Gartner Research Director Mark O’Neill talks about API challenges, the latest API trends, and the steps organisations should take to design more secure APIs that can respond faster. He tells us about the growing importance of API security and the industry adoption of standards such as OAuth 2.0 and the Open API Specification 3.0.
An API (Application Program Interface) is a software intermediary (a set of functions and procedures) that connects two applications and allows them to talk to each other using open standards such as XML. It facilitates the exchange of data and instructions between the two applications. For instance, when you use an app on your phone to transfer money from your bank account to a utility provider via a payment app, that transfer is enabled through APIs. Think of APIs as the “hooks” that connect various applications to facilitate the exchange of messages between them.
Excerpts from the interview:
DC: What are the challenges of developing and integrating APIs for businesses today? How are organisations responding to these challenges?
Mark O’Neill: One of the challenges has been the lack of API standards. In many industries, there are no APIs predefined for that industry. So organisations have to design their own APIs. They need to ensure that those are well-designed APIs and they should be thinking about how to do versioning, and so on. That is changing in industries like Banking because Banking is regulated.
The other challenge for APIs is that there is a lot of pre-integration, often using proprietary adapters. In some organisations we find people might use direct integration into the system rather than using APIs, because they think the APIs might add some latency or more complexity. A lot of organisations are opting for an ‘API first’ approach — where they ask developers and integrators to first look for APIs and not do direct integration.
Direct integration locks you into technologies, and so it is difficult to move between different systems. But APIs give more flexibility.
DC: What about API security?
Mark O’Neill: Yes, that’s another big challenge. Many API initiatives are about unlocking data and getting data out of systems. This is a big concern for security professionals as most security issues are data breaches. Many organisations that develop APIs are concerned about security. They want to ensure that APIs are used securely. And this is particularly important with banks, which share their data with Fintechs. That’s where you use API management and API gateway products. These can apply security to the APIs and can selectively encrypt some data and apply authorisation to the API traffic.
Application security vendors are now aware of APIs. Web Application Firewall vendors and vendors of Application Delivery Controllers (load balancers) are being asked questions about APIs. So they need to have some API security as well.
DC: What are the big API trends happening now?
Mark O’Neill: There are a couple of big trends with APIs. The first trend is about the way web applications are being developed today — it is moving to a single page application approach. This is more responsive and very interactive. Within the web application, it is calling APIs to get its data. For example, it could call Google Maps, and you could move around the map, within that same web page (without going to the Google Maps website). The application is pulling real-time data from Google Maps through API calls in the backend. This is also seen in gaming applications. Frameworks like Angular and React are calling APIs.
We also see a trend of Multi-experience, where an application is delivered with a web interface or a progressive mobile application. It could also be delivered through IoT and the interface there is also being enabled through APIs. PWA (Progressive Web Application) is a framework for creating web applications that could be delivered on mobile. And those web applications are calling APIs.
The other trend is event-driven programming, which is suited to high volumes of data but also real-time scenarios. This is ideal for high polling activities. We now have support for event-driven patterns in API definitions thanks to the Open API Specification 3.0. That includes the ability to define callbacks and handlers for events.
We are also seeing more streaming APIs for high volumes of data. Streaming APIs are more efficient because you are not doing many request-response pairs; instead, you are getting a stream, and when the data changes you get updated data. Twitter is a famous example: you get the stream of tweets coming from Twitter.
DC: What will be the focus of the next generation of APIs?
Mark O’Neill: In the next generation of APIs there will be more emphasis on security. We also see a move to microservice architecture. People are thinking about ways to manage and secure those microservices.
DC: Microsoft and others are moving from basic authentication to the OAuth (Open Authorization) 2.0 standard. How does it enhance authorisation for APIs?
Mark O’Neill: OAuth 2.0 is a standard that enables authorisation for APIs. An API provider like a bank, for instance, can ensure that the owner of a bank account (customer) authorises some app to access their bank account. OAuth supports Scopes, or what the API consumer is allowed to do. It allows the customer to define what the app can access from the bank account — perhaps just view the bank balance or the last five transactions. With OAuth, the API provider can offer very fine-grained authorisation. It asks what the app is allowed to access. The customer can also remove those authorisations. OAuth is important for open banking.
DC: Which verticals can benefit from OAuth?
Mark O’Neill: Healthcare has a lot of fine-grained authorisation scenarios and OAuth is good for that. It can be used in Healthcare for making sure that you can view your own health records, and also give selective access to others to view those records. You can authorise certain family members or doctors to view your health records.
In Government, you can authorise an accountant who is preparing your tax returns to access your tax records. They could have selective access.
DC: When designing security policies for APIs what are the crucial things to keep in mind?
Mark O’Neill: The big problem with APIs is data breaches. We saw this in the U.S. when the IRS (Internal Revenue Service) brought out APIs to read tax transcripts. It was possible to view many tax transcripts, but that was not the intention when designing the app. So they had to fix that problem. That means security policies for APIs should look for any unusual behaviour. So if you have an API for health records and you notice that one client is pulling down millions of health records all at once, it should be able to detect that. The problem is many organisations do not have API gateways in place to do this. The other problem is, APIs are designed to provide fast access to information. That makes them vulnerable to people abusing that ability. So it is essential to have policies in place to check authorisation and also to check for unusual traffic and unusual behaviour. It is difficult to do this, but we are starting to see some products that use AI for this.
DC: What’s the opportunity for start-ups who design APIs?
Mark O’Neill: I have spoken to some start-ups for API security, and I see that they are doing exciting things with AI, to look at the API traffic. The idea is to look for unusual traffic and block the attacks before they happen. That’s an excellent opportunity for start-ups.
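The two policy ideas O’Neill describes above, OAuth 2.0 scope checks on each API call and detection of a client that pulls an unusual volume of records, can be sketched as a small gateway policy. The following is an added illustration written for this page, not code from Gartner, Mr O’Neill, or any API gateway product. The endpoint paths, scope names (`balance:read`, `transactions:read`, `records:read`), client ids, the 1,000-records-per-60-seconds threshold and the sample traffic are all constructed for the example.

```python
"""Toy API-gateway policy: OAuth 2.0 scope enforcement plus bulk-access anomaly detection.

Constructed example; scope names, endpoints and thresholds are illustrative only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Scope each endpoint requires. A real deployment would load this from the
# gateway's policy store; these values are assumed for the example.
REQUIRED_SCOPE = {
    "GET /accounts/balance": "balance:read",
    "GET /accounts/transactions": "transactions:read",
    "GET /records": "records:read",
}


@dataclass
class Request:
    client_id: str          # identifies the calling app (e.g. OAuth client_id)
    method: str
    path: str
    scopes: frozenset       # scopes granted in the access token presented
    timestamp: float        # seconds since some epoch
    records_returned: int = 1  # how many records the backend would return


@dataclass
class GatewayPolicy:
    max_records_per_window: int = 1000   # assumed threshold for "unusual" volume
    window_seconds: float = 60.0         # sliding window length
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def check_scope(self, req):
        """Fine-grained authorisation: the token must carry the endpoint's scope."""
        required = REQUIRED_SCOPE.get(f"{req.method} {req.path}")
        if required is None:
            return False, "unknown endpoint"
        if required not in req.scopes:
            return False, f"missing scope {required}"
        return True, "ok"

    def check_volume(self, req):
        """Behavioural check: flag a client pulling too many records in one window."""
        hist = self._history[req.client_id]
        hist.append((req.timestamp, req.records_returned))
        cutoff = req.timestamp - self.window_seconds
        while hist and hist[0][0] < cutoff:   # drop events outside the window
            hist.popleft()
        total = sum(n for _, n in hist)
        if total > self.max_records_per_window:
            return False, f"{total} records in {self.window_seconds:.0f}s exceeds limit"
        return True, "ok"

    def evaluate(self, req):
        """Returns ("allow"|"deny"|"alert", reason). Scope failures are hard denies;
        volume anomalies raise an alert for the security team to act on."""
        ok, reason = self.check_scope(req)
        if not ok:
            return "deny", reason
        ok, reason = self.check_volume(req)
        if not ok:
            return "alert", reason
        return "allow", reason


def run_sample():
    """Evaluate constructed traffic and return the list of (decision, reason)."""
    balance_only = frozenset({"balance:read"})
    records = frozenset({"records:read"})
    traffic = [
        Request("app-A", "GET", "/accounts/balance", balance_only, 0.0),
        Request("app-A", "GET", "/accounts/transactions", balance_only, 1.0),
        Request("app-B", "GET", "/records", records, 0.0, records_returned=400),
        Request("app-B", "GET", "/records", records, 10.0, records_returned=700),
        Request("app-B", "GET", "/records", records, 100.0, records_returned=5),
    ]
    policy = GatewayPolicy()
    return [policy.evaluate(r) for r in traffic]


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(f"{decision:5s}  {reason}")
```

The second request is refused because the token was scoped to balance reads only, which is the consumer-granted, revocable permission model described for open banking. The fourth request is allowed through the scope check but raises an alert: the same client has fetched 1,100 records within the window, the "one client pulling down millions of records" pattern, which a gateway can see only if every call passes through it.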