„Management of companies' API infrastructure is growing.“
BY TEMEL KAHYAOGLU
(Published in The Produktkulturmagazin issue 1 2019)
In our increasingly digital and networked world, application programming interfaces (APIs) are the building blocks from which innovative new business models can be built. We spoke with Sebastian Rohr, CTO at Apiida AG, about the importance of APIs and the pivotal aspect of security.
Mr. Rohr, APIs have grown increasingly important in recent years. Why is this, and for what areas is this particularly true?
Lots of companies – especially major cloud providers, such as Amazon – began realigning their internal IT to digital interfaces in the form of APIs quite a few years ago. The phenomenal success of Netflix, Amazon Prime, or even Salesforce, the CRM cloud service, is built on the paradigm of using APIs. In contrast to the complicated task of integrating IT services in a one-to-one relationship, deploying information through APIs enables faster adaptation. Rather than overload a web interface with as many functions as possible, Salesforce can cover most of its CRM functions using APIs. This way, larger clients can offer key functions that are specific to them using an interface they themselves have built, or through a smartphone app presented in their own corporate design. The video on-demand provider Netflix doesn’t have to build and maintain a dedicated app for each of 20 TV providers, with four product lines apiece. Instead, it defines a carefully documented API that it then regularly updates and equips with extended functions. It’s up to the TV providers whether they offer certain functionalities on their TV, or whether they reserve these for premium models that they themselves have created. The situation is similar for the growth sector of parcel services. Without a suitable app, many of the value-added functions would be impossible to implement at all. But the rule applies here, too: if you dread the effort of maintaining multiple apps, then you should invest in a properly itemised, executed and documented API and provide secure access to your partners in the network. Established companies such as Lufthansa or lighting specialist Osram are not the only players already offering new APIs as they digitalise business processes and develop new income streams.
How do APIs need to be designed to generate the greatest possible benefit for companies?
As in many areas of the New Economy, in the beginning, the landscape of publicly available APIs was dominated by high momentum and documentation lacking depth and subtlety. Some of the early providers of such APIs have since vanished from the market again because they lacked strategy, planning and documentation of the interdependencies involved. The latest findings indicate that the factors that set successful companies apart from their less successful competitors in the field of digitalisation are strategic planning of their API landscape and excellent documentation of these same APIs. A particularly important step forward in this regard was the publication of the Open API Specification (OAS). But the clear focus today should be on the added value a company can gain through orientation around APIs. Take a look at Lufthansa: with its Open API initiative, it has opened itself up to third parties, thus tapping into new sales channels and revenue streams for itself and others. Or consider Osram, a former lighting manufacturer that now offers lighting concepts for events and locations that can be holistically planned, configured and operated using its API platform. These are completely new business models that can only be implemented reasonably and cost-effectively through APIs!
On the other hand, these APIs are also popular targets for cybercriminals – what makes them so vulnerable?
APIs that have been implemented quickly (because they were planned poorly) offer very quick and easy access to information and functions that were previously hidden behind well-secured application interfaces that required strong authentication. Security for these old applications was usually defined using a proper concept for Identity and Access Management (IAM). Unfortunately, many of the APIs published today are not yet subject to such regimentation, and companies often lack specifications for protecting and safeguarding APIs against unauthorised use. And yet, with a little planning and the right tools, API security can be quite simple. The use of API keys, certificates and definition of the appropriate access rights provide protection against the bulk of the attacks discussed in the media. Essentially, this should not have any further effect for the API planner, and certainly not for the programmer: with a solidly prepared developer portal and good API management, security safeguards are predefined from the outset and cannot be circumvented.
What are the challenges involved in managing APIs?
Management of companies’ complex API infrastructure is getting increasingly inefficient as a result of the diverse security requirements and the constantly rising number of APIs that must be managed. We’ve already seen how an Excel spreadsheet was used to reconcile security settings manually for APIs between gateways in America and those in Europe. Obviously, it is impossible to implement agile software development or an efficient DevOps scheme using this approach. The aim should be to minimise these inefficiencies and factors of uncertainty in managing large API landscapes by using meaningful automation and comprehensive monitoring of critical properties such as response times. Ultimately, though, the focus has to be on the user. No matter how interesting the service, a customer won’t accept if it has lousy usability. This is particularly true of security functions such as logging on to a system or even an app or API.
In addition to digitalisation, you are also committed to security. Recently, you offered an innovative solution for employee authentication. Tell us more about the development and the operating principle behind the product.
In the late 1990s, I was an employee at Siemens AG, where I was already confronted with the security technology of smart cards. As a security consultant in the Group, I was one of the first 100 employees to be outfitted with a multifunctional employee ID. Equipped with this tiny IT-security all-rounder, I could pay for my food in the canteen, buy snacks at the vending machine, enter the building and log on to my own computer. We professionals spent several weeks trying to get the topic of secure e-mail up and running, but then we dropped it again because of excessive complexity. As beautiful and secure as the smart card seems to be as a means of logging into the PC, its lack of user friendliness and high costs, combined with the complexity of the overall solution, did not really win the smart card many friends among corporate groups. I also forgot my ID at home on several occasions – and as a result, I couldn’t access the office or log on to my PC. Maybe it was this particularly unpleasant experience early in my career that caught up with me when we developed our Apiida Mobile Authentication (or AMA for short). To me as a security expert, it was clear that employees would love strong authentication in the corporate setting only if it worked with the highest user comfort and used components that were already part of their daily routines. So-called ‘millennials’ (i.e. the young employees just arriving in the firms) have smartphones practically surgically attached to their hands, and many colleagues in our age group and older also rarely set the tiny worry stone too far away. I’m far less likely to forget my smartphone at home than I am to leave my wallet on the dresser. We oriented our efforts around the user-friendliness of Apple and developed the most secure authentication possible based on the security chips installed in the smartphone. I am convinced that this combination of usability and security will find more adherents than the smart card ever has.
Complex system structures and an increasing number of interfaces and microservices call for central administration and continuous monitoring. How does the Apiida API Gateway help with this?
Our Apiida API Gateway Manager monitors all connected API gateways and services in real time. If pre-set limits are exceeded (the response time from a back end, for example), then the respective people in charge are immediately notified. This ensures that an error will be detected as quickly as possible and can be corrected faster, too. At the same time, the product supports the administration of different versions of the APIs. Migrating new versions – from development through testing and quality control to production – can be an elaborate and faulty process. Here, API Gateway supports IT operations and safeguards the entire process through automation; after all, human beings sometimes make careless mistakes.
What is your view of upcoming developments, and what plans does Apiida have in place to respond to them?
APIs and the digitalisation of enterprises are becoming more and more relevant for German companies. In other countries, and in the USA in particular, this topic has gained a great deal more acceptance within the companies themselves. A market player who knows how to work with speed and innovation is at an advantage. We use innovative solutions in an effort to help companies broach this topic in the easiest way possible. At the same time, our mission is security, and we want to be able to deliver a holistic security context right from the beginning.
Sebastian Rohr has been managing director and CTO of Apiida AG since 2016. The topic of security runs throughout his career – among other things, he worked as a researcher for network security at the Fraunhofer Institute for Secure Information Technology.
Picture credit © Sebastian Rohr