure
and
other
resources
to
ensure
that
they
are
equipped
to
adopt
and
implement
a
new
platform
for
its
APIs.
Do
you
have
the
right
level
of
expertise
on
your
team?
Are
you
working
with
enough
APIs
to
justify
the
adoption
of
an
APIM
platform?
Do
you
have
API
security
policies
in
place
to
enable
your
APIM
tool
to
do
its
best
work?
These
are
all
critical
questions
to
ask
as
you
evaluate
this
solution.
What
Are
the
Benefits
of
APIM?
For
many
enterprises,
APIs
are
the
Wild
West
of
their
technical
infrastructure.
APIs
often
differ
significantly
from
one
another,
making
it
challenging
to
create
overarching
measures
to
manage
them.
The
landscape
is
constantly
changing,
so
documentation
quickly
becomes
outdated
and
irrelevant.
This
is
part
of
what
makes
APIs
such
an
appealing
threat
vector
for
cybercriminals.
APIM
remedies
this
while
providing
other
benefits.
APIM
supports
businesses
by:
-
Centralising
visibility
to
all
API
connections,
lowering
the
risk
of
attacks,
and
giving
teams
the
ability
to
identify
gaps
and
duplicates -
Facilitating
data-driven
decisions
for
the
business,
such
as
monetizing
the
API -
Protecting
the
business
from
API-related
threats -
Enabling
the
creation
of
detailed
API
documentation -
Creating
better
user
experiences
for
API
consumers -
Improving
developer
experiences -
Providing
better
insights
into
the
current
state
of
API
security,
allowing
teams
to
create
a
better
ecosystem
What
Does
the
Future
of
APIM
Look
Like?
APIs
aren’t
going
anywhere.
Businesses
are
continuing
to
build
applications
that
rely
on
hundreds,
if
not
thousands,
of
APIs.
With
APIs
exposed
to
multiple
data
centres,
cloud
providers,
and
customers,
with
different
levels
of
access
requirements
and
customization,
the
scale
and
complexity
of
the
ecosystem
are
only
going
to
get
bigger.
For
enterprises
that
want
to
stay
agile,
organised,
and
secure,
APIM
will
be
crucial.
APIM
will
continue
to
be
an
important
driver
for
functions
such
as
versioning,
deployment
processes,
usage
metrics,
and
interoperability.
And
from
a
security
perspective,
they
will
develop
as
API
gateways
become
more
mature,
doing
more
in
the
rate
limiting,
data
masking,
and
authentication
spaces.
Other
changes
will
come
within
the
interfaces
themselves.
There’s
a
growing
shift
in
the
developer
tooling
space
with
the
emergence
of
tools
that
favour
visual
drag-and-drop
functionalities
instead
of
coding.
This
way,
different
teams
can
contribute
to
APIM
within
the
bounds
of
their
skill
sets
and
still
have
a
clear
understanding
of
the
workflows,
API
lifecycles,
and
API
security
policies.
As
APIM
platforms
continue
to
mature,
they
will
become
an
even
more
strategic
asset
for
businesses
that
want
to
make
the
most
of
the
API
landscape
without
compromising
their
security.
About
the
Author:
Ali
Cameron
is
a
content
marketer
that
specializes
in
the
cybersecurity
and
B2B
SaaS
space.
Besides
writing
for
Tripwire’s
State
of
Security
blog,
she’s
also
written
for
brands
including
Okta,
Salesforce,
and
Microsoft.
Taking
an
unusual
route
into
the
world
of
content,
Ali
started
her
career
as
a
management
consultant at
PwC
where
she
sparked
her
interest
in
making
complex
concepts
easy
to
understand.
She
blends
this
interest
with
a
passion
for
storytelling,
a
combination
that’s
well
suited
for
writing
in
the
cybersecurity
space.
She
is
also
a
regular
writer
for
Bora.
Follow
me
on
Twitter:
@securityaffairs
and
Facebook
and
Mastodon
(SecurityAffairs –
hacking,
Moshen
Dragon)