Importance of APIs and their Management in Digitalisation Initiatives

Importance of APIs and
their Management in Digitisation Initiatives
Successfully manage your own and third-party APIs to meet
security and compliance requirements!
Roland Wenzke | SEEBURGER AG | House Venue in Bretten, 23.10.2019

© SEEBURGER AG 2019 2
Digitalisation Has its Challenges
COMPLIANCE
Regulation
COMPLIANCE
Compliant with the law
EFFECTIVENESS
Standardisation
SAFETY AND SECURITY
Data Protection
EFFECTIVENESS
Automation
SAFETY AND SECURITY
Scalability

GDPR
Compliance – Legislators Tighten Data Protection Guidelines
Threat of Heavy Fines
The framework for fines has been considerably
increased by the basic data protection regulation.
While the maximum amount was €300,000 per case
in the past, companies are now threatened with a
maximum fine of up to €20 million or up to four
percent of their worldwide annual turnover for
the most serious data protection violations.

Consequences of Non-Compliance
Intercepted e-mails enable scamming
Financial Industry
»Mail servers or e-mails are the preferred
technical target for attacks.«

Data Protection
Especially important for medium-sized businesses!
Total
affected presumably affected not affected

Data Protection
Highest Risk During Data Transfer
data theft / spied
or intercepted
data
computer
fraud
industrial
secrets
copyright
research violation
system
damage or
sabotage
blackmail manipulation of
financial account
data

Data Protection - Billions in damages due to data theft
43 billion euros in losses in the 2-year period
Please estimate the damage to your company in Germany within the last two years caused by the type of offence that has occurred.
Basis: All surveyed industrial companies that have been affected by data theft, industrial espionage or sabotage in the last 2 years (n=343)
Source: Bitkom Research
crime type
Loss amounts within the last 2 years in
billion euros
Image damage to customers or suppliers / Negative media coverage 8,8
Patent infringement (even before application) 8,5
Failure, theft or damage of information and production systems or operational processes 6,7
Investigation and replacement costs 5,7
Loss of revenue due to loss of competitive advantages 4,0
Loss of sales due to counterfeit products (plagiarism) 3,7
litigation costs 3,7
Data protection measures (e.g. customer information) 1,4
Extortion with stolen data or encrypted data 0,3
Other losses 0,6
Total damage within the last two years 43,4

Compliance – Global Players Take a Close Look at Their Suppliers
“Our IT security has everything on the
radar everywhere, every day, every hour.
With the additional networking provided by
the Industrial Cloud, we will know immediately
if an unknown software is installed in a
supplier's IT system. And then we can quickly
assess whether we need to sound the alarm.„
Martin Hoffmann
CIO of the Volkswagen Group on the subject of IT security

API Interfaces Are a New Threat
The writing is on the wall
https://securityaffairs.co/wordpress/87259/digital-id/venmo-privacy-transactions.html

API Interfaces Are a New Source of Danger
There are also many examples of warnings
https://nakedsecurity.sophos.com/2019/03/25/thousands-of-coders-are-leaving-their-crown-jewels-exposed-on-github/
https://securityaffairs.co/wordpress/87259/digital-id/venmo-privacy-transactions.html

https://threatpost.com/critical-cisco-bug-remote-takeover-routers/147826/

https://threatpost.com/internal-accenture-data-customer-information-exposed-in-public-amazon-s3-bucket/128364/

API Interfaces as a Source of Danger
What are the main security vulnerabilities?
The details of the safety standards violation is not always clear.
However typically they take place in the following areas:
Excessive Data Exposure
One speaks of this when an API provides data that is not actually required for the use case. The client
consuming the data can filter it. However, these filters are vulnerable or can be bypassed.
Lack of Resources due to lack of
throttling
If it is not possible to limit the number of parallel calls of an API, this can lead to an overload of the
backend and thus affect the general function of the backend system, up to a total failure. Such a
situation can be caused by an unintentional misconfiguration of the API consumer or by a malicious
intention (DoS/DDoS attacks).
Authentication & Authorization
A sophisticated authorization system is part of the solution to avoid excessive data exposure.
However, the best implementation does not help here if the solution itself offers gaps for an attack for
hackers on the server or the client side, e.g. if authentication tokens are stored unprotected and can
therefore fall into the wrong hands.
Security Misconfiguration
The best security procedures are useless if they are not activated. In general, all aspects of IT and data
security must be included in the implementation.

API-Based Digitization Initiatives
How do you approach the first challenges?
There are more and more application scenarios,
bringing the API interfaces with them
 API-based B2B integration
 Data as service:
e.g. provide information for ad-hoc retrieval
 Industry initiatives such as Open Banking
 Integration of internal and external applications
(e.g. cloud applications like Salesforce and services
from the cloud like Google Geo-Location)
 Provision of services and data about
Mobile Apps
REST and you are set?
API Integration ranges from trivial to sophisticated
Trivial
API integration point-to-point
Standard
API integration with multiple endpoints
Demanding
API integration of multiple systems,
applications, services

What is the successful implementation of API Integration
leading to ?

API-based Digitization Initiatives
Management of security, compliance and profitability?
Typical for API-based digitization initiatives:
 In most cases (as with MFT) these are initiatives that are triggered by the Line of Business.
 APIs are often about consuming cloud services that are designed to be used by a Line of Business.
 The connection to these services is typically achieved via APIs. Typically the use of these cloud services
requires data from the existing internal company systems.
 In the beginning there are only a few use cases which are conencted, but over time the number increases.

Examples of API Scenarios
Companies of almost every size are dealing with an increasing number of APIs:
 Webshop and ERP connections use case: consume APIs
 CRM (Salesforce) to SAP use case: consume APIs
 Connecting Marketo to CRM Solution use case: Consume APIs
 Grant access to price lists for customers use case: provide APIs
 Grant access to billing and reporting for customers use case: provide APIs

API Scenario ‘provide’
Provide APIs internally or externally (‘provisioning’)
Internal API
providing systems
API consuming
Apps & Systems
Applications / System
offering REST / SOAP
APIs

Internal Systems &
Databases without APIs
BIS API Integration
Solution
API integration
Internal API
providing systems
API consuming
Apps & Systems
APIs
3rd Party Solution
providing REST / SOAP
APIs for connected
Applications and
Systems
Unmanaged
APIs!
Internal Applications
providing data via an API
implemented by a BIS
API Integration service

Internal Systems &
BIS API Integration
Solution
API integration
Internal API
providing systems
API consuming
Apps & Systems
App Developers &
App Owners
API Publishers &
API admins
BIS API
portal
BIS API
gateway
API ManagementApplications / System
APIs
3rd Party Solution
providing REST / SOAP
APIs for connected
Applications and
Systems
Managed in regards to: Security, Compliance / Governance, Efficiency
providing data via an API
implemented by a BIS
API Integration service
Managed
APIs!
Managed
APIs!

API Admins &
API Consumers
BIS API
portal
BIS API
gateway
API Management
API Scenario ‘consume’
Access to ‘consumption of’ APIs from external providers
Internal Systems &
BIS API Integration
Solution
API integration
Internal API
consuming systems
APIs provided by
external providers
Unmanaged
API consumption!
consuming externally
provided REST / SOAP
APIs
3rd Party Solution
consuming REST / SOAP
APIs of external
providers
Managed in regards to: Security, Compliance / Governance, Efficiency
consuming data
provided by BIS API
integration coming from
externally provided APIs
Managed API
consumption!

CRM APPLICATIONS HR APPLICATIONS E-BUSINESS APPLICATIONS
e.g. business apps are increasingly booked as cloud services

Management of security, compliance and profitability?
What about you?
Economic efficiency? Implement API connection yourself Introducing a Central API Solution
Few API interfaces
"This is what the provider of the cloud service
should do for us"
"Is it worth it?"
Many API interfaces
"We must get rid of the uncontrolled
growth!"
"We should have done this from the beginning!"
Only a few API interfaces Implement API connection yourself Introducing a Central API Solution
Safety and security "I hope that has all been considered"
Central API gateway provides clear
safety standards
Compliance
"GDPR? I don't even know exactly what data
is being exchanged. The Line of Business took
care of this."
Central documentation of all APIs in the API portal.
Governance processes for the introduction of new
APIs

Benefits of an API Management Solution
Even if it is ‚only‘ about the connection (‚consume‘) of external APIs
Central API catalog creates
transparency and efficiency as well is
reducing costs
Transparency around existing APIs which
avoids duplicate development
Audit trail
Central proof of API usage
API mediation
Enables the decoupling of the used external
APIs from the internally used (API) interfaces
Safety and security
Enables the central, uniform application of
defined security policies. Central protection
for used API keys in the API gateway instead of
decentralized storage in ‚solutions‘ triggered
and / or run by Lines of Business.
Data Leakage / Compliance
Among other things, companies are legally
obliged under EU GDPR and other privacy acts
to protect personal or sensitive data. This also
applies to data that is sent to external services
as a payload in API calls.

What do the analysts (Gartner) say?
Source: Gartner Document “Managing the Consumption of Third-Party APIs”, August 2, 2019 from Mark O´Neill

Overview of the BIS API Management Solution
Manage ‘Provision’ & ‘Consumption’ of APIs
Internal Systems &
Databases Providing &
Consuming data
BIS API Integration
Solution
API integration
Internal systems
Providing & Consuming data
via own APIs
App Developers &
App OwnersAPI Publishers &
API admins
API providing
services
Managed APIs: Security, Compliance / Governance, Efficiency
API consuming
Apps & Systems
EXTERNAL (INTERNET)INTERNAL (INTRANET)
API Integration
platform providing
and consuming APIs
BIS API
portal
BIS API
gateway
API Management

API Management Security Architecture Overview
API Gateway protects APIs - and also needs protection
Internal Systems &
Consuming data
BIS API Integration
Solution
API integration
Internal systems
via own APIs
App Developers &
API admins
API providing
services
Managed APIs: Security, Compliance/Governance, Efficiency
API consuming
Apps & Systems
API Integration
platform providing
and consuming APIs
API gateway
protection
Unmanaged
APIs!

Internal Systems &
Consuming data
BIS API Integration
Solution
API integration
Internal systems
via own APIs
App Developers &
API admins
API providing
services
API consuming
Apps & Systems
API Integration
platform providing
and consuming APIs
BIS API
portal
BIS API
gateway
API Management
Managed APIs

Internal Systems &
Consuming data
BIS API Integration
Solution
API integration
Internal systems
via own APIs
App Developers &
API admins
API providing
services
API consuming
Apps & Systems
API Integration
platform providing
and consuming APIs
BIS API
portal
BIS API
gateway
API Management
anti
DDoS
messenger
mitigation
WAF
API gateway
protection

Explanation of the previous slides:
 API Gateway protects APIs as follows:
 Protection against unauthorized access internally and externally
 Protection against unauthorized content (inbound and outbound)
 Protection against excessive and forbidden consumption
 The API gateway itself must also be protected:
 Web Application Firewall: Analysis of the traffic between the different components
 Anti-DDoS: protection against DDoS attacks that limit availability
 Bot mitigation: protection against unwanted and automated attacks

API Management
Summary
The following conclusions can be drawn from the points presented:
 The use of APIs continues to grow strongly - and with it the associated dangers.
 For security and compliance reasons, API interfaces should be treated as any sensitive file transfer:
 Manage Files: Managed File Transfer
 Manage APIs: API Management
 It is recommended to start ‚early‘ - not only when an uncontrolled growth in API usasge has occurred.
 ‚Management‘ not only arises when one‘s own APIs are opened externally, but also from the beginning
when API-based services are ‚consumed‘.
 With the SEEBURGER BIS platform, you are equipped to tackle these challenges successfully.

Thank you very much
Questions or remarks?
We are here for you!
www.seeburger.com

© Copyright 2019 SEEBURGER AG. All rights reserved.
The information in this document is proprietary to SEEBURGER. Neither any part of this document, nor the whole of it may be reproduced, copied, or transmitted in any form or purpose without the
express prior written permission of SEEBURGER AG. Please note that this document is subject to change and may be changed by SEEBURGER at any time without notice. SEEBURGER‘s Software product,
the ones of its business partners may contain software components from third parties.
SAP®, SAP® R/3®, SAP NetWeaver®, SAP Cloud Plattform & Cloud Plattform Integrator®, SAP Archive Link®, SAP S4/Hana®, SAP® GLOBAL TRADE Service® (SAP GTS), SAP Fiori ®, ABAP™ and SAP ARIBA® are
registered trade marks of the SAP AG or the SAP AG Deutschland (Germany). Microsoft, Windows, Windows Phone, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of
Microsoft Corporation in the United States and other countries. Linux is a registered trade mark of Linus Torvalds in the United States and other countries. UNIX, X/Open, OSF/1, and Motif are registered
trademarks of the Open Group. Adobe, the Adobe logo, Acrobat, Flash, PostScript, and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and / or
other countries. HTML, ML, XHTML, and W3C are trademarks, registered trademarks, or claimed as generic terms by the Massachusetts Institute of Technology (MIT), European Research Consortium for
Informatics and Mathematics (ERCIM), or Keio University. Oracle and Java are registered trademarks of Oracle and its affiliates.
All other product and service names mentioned are the trademarks of their respective companies.
4invoice®, iMartOne®, SEEBURGER®, SEEBURGER Business-Integration Server®, SEEBURGER Logistic Solution Professional®, SEEBURGER Web Supplier Hub®, WinELKE®, SEEBURGER File Exchange ®,
SEEBURGER Link ®, SMART E-Invoice ® and other products or services of SEEBURGER which appear in this document as well as the according logos are marks or registered marks of the SEEBURGER AG in
Germany and of other countries worldwide. All other products and services names are marks of the mentioned companies. All contents of the present document are noncommittal and have a mere
information intention. Products and services may be country-specific designed. All other mentioned company and software designations are trade marks or unregistered trade marks of the respective
organizations and are liable to the corresponding legal regulations.
 The information in this document is proprietary to SEEBURGER. No part of this document may be reproduced, copied, or transmitted in any form or purpose without the express prior written
permission of SEEBURGER AG.
 This document is a preliminary version and not subject to your license agreement or any other agreement with SEEBURGER. This document contains only intended strategies, developments, and
functionalities of the SEEBURGER product and is not intended to be binding upon SEEBURGER to any particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SEEBURGER at any time without notice.
 SEEBURGER assumes no responsibility for errors or omissions in this document. SEEBURGER does not warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement.
 SEEBURGER shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation
shall not apply in cases of intent or gross negligence.
 The statutory liability for personal injury and defective products is not affected. SEEBURGER has no control over the information that you may access through the use of hot links contained in these
materials and does not endorse your use of third-party web pages nor provide any warranty whatsoever relating to third-party web pages.

Importance of APIs and their Management in Digitalisation Initiatives

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Importance of APIs and their Management in Digitalisation Initiatives

Ähnlich wie Importance of APIs and their Management in Digitalisation Initiatives (20)

Mehr von SEEBURGER

Mehr von SEEBURGER (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Importance of APIs and their Management in Digitalisation Initiatives