What Are APIs and Are They Worth the Risk?

If you’ve shopped on Amazon, tweeted something, or accessed company data in Salesforce, you likely used an API. API stands for Application Programming Interface, and APIs have become a ubiquitous part of our internet and mobile experience today, for both consumers and businesses.

Essentially, an API is the interface between different systems and information, which lets one program speak to another by exchanging data in the background, behind the scenes. By definition and function, we often don’t recognize that we’re utilizing an API.

APIs are the technology that ensures people have seamless (and expected) user experience on their phones and browsers. For you, a business owner, this could mean allowing your product or service to talk to another product or service to either make your internal systems more efficient for staff or to improve your external customer experience; both of which can grow and improve your own business.

As an example, Google has a Maps API to access its map functionality; businesses often embed this on their website so people can easily map directions to an office or service location. Amazon, too, offers a Product Advertising API so that developers can create programs to advertise products and monetize websites. APIs exist to serve a vast range of needs, and new interfaces and uses are being created every day. In fact, one source that claims to be the largest API directory offers a searchable list of more than 20,000 APIs!

When it comes to answering the question of what is an API, we see a lot of analogies. APIs are like a gate, in which some information and data is intentionally released but other information is kept secure. Or, you could consider an API as providing all the necessary building blocks for programmers and developers who put the blocks together to create the programs that we all use, every day. You can also think of an API as an agreement or a contract between different datasets, software, and applications.

One helpful framework for thinking about APIs is to break the technology down into its parts: Application, Programming, and Interface. Upwork provides a helpful analogy of withdrawing cash from an ATM, which we’ve summarized here.

  • Application: The application is the machine that produces the solution or result, funneling requests to and from databases. In this example, the application is the ATM. To dispense your cash, the ATM, or application, must communicate with both you and the bank.

  • Programming: The programming component is what translates input into output; it’s the engineered part of the application, and it’s typically built by programmers. In this analogy, it’s the programming that allows the ATM to contact the bank, confirm your funds, and dispense your cash, all behind the scenes and in near real time.

  • Interface: The interface is the actual software through which the input and output happen. With the ATM example, the interface is the components of the ATM, like the screen, keypad, and cash dispenser.

What are the benefits of an API for my organization?

APIs are an emerging technology that is increasingly powerful, versatile, and ubiquitous across all industries, including financial services, healthcare, retail, and professional services like legal firms.

Internally, at your organization, APIs can drive efficiencies between your people, your data, and your practice management tools. Externally, they can help boost your business, sales, and improve customer or client experience. For example, many legal firms have invested in Clio, an open API law practice management software that connects multiple apps, information, and functions (like accounting, document storage and signing, and timekeeping) so that more can be done from a single dashboard.

How does an API increase risk to my organization?

Today, cybercriminals are continually developing new tactics to compromise data at firms of all sizes. As a business owner or manager, you know that it’s more important than ever to find ways to mitigate threats against your data, systems, and operations. Nefarious actors know this too. As you invest in measures to better protect your information security (which is a very good thing), cybercriminals will look for new ways to get in. Unfortunately, one of the next points of entry and target for attackers may be APIs.

APIs are typically considered public or private: some companies publicly release their APIs in the hope that developers will use and build upon them; private APIs are often developed and used internally within a company, to bring multiple systems and software together into a more efficient experience for you and your staff. Proper security is critical for both public and private APIs.

APIs present a risk for many reasons, including increased visibility, shared responsibility, and simply more opportunities:

  • By design, the build and implementation of APIs is clear and well documented for programmers and other technical experts. This same documentation can provide nefarious actors with clues about internal databases and other objects.

  • APIs present a more accessible “roadmap” to the application that hackers can exploit. Typically, outside of APIs, this information is hidden under other layers of other applications.

  • A further complication is that the security of APIs also rests on the actual developers who create them. While good programmers understand the risk factors and will incorporate this knowledge in their design, mistakes do happen.

  • More APIs means more points of entry into your organization and operations. This means a greater “attack surface”, or more “vectors”, for hackers to manipulate.

Here’s a real-world example from café chain Panera Bread. In 2017, Panera left an unauthenticated API endpoint exposed on the company’s website. The information of more than 37 million customers (including username, email, phone number, birthday, and last four digits of their credit card) was leaked over the course of eight months.

Attacks like this reinforce the need to strike a critical balance between minimizing the risk of APIs while leveraging their myriad benefits. Complicating the matter is that APIs must remain intentionally functional and agile for both programmers and users.

Are APIs worth the risk?

So, let’s circle back to the question we posed as the title of this article: are APIs worth the risk? After all, they seem to be getting more robust and powerful every day; shouldn’t they also be getting safer? For example, the Google Maps API we mentioned above has gone well beyond directions from point A to point B. The platform now offers a “Places” feature that provides global, real-time location information. Businesses like yours can use Google’s comprehensive datasets to help customers not only find you but also to attract reviews of your service, and to do so in a flexible and scalable way as you grow.

We believe that APIs are absolutely worth the risk, but only with the proper security or support in place to mitigate risk and reduce potential damages to the integrity of your firm’s data and operations.

There are three main security measures to consider with APIs: identification, authentication, and authorization. This is where a high-quality, people-first managed IT services firm (like us!) can help. Especially if your firm is new to creating or leveraging APIs, the best time to work with experts is now, to establish an early and consistent approach to these three measures of security.
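To make the three measures concrete, and to show what the Panera-style failure above looks like in code, here is an added example that is not from this article, from N8 Solutions, or from any real company’s API. It is a constructed, in-memory handler for a `/customers/{id}` endpoint: the `vulnerable_handler` hands out any customer record to anyone who asks for an id (no identification, authentication, or authorization), while `hardened_handler` performs all three steps before returning data. The customer records, API tokens, and URL path are all made up for the illustration.

```python
"""Constructed illustration of the three API controls named in the text:
identification (who is the caller claiming to be?), authentication (can the
caller prove it?) and authorization (is this caller allowed to read this
record?). All data, tokens and paths here are invented for the example."""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed sample data: customer records keyed by customer id.
CUSTOMERS = {
    1001: {"username": "alice", "email": "alice@example.com", "phone": "555-0100"},
    1002: {"username": "bob", "email": "bob@example.com", "phone": "555-0101"},
}


def _token_hash(token: str) -> str:
    """Hash a bearer token; only hashes are stored so a leaked table is not reusable."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed credential store: SHA-256(token) -> customer id that owns the token.
TOKEN_HASHES = {
    _token_hash("alice-secret-token"): 1001,
    _token_hash("bob-secret-token"): 1002,
}

PATH_PATTERN = re.compile(r"/customers/(\d+)")


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: path plus a dict of headers."""
    path: str
    headers: dict = field(default_factory=dict)


def vulnerable_handler(req: Request):
    """'Before' version: any caller who knows or guesses a customer id gets the
    record. No identification, authentication or authorization happens."""
    m = PATH_PATTERN.fullmatch(req.path)
    record = CUSTOMERS.get(int(m.group(1))) if m else None
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def identify(req: Request):
    """Identification: pull the caller's claimed credential from the
    Authorization header. Returns None if no usable credential is present."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return token


def authenticate(token: str):
    """Authentication: verify the presented token against the stored hashes.
    compare_digest keeps the comparison constant-time. Returns the customer id
    the token belongs to, or None."""
    presented = _token_hash(token)
    for stored_hash, customer_id in TOKEN_HASHES.items():
        if hmac.compare_digest(presented, stored_hash):
            return customer_id
    return None


def authorize(caller_id: int, requested_id: int) -> bool:
    """Authorization: a customer may read only their own record."""
    return caller_id == requested_id


def hardened_handler(req: Request):
    """'After' version: validate the path, then identify, authenticate and
    authorize before any record is returned."""
    m = PATH_PATTERN.fullmatch(req.path)
    if not m:
        return 404, {"error": "not found"}
    token = identify(req)
    if token is None:
        return 401, {"error": "authentication required"}
    caller_id = authenticate(token)
    if caller_id is None:
        return 401, {"error": "invalid credentials"}
    requested_id = int(m.group(1))
    if not authorize(caller_id, requested_id):
        # 404 rather than 403 so the endpoint does not confirm which ids exist.
        return 404, {"error": "not found"}
    record = CUSTOMERS.get(requested_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    print(vulnerable_handler(Request("/customers/1002")))
    print(hardened_handler(Request("/customers/1002")))
    print(hardened_handler(Request("/customers/1001",
                                   {"Authorization": "Bearer alice-secret-token"})))
```

The design point is that the three checks are separate functions called in a fixed order, so a reviewer can confirm each one is present on every data-returning path. The authorization step is the one most often forgotten: a service can authenticate every caller perfectly and still leak every record if it never asks whether this caller may see this particular id.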

While there are tools like API managers that can help reduce some of the risks, these are not foolproof either. A managed services firm with deep API and cybersecurity experience can help you validate incoming data, set up processes for authentication and authorization, offer runtime security monitoring and vulnerability detection, and conduct security scans to identify code flaws.

While APIs present increased risk for businesses, the benefits outweigh the risks. The important thing is to take appropriate measures to build, implement, and use APIs in a safe yet scalable way, often by working with a trusted service provider to assess risk and proactively thwart attacks.

Please reach out to our team at N8 Solutions today to hear more about how we can help you harness all that APIs have to offer, today and well into the future.