
Internal Considerations

Topics to reflect on internally when considering a new product or solution.

Top Prerequisites – Technical

Your organization should have the appropriate foundation in place to support a full-featured API management and security architecture. Even though modern cloud-native API management platforms leave very little to deploy and configure, the following points should at least be considered before starting an API management or security project.

CI/CD integration

Manual management of API infrastructure is not a sensible option for any sufficiently large project. Existing developer toolchains and continuous integration/continuous delivery platforms that can be integrated with API management are crucial for automating both API infrastructure management and incident response.

Network architecture

The technical feasibility and effort of deploying API gateways at various points of the existing network infrastructure must be evaluated. The same applies to security solutions, which can operate in-line, on a passive SPAN or TAP port, or completely out of band.

Cloud deployments

Deploying API gateways in the cloud is the easiest and most cost-effective option, but its feasibility and its compliance with security policies and regulations must be carefully evaluated.

Big picture of cybersecurity

API security capabilities of the platform must complement and interoperate with existing cybersecurity tools, as well as corporate identity and access policies and governance tools. Integration into an existing SOC or SIEM platform is the very minimum expected from a sensible architecture.

Defined roadmap of deployment

Architects must create a plan and schedule for deployments. Depending on the size of the organization in question, a phased approach may work best.

Monitoring & Evaluation

Adequate metrics must be defined for measuring the effectiveness of the project. Baselines for, for example, latency, throughput and false positive rates should be established up front and measured throughout the project lifecycle.


Top Prerequisites – Organizational

A successful API security vendor selection depends not only on the technology selected. There are also various organizational prerequisites that are important to consider. The following are the most important ones.

Defined responsibilities across stakeholders

Managing the full API lifecycle consistently requires tight collaboration between developers, operations teams, security teams and, last but not least, business stakeholders that focus on deriving monetary value from APIs.

Project ownership

Lack of centralized ownership of APIs and their underlying infrastructures across different business units and IT environments is the biggest obstacle for having complete visibility and uniform security policies for all APIs.

Infrastructure ownership

If an on-premises solution is chosen, system owners must be identified. In the case of SaaS, the system ownership role is reduced, but a small team of cloud administrators is generally assembled to manage it.

Business case

A valid business case for the project is a major prerequisite that defines which core capabilities are required from the API management platform and which API risks must be dealt with first.

Budget, costs and sustained investment

Although API management and security solutions arguably have lower upfront cost requirements than many other security tools, having a strategically allocated budget helps with project roadmap planning and ensures that the investment can be sustained beyond the initial deployment.

Risk rating of systems (and information)

Understand the risks to systems and, better, information assets. Base security policies on risks and appropriate mitigation techniques.

Guidelines and policies

Ensure that guidelines for information security in general and API security are defined and mapped to policies.

Developer awareness of security best practices

The effectiveness of any API security solution critically depends on making it part of every phase of the API lifecycle, especially the early stages. "Shifting left" and making security an integral part of API design requires awareness and collaboration from developers.

Defined Processes

Processes must be defined to assure that appropriate responsibility is assigned. Who administers the solution? Who guides the internal roadmap? Collaboration between traditionally disparate teams requires these processes to be carefully designed and consistently implemented, with supporting tools if necessary.

We sometimes see situations where organizations struggle not because of technical weaknesses or underperforming products, but because of a lack of organizational maturity.