Analyst Chat #90: API Management and Security

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm lead advisor and senior analyst with KuppingerCole analysts. My guest today is Alexei Balaganski. He's a lead analyst in the area of cybersecurity. Hi Alex. Good to see you.

Hello, Matthias. Thanks for having me again. Great to have you, and we have a very good reason for you joining me today because you've just recently finished the work on a Leadership Compass and this is just being published. So it will be available once this episode is published. So it's really fresh, hot from the press. This is about API management and API security. I find that I understand that this is the third revision of this document, so we can also have a look at the evolution of this market.

What were the first interesting points that you would like to point out when you want to talk about this leadership compass? What has changed?

Well, I guess first I have to explain, or if you work, like why do we actually have to smash these two supposedly different topics together in one report? It all started back in 2015. I believe when we first attempted to actually make a leadership compass specifically on API security, unfortunately back then, there was literally no single answer from any vendor mobily back then, just to kind of position themselves as an API security vendor. But no one was talking about API management that was like the hottest topic, our own, because everyone wanted to publish their API APIs.

This whole boom of the API economy was growing. So yeah, API management was the thing, the guy security was not. So we had to make a difficult decision and try to watch this whole market from the customer's perspective and explain, yes, API security is already important. It will be more important than the future, but I guess not many people still have a feeling that they need API security separately. So we did a general overview. The next one was in 2019 and I believe we already had like five companies calling themselves API security vendors.

Now in the latest revision, which we just published about a week ago, we have 20 companies in total and basically everyone says, yes, we absolutely do IPA security. Even if it's probably not. The only thing we do absolutely have lots of IP security features. The market is definitely evolving towards the general kind of the general public understanding API security is a must have you cannot expose your company's most sensitive data or most critical interfaces without securing them properly.

And making sure that they are compliant with stuff like GDPR, a PSD two for open banking or PCI DFS for financial companies and so on and so forth. So yeah, API management and security, or the two sides of the single coin nowadays. And I believe we can no longer speak about those two as two separate topics, Right?

So if we dig a bit deeper into these, into these two aspects of managing the API APIs and making them available in a secure manner and securing them, what are the typical functionalities that you would associate with a, with such a product that is in this leadership compass when it's about management and security of API APIs?

Well, I mean, first of all, I guess, just to recap quickly, the API in, in the essence of just an application programming interface, basically it technology to expose your software's functionality or data in a standardized manner so that other vendors other customers can reach out and call your program and maybe send you some data and receive some data in exchange. Obviously nowadays it's still just about like helping developers program something quicker.

It's really good of making sure that two different companies, two different digital businesses can exchange their data or even sell their data as a product or consume something from a third party. Like whenever you want to know, or like the, by the forecast, you probably reach out to a standalone company like the weather channel, and now where want to publish something on Facebook or Twitter, your client from on a mobile phone reaches out to the Twitter's API.

For example, when you buy something from Amazon, your request probably go through a dozen of different APIs from different partners and third party vendors and contractors. So basically API APIs are the glue that holds the modern digital logistics together. And you have to make sure that your API works all the time. It's kind of be Hecht that your sensitive data cannot be leaked, that you stay compliant. So basically keeping your API working as it's supposed to work is mission critical. So an API nowadays is just an important power and phone lines women 50 years ago.

So of course you cannot separate API management and API security anymore because both belong cause all this basic probability to make sure that your digital business is operating. You've mentioned that there are now more than 20 vendors in that leadership compass. So does that also reflect the evolution really on the market? Is this really an accelerating area of it? Is this something that reflects the, the, the actual reality and how does this integrate with overall security infrastructures? Because this is actually just, you could think of it as a silo, just the API.

So how does this integrate into an overall security infrastructure? Well, that's a really interesting point you're making now and I would have to kind of address it from two different perspectives. So first of all, we were talking about API quote, unquote management in the traditional sense.

Originally, it was all about taking your existing API, exposing it to the world and making sure that you can basically count how many times it was called that, that you could monetize it and stuff like that, that things still remains important, but I believe it just became an absolute commodity, basically API management in that traditional sense you can get for free. It could be an open source product. It could be a basic service from a cloud service provider like led kind of API management doesn't make any sense nowadays. And our value added product.

It has to be able to do more and some companies see it, or API management as a kind of an integral part of a bigger picture of what they call enterprise integration platforms. So in that regard, API APIs just become one of the channels that data can flow into your company. That ought to be for example, streaming data from an IOT device or some business data you receive from any different channel from your partners. It's just one of those channels. And then of course it becomes integrated into a bigger, a much more sophisticated and flexible and open data exchange platform.

On the other hand, we have this interesting developments in the area of application development methodology. You have containers, you have microservices have this cloud native, highly distributed and loosely coupled architectures, and they all have to operate through API APIs better scale, which was absolutely impossible, like five years ago, a typical modern cloud native application that have thousands of API APIs, which you have to quote unquote manage somehow.

So basically the API management in area growth with technologies like service measures, fine-grained centralized, policy-based excess management, different kind of privacy enhancing and security enhancement technologies, encryption, key management. It all belongs to, I would not call it a cybersecurity because it belongs to the foundations of making your API available. And then we have a totally different story of API security.

Again, five years ago, nobody would call themselves an API security vendor a couple of years ago. Have you already had them pretty developed and booming market for specialized security solutions, which would cover such really diverse areas like for example, security monitoring, basically making sure that some kind of machine learning engine observed your API traffic flow identifies anomalies and basically tells you when something looks suspicious.

On the other hand, you're talking about proactive API huddling, basically analyzing that API definition, commerce, all the allow it limits for every piece of data and to make sure that a hacker cannot abuse your API. But for example, sending too much data or an unpredictable data part on which disrupts your business logic and stuff like that. And then of course you would have protection from distributed denial of service attacks and SQL injection. So quote unquote, traditional web security threats. So API security is getting complicated and complex and more and more sophisticated.

But on the other hand, it's getting more and more embedded into APA management. So Emery API management platform nowadays have some basic security capabilities, even though they might be not yet sufficient to cover everything.

This is why, as I mentioned of those 20 vendors, I would say like less than half of those traditional API management vendors and much more specialized and pretty sophisticated security vendors, I got the point and you've mentioned the, the escalating speed that, that applications are developed and how they grow and how API APIs are getting to the core of these applications.

And if applications change over time, if we talk about software defined networks and software-defined infrastructure, I think it's also a real challenge now to judge just find the API APIs to manage, to, to discover them, to include them into such a system.

We all know that that developers and the business is looking for solutions, not necessarily for how do these modern solutions support these, these new ways of designing applications and systems by protecting these API APIs, maybe automated is the other such mechanisms you've mentioned machine learning is there is that detection, the discovery of API APIs to make sure nothing gets missed.

That's actually a great point you just made because this is something which I, as kind of an analyst focusing on this field, it's still struggling to explain even to some of those vendors in the market that not all API APIs are equal. Some API APIs arc are created by the business themselves, which in their crown jewels, if you will, to explore the sensitive and extremely valuable data. And there are also different types of other types of API APIs.

For example, if you run a Kubernetes cluster, or if you using a cloud service, you have those management APIs exposed, which could be used to disrupt your basic availability of your applications. You also have a lot of third party APIs. For example, if you have a mobile phone and you want to access some third party application, again, B to B or slack or JIRA or any other business application you're using, it also has an API which also can be exploited by hackers and everything. Now have an API. Your printer probably has one.

I don't know if you remember, but there was a big story a couple of years ago with one casino was Hecht through an API in a pump use to IRA. A fish tank sounds crazy, but this is a legitimate and very real potential attack vectors. So ideally again, a security solution has to cover all of those APIs.

On the other hand, if you focus on all of those APIs, kind of in the same manner without being able to, or doesn't by risk and potential impact, you would end up with the same situation we had with SIEM solutions a decade ago, when you have a security tool that generates thousands of alerts daily, and you simply have no time to investigate or react to them. So we're kind of APS security vendors. They have to find this balance between being able to detect everything and only focusing on things that matter.

And the problem with not only customers themselves can identify what might've to them based on their business risks. So you did this analysis, this assessment of the current status of the market. So as it is eight leadership compass, I assume there are leaders. So there are solutions that can actually solve the problem that you just described. If we just name a few of the vendors that you had to look at.

So on the one hand, the security vendors, on the other hand, the traditional API management, API security vendors, who are the ones that one should look at, who are the ones that are in the upper right corner when we look at the leadership compass, right? So while our, as you probably know, I want to lose your compass, kind of make a distinction between the overall leaders, basically the products or companies, kind of which the best, what is the best balance of everything. And of course, specialized writings on various aspects of pain management or security in this regard.

So if our viewers or listeners are interested in all those nitty gritty in details, they probably should read the actual report, but among the overall leaders, actually, I'm happy to say that we have a very healthy mix of API management companies, the larger ones, like for example, Google Apogee, or Broadcom layer seven and trite Heights, for example, as well as a smaller, but really innovative and specialized pay security companies like social security, for example, which focuses on real time detection of unknown threats based on machine learning or a company called 42 crunch, which focuses on the other end, making sure that your API APIs are proactively hardened and secure, even before you actually write code for them.

Basically you start shifting left all the way and to make sure that your API is kind of created secure by design. So I would say that lot of non, or those companies big or small deliver you with a full management and protection in one package, but that's, that was never the goal of this report. It helps you identify again, a healthy mix or of capabilities you actually need for your company, and then identify which one does provide those capabilities. And of course, all of those companies, they offer technical integrations, business partnerships, large partner networks.

So if you're looking for a managed solution out of the box, you could probably find one as well. And when all those components tightly fit together, then you can get a kind of a robust, flexible, extensible and secure API management infrastructure.

And again, for all the details I recommend looking into the, and I believe in the end of September or early October, we are planning a webinar where I would present all the detailed results of the report as well. So anyone can join and ask questions and have a look at our graphs and charts. Great.

That's a, that's a good hint to have a look at also this webinar. And it needs to be clearly understood that the leadership compass is not just recommending a set of product. It's a tool that the reader can use to identify the, to understand the market, to under, to identify the candidates for potential solutions, but also to apply your own requirements, your own, a specific situation within an organization where the right solution fits in. It does not say that which is in the upper right corner is the perfect product for you or the perfect solution for your organization.

But this is a general approach. And you always need to, to, to individualize the results of such, such a leadership compass to get to the real, through the right solution that suits you and your requirements. I think that it's really important to understand it's, it's not that easy, unfortunately.

And, and of course, we often assist our advisory customers in finding the right solution for them based on the groundwork that you do, for example, in the CA in the area of API security and management, but to get to the, to the right solution from a commercial, from a technical, from a requirements perspective, this is really important to do this in a separate exercise. Exactly. And this is why we, we don't just offer you a single chart showing like, yeah, the one on the right is great. The one on the left of bed, no, not at all.

We also offer your various combinations of like market and innovation and product leadership capabilities as separate graphs. And of course, each company gets weighted or functional rating against at least eight different functional areas. So you would see something like a spider chart, which will show you whether one company, for example, is focusing on excess management while the other is putting all the R and D into machine learning and security analytics, or the other one might be focusing on, I don't know, proactive hardening.

And of course the ideal company would have high ratings on all of those HRS, but in reality, that doesn't happen that often. So you have to kind of apply your own logic and understand that.

Yes, for example, if you're only focusing on open banking, you would probably have totally different requirements than that casino with a fish tank. Exactly. And you've mentioned the webinar, the leadership compass is out already has been published. That will be the EIC event in September in Munich, where you can get in touch with us in person, or if you just need to have specific questions around that topic, please get in touch via any channel that is on our website, where you can reach out to us, including mail or Twitter or whatever.

And I think from my perspective, it's great to see Alex say that you are really exercising this, this, this in-depth market research between the traditional large vendors and also identifying the, the, the new ones, the new entries, which are always a bit steering up the market as well. So that's great to see that this is also evolving here. Any final words that you would like to say around that topic of the leadership compass, something that struck you when, when doing that research?

Well, what struck me the most after all these years, the market is still evolving rapidly. And in some areas even unexpectedly, you've seen a few really interesting acquisitions, and this is not someone that's actually tried to consolidate all those disparate capabilities in a single more useful platform, which is great. On the other hand, we observed them that the whole kind of scope of API management and security totally, it's totally changing now because we have this new API types.

We have new environments, or there are still a lot of things to learn and to watch in the future, API security will change dramatically over the next few years. So this is definitely not our last leadership compounders area or watch this space.

Great, great summary. Thank you very much, Alex, for joining me today for giving a first glance on the actual, on the current leadership compass, API security and management, and thank you for being my guest today. Thank you. Bye-bye.