Webinar Recording

API Management and Security: Don’t Trade Protection for Convenience



Once a purely technical concept created to make developers’ lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. As companies are struggling to maintain their business agility, to react to the ever-changing market demands and technology landscapes, the need to deliver a new application or service to customers as quickly as possible often trumps all other considerations.

Often, security becomes an afterthought at best or, even worse, it is seen as a nuisance and an obstacle on the road to success. While the success of an API is measured by its adoption, security mechanisms are seen as friction that limits this adoption. There are also several common misconceptions around the very notion of API security. In the latest Leadership Compass API Management and Security, KuppingerCole not only places strong emphasis on API security but expands the coverage to incorporate every step of the API lifecycle.

Watch this KuppingerCole webinar recording and learn:

  • Why the API Economy is one of the most important current IT trends.
  • How to ensure consistent management, governance and security of corporate APIs.
  • About the current market trends for API management and security solutions.
  • Why there is no “one stop shop” for API security yet.

All right, ladies and gentlemen. Good afternoon, good morning, good evening, depending on where you are connecting from. Welcome to the first KuppingerCole webinar of the year 2020. My name is Alexei Balaganski. I am the Lead Analyst at KuppingerCole, and today I am actually not joined by anyone. It will just be me giving you the overview of the latest developments in the API management and security market. And our tagline for today is to not trade protection for convenience. But before I begin, just a few words about KuppingerCole as a company. So we are an analyst house headquartered in Europe, with a global reach that's represented by a team all the way from the West Coast US to the UK and Germany, of course, all the way down to Australia and Singapore. We publish a broad range of security, sorry, of research papers on topics such as cybersecurity, identity and access management and artificial intelligence. We of course offer various events. Some are free online webinars like this one, and we also have quite a few large real-world conferences. And I will talk about them in a minute.
Recently, we have also started a new online content and research platform, which we call KC PLUS, where you can find all our research archive, all our recent and past publications available for you to browse and search and access from anywhere with one easy payment. So please have a look. So here are some of the major events we are planning for this year. Of course, starting with our flagship conference, EIC, the European Identity & Cloud Conference, which will again, for the 14th year already, take place in Munich, Germany in May. And we will have, or if you are more modern and interesting events in various research areas we cover. Cast tech will obviously be about customer management and consumer identity, identity management, and knowing your customer and all the stuff about this topic. Cybersecurity summit will be our fourth one, I believe, this fall in Berlin. And finally, I am the most excited about new cybernetics world, which will be our first event blending multiple physical locations with the virtual world.
Looking forward to it, definitely looking forward to seeing some of you there. And as always, you can find more information at our website, kuppingercole.com. Some housekeeping rules: you are all muted centrally, so you don't have to worry about your microphones. We are making a recording of this presentation, to be published on our website along with the slides, and every attendee, even those who could not actually be with us live, will get an email with a link for accessing those materials. We will have a Q&A session by the end of the webinar as usual. And you can submit your questions anytime using the appropriate tool, the Questions box on the GoToWebinar control panel.
And I guess without further ado, let's just start our today's topic. Some of you who have attended our earlier webinars may have seen this slide before: everything is connected. Everything, the whole world is experiencing this digital transformation, and among other exciting developments, such as cloud and IoT and AI and other hot topics, APIs are unfortunately not mentioned as often, although APIs are undoubtedly the backbone of this digital transformation. In the world where data, the digital data, is for many companies the product, the bread and butter of their business, APIs provide the necessary logistics to deliver this data to consumers, to exchange it securely and reliably, and of course to allow businesses to monetize the data in a consistent and automated and easy way. That's the whole point of APIs. And you probably know that APIs have started long ago. The idea that applications or machines or different parts of code should exchange data in a standardized way dates back to the 1960s.
And the first APIs probably came along with the first networks, and with the growth of the internet and the enterprise networks we have seen development of really interesting standards like SOAP and XML-RPC. But only when the cloud came and only when the whole digital transformation actually gained momentum have we seen almost de facto broad adoption of REST APIs. Why? Because they are easy to implement. They do not require any preliminary design or description like the previous standards like SOAP have demanded. They are extremely lightweight. They are extremely well translatable to existing data structures. So REST APIs it is, and REST APIs have really exploded in the latest decade. Now they are powering all those businesses exchanging data between them and with us, the consumers. Unfortunately, kind of the best selling point of REST APIs, the simplicity, was also their darkest and deepest problem, because APIs were never designed to be secure. Security was never an aspect, neither in the REST protocol nor in the first API management platforms, which appeared ago. And it took us really till the year 2019, or the last year, where people actually started to talk about API security in earnest because of the huge number of data breaches and widely publicized cyber attacks on companies small and large: Facebook, US Postal Service, Instagram, and dozens and hundreds and thousands of smaller companies. So API security is finally something which everyone should be thinking about.
And this is why in this webinar I am going to be talking about the findings of our recent Leadership Compass on API Management and Security. But before that, I would like to address one very popular question, if you will, or just the statement that APIs are not important because an API is just kind of a variation of HTTP. So if you already have a web security solution, like a web application firewall or anything like that in place, then you already have your APIs covered. Well, unfortunately, I mean, KuppingerCole itself doesn't have any capabilities to actually measure how big the API traffic is among the whole traffic of the whole internet. What we have is the next best thing: we have the report published by Akamai, one of the largest content delivery networks in the world, last year. And it's gonna show that API traffic nowadays actually accounts for the vast majority of all traffic over the internet.
So late 2018, early 2019, it was 83% of all traffic, and HTML, so the human-readable webpages traffic, went down to only 17%. And you can also see that JSON, the data format which powers the modern APIs, is now the single most popular content type on the internet. It's already surpassed all the JPEGs and GIFs, so all those cat photos and memes of the internet. And even though they'll probably never surpass the video traffic, even companies like Netflix, and YouTube of course, actually heavily rely on APIs to deliver their video data to customers as well. So APIs are kind of too big and important to ignore.
The first time KuppingerCole actually started to analyze and publish something on the API security market was back in 2015. So five years ago, that was the time where we published the first edition of our Leadership Compass on API Management and Security. And it's really interesting to compare the market back then with what we have observed with our most recent edition, which came out last December. First and foremost, APIs in general are a thing. APIs are a thing. So API management is quickly becoming a commodity. It's no longer something which has to be specifically developed for solving a particular problem of publishing and monetizing a new API. Everything now comes with an API gateway. Every cloud service provider has one. You can have an open source API gateway up and running in minutes for no cost at all.
So kind of enterprise-grade API management solutions have to grow. They have to expand their focus to address this challenge, and API management is quickly becoming just a part, if probably the most important part, of business-oriented integration platforms, which cover all potential vectors for businesses kind of integrating their data, integrating their business and IT processes to work seamlessly across the company borders. There have been a lot of new developments with regards to application design and development. So new architectures like microservices, serverless offerings from cloud service providers, hybrid clouds, multi-cloud: all these new developments do not really fit well with the traditional API gateways. So there had to be some new types of API management and security platforms to be designed, to explain to those. And of course, from the developer's point of view, methodologies and best practices and frameworks have appeared which prescribe how to do this, how to do this development properly, or look up S if you are interested or in details modules about that.
Of course, we are talking about huge new compliance challenges and security challenges. I already mentioned that APIs are a major attack vector, and of course of huge data breaches, which affect hundreds of millions of data sets, meaning hundreds of millions of real people with their personal sensitive information. And of course this information is now even more heavily guarded by regulations like GDPR or CCPA, well, in Europe and now in America. Kind of protecting your APIs insufficiently will become even costly for businesses, if only for compliance fines. And of course the whole market has changed, with companies being purchased or just growing, merging, disappearing. I will address that in the later part of my presentation today. And finally, API security is officially a thing. Again, as I mentioned earlier, for years there have been many discussions, like why should we care about API security?
If you already have web security best practices curated by the very popular nonprofit organization OWASP, the Open Web Application Security, whatever the P stands for. Sorry, I don't remember. But anyway, just a few weeks ago, in late December 2019, OWASP finally published their own guide for API security top 10 problems. And I will address some in this presentation as well. So yeah, API security is now officially a thing, which is something which every company has to incorporate into the security strategy. If you will, APIs in 2020 are no longer just technical interfaces. APIs are for many companies the major channel of exchanging data with customers, with other businesses, and even selling the data for profit or consuming the data in exchange for money. So API is no longer a technical term. It's a business thing. It's a process which has its own lifecycle. APIs are designed, developed, tested, deployed, operated, maintained, patched, upgraded. So this process is a continuous process, which is constantly influenced by new business requirements, new technologies, and of course new threats. So this is why everyone is now talking about API lifecycle as the foundation of every API management and security strategy. The API gateway, the traditional thing which you used to probably buy or deploy a few years ago, is no longer the only thing necessary for API lifecycle management. And again, we will be talking about this later.
More importantly, I would like to emphasize that API security is not as easy as REST APIs themselves are. Again, while there are no prescriptive API security measures defined as a part of the REST paradigm, you still have to somehow take control of all the potential attack vectors I've just listed on the slide. Without going deeper into every one, as you can see, kind of securing your API is a huge deal. It's a huge problem which covers multiple different services. Some are dealing with identity. Some are dealing with infrastructure and underlying network security. Some are dealing with data integrity, and of course, everything has to be constantly monitored and analyzed and ideally also reacted to or mitigated in real time. So API security is complicated. And again, just recently the OWASP Foundation has published the API Security Top 10, and since OWASP is a pretty big deal for web applications.
And for people tasked with securing applications, for me, kind of this new API Security Top 10 is like finally the de facto official recognition that yes, API security is just as important, if not even more important, than web application security. And here on this slide, I've just listed those top 10 most common security challenges which APIs may be exposed to. And you can see the ones numbered one to five are all more or less related to identity and access management. One of the biggest problems you can have with your API is not having it authenticated and authorized properly. And if you are not validating every API transaction up to the strictest and fine-grained security and access policy, you will end up leaking too much data. And if this data is sensitive, you end up having a data breach and a GDPR fine or CCPA fine, or whatever. Of course, it's not just a huge financial loss, it's reputational damage.
And it may just bring your business to a halt, because, you know, just have a look at those widely publicized data breaches over the last year. API6 to API10 are a little bit different. And again, I would like to stress the word different. They are all related to various aspects of your API. So mass assignment is obviously kind of a problem related directly to API design, where the developers are not thinking about decoupling the actual backend logic from the model exposed to the internet. This may end up affecting too much data with a simple API call or just kind of breaking the integrity of your backend data, if you will, which is probably not something which a firewall can fix for you. But again, this is a problem, and there are tools already available for helping your developers to address this. Security misconfigurations are most common with the underlying infrastructure, be it an on-prem gateway or the cloud service. And again, there are tools available specifically to address these problems. Injections.
These are API data, API payload manipulations, which can break your existing business logic. This is probably something which a WAF can still help you with. Improper assets management is basically being blind about your existing APIs, not even knowing that they exist. And of course you cannot protect what you do not even know exists. And insufficient logging and monitoring is basically not having all the necessary security data collected for later, if something bad has already happened and you are tasked with forensic analysis and have absolutely no evidence to show to anyone, to the auditor, to police or court. And of course, ideally you have to do this in real time and be able to detect those problems in advance, before they actually turn into data breaches. So here, as I mentioned, API Security Top 10 is finally almost an official thing. So I am glad to say that late 2019 is the year of API security.
Finally, like 60 or 70 years after APIs have appeared, we finally have officially recognized that API security has to be implemented. And let's just kind of jump directly to the Leadership Compass. In case you do not know, Leadership Compass is what KuppingerCole publishes on a multitude of topics. These are a ENT or reports, which compare solutions in a specific market segment, in this particular case, obviously, API management and security, according to a various functional security market presence and many other criteria. And then just like other resources, we release our own list of vendors, which are the leading vendors, the champions. And we explain how each vendor actually fares according to our criteria in detail. And you can access all our past Leadership Compasses on that KC PLUS online platform. But then again, kind of the rest of today's webinar is showing you the findings of our latest Leadership Compass of API security on the slide.
We have just a quick summary of how we do this. So yeah, we look at the market segment and define the key criteria for vendor selection. We contact all the relevant vendors and invite them to talk to us, to see their solutions, to understand their strategic visions. And then we let them fill in an extensive questionnaire and gather additional information, see each product in action, talk to the people responsible for actually designing and marketing the specific product to the world. And finally, we grade them and we create Leadership Compass graphics and diagrams, run the fact check to make sure that nothing has been ignored or somehow overlooked. And then we publish them. And our API security Leadership Compass was published in December 2019. And here are the key product dimensions. We actually measure all the vendors, all the products. Security: it's a little bit tricky, kind of measuring security of a security tool.
But, if you will, kind of security of the product itself is just as important. So even if we are talking about a security tool like an API security product, it still has to be able to secure itself. It has to be tamper-proof. It has to provide role-based access controls, secure authentication, and so on. So that's the security evaluation. The functionality is probably the most important one: how we actually rate the feature completeness of each product. Does it actually offer all the necessary capabilities, and how well are those capabilities implemented? Integration is how well the solution is integrated across its individual parts, whether it's a set of the 20 tools or a fully integrated platform, does it have a unified UI, and so on. Interoperability means how well does it work together with third-party tools. How about does it integrate? Does it implement standards? And so on. Finally, usability means how easy is it to use, how efficient it is, and do you have to be an expert to operate it?
Hopefully not. In addition, we actually measure each vendor along to kind of more market-related criteria. So how well does the vendor fare on the market? How many customers can it reach, which industries are targeted? Does it have a global presence? How much money does it actually earn from this particular tool or maybe from other components of its portfolio? Is it a startup or is it a mature player with two decades, a longer presence on the market? Does it have an ecosystem, meaning like, does it have a partner network or integrators, service providers offering solutions on top of this platform? And finally, how well does it keep up with all the latest developments, technologies and customer requirements? How innovative each vendor is. And in the end we have four categories of leadership. We can declare a specific company a product leader.
If it has the highest ratings in the product-related capabilities. We declare it a market leader if it has the strongest market presence and ecosystem. Even a small startup which is only present on the market for a short time can still be declared an innovation leader, if what they offer is really something groundbreaking and really worth investing into in the long term. And finally, we have a combined excellence diagram, if you will, with overall leadership. And going back to the required core capabilities, these are the eight axes, or the functional axes, along which we have measured each API management and security solution in our report. API lifecycle management: as I mentioned, this is basically what people traditionally understand under API management. These are the tools, the capabilities to design your API, to publish it, to operate it in a consistent manner, to monetize it, to productize it, to basically operate it as a product, if you will. Deployment and integration is relevant according to fitting into the global ecosystem: how well does it support modern applications, microservices and hybrid clouds?
How well does it work with third-party tools? Developer portal and tools is a kind of related category: how well does it cater to the needs of the actual developers, people designing API structures, people writing the code or people consuming existing APIs you're publishing, and so on. Scalability and performance: obviously, kind of APIs are basically a part of critical infrastructure. So APIs should never break. And this is where we estimate how well a particular solution is designed to fulfill this requirement. And access control: obviously, how well the standards, protocols and policies are implemented to ensure that all the data, all the API methods are only accessed by legitimate consumers and not hackers, and so on. API vulnerability management: this is more like a proactive assessment of an existing or even an upcoming API, ideally even before an API is developed and published.
There are tools which can assess, for example, an OpenAPI definition file and see, yes, this API actually does fulfill all the necessary best practices in security and access control and input validation and so on. Real-time security intelligence relates to all this monitoring and visibility into APIs and infrastructure themselves, detection of anomalous activities, and ideally dealing with those activities as well. And integrity and threat protection is dealing with problems like denial of service, which somehow relates to scalability and performance as well, I guess, but more like kind of being resilient against malicious attacks on API endpoints. And these are the vendors which ended up in our final version of the Leadership Compass. Of course, these are by far not all the companies which we have identified as relevant previously. Some did not want to participate for any problems. Some have maybe, I think we had one or two, which were a little bit unhappy with our ratings, so they decided to withdraw. But still, in this list you can see that we have a really interesting mix of huge established companies like Broadcom or 3scale Red Hat by Google now and WSO2 with some really kind of small upcoming startups like 42Crunch or Salt Security, or like, for example, Tyk, which is an open source project for API management.
So it's a really interesting mix, which indicates that the API management and security market is far from being kind of established. So there are still a lot of interesting new developments going on. And although some companies have already disappeared, kind of merged into larger companies already, this process is still far from being over. And these are our overall leaders. As you can imagine, when you take everything into consideration, large established veteran players tend to be in the lead, and we ended up with a close tie between Broadcom, which is a huge American company, which is probably best known for producing semiconductor products, but they actually have a large software business unit as well. And they actually own the Layer7 trademark, the business, one of the pioneer players in this market. Apigee is basically now the business unit of Google Cloud. WSO2 is also a large and established open source based vendor from Sri Lanka, and Red Hat.
Well, they are huge established vendors as well. Forum Systems is probably the only one which isn't small, but to be five years ago, in our first release of the Leadership Compass, Forum Systems was the only company which was brave enough to call themselves an API security vendor. And this is where they're still working to deliver the broadest coverage of API security features in their products. Sensedia was a surprise find. It's actually a company based in Brazil. And apparently there they are the undoubted leader of the domestic API management market. And they offer a very capable and feature-complete API management platform, unfortunately kind of almost unknown outside of Brazil until, but they are working to fix that. I hope to see them more prominent in other markets as well. And the other companies, smaller companies, are among the challengers, meaning that even if they offer excellent functional capabilities, they're probably not yet big enough and mature enough to win the market share they deserve.
So we will definitely be following their progress in the future. And again, we have no followers, meaning that none of the companies, with that exception we are not going to be talking publicly about, none of the companies were actually bad enough not to fulfill our rigorous evaluation criteria. And again, this shows that the market is really, you know, the companies know what they do in this market. And a little bit more details. These are the product leaders. Again, this is where we rate the functional capabilities of each vendor without actually looking at their financial results. And you can see, this is where both companies large and small have the opportunity to shine. For example, although we do have all the large players here, companies like 42Crunch, which is actually one of the few startup vendors offering proactive API security, meaning that they will take your API definition, the OpenAPI or Swagger file, and run it through a number of proactive checks to see whether your API, which doesn't even exist yet.
It's only being designed at the moment, whether it fulfills all the best practices and all the latest requirements for a secure and resilient API. And of course their platform can be easily integrated into developer tools like VS Code, for example, meaning that it's always at the fingertips of every developer, promoting this whole idea of shifting left, of making security a part of the earliest phases of the API lifecycle management. The same applies to quite small companies like Salt Security. For example, they are offering a machine learning based kind of API security intelligence product, offering you the idea that you can just deploy a solution in the basic mode, just listening to your existing traffic, and without any training or integration period already start getting a comprehensive visibility into all the bad things going on with your APIs. Companies like Cloudentity, Curity. They are focusing on identity and access capabilities, which are obviously another core requirement for API security. And as I mentioned earlier, they could have considered the half of the OWASP API Security Top 10. So again, although not yet very big in the market share, they do hugely important and quite innovative developments in that area.
No, this is it basically about product leaders. You will, of course, find all the details and a detailed description of every participating vendor in the actual publication on our KC PLUS platform. Market leaders: I already mentioned, these are all the huge established vendors. With the exception of 42Crunch, which is just too young to actually measure their financial capabilities, the rest are the challengers, as I mentioned. So they have not yet reached massive market share, but they're working on it, and some are more successful, some are not yet. But again, with time, they have all the chances to become market leaders as well. And these are our innovation leaders. So again, they are graded not by kind of the current functional capabilities or the breadth of the functional capabilities, but by offering you kind of the breakthrough, the innovative stuff which probably no other vendors are yet able to offer.
And again, we have a really interesting, healthy mix of vendors here. And it will probably take too much time to mention every one's specialty. 42Crunch I mentioned, Salt Security as well. Apigee, again, although it's now a part of Google Cloud, so they have the long and well recognized history in this market and the market presence, they're still working hard on delivering really interesting capabilities with regards to flexibility, basically. I guess it's difficult to explain without showing you the solution in action, which you probably should just go and check at Google Cloud, especially as they have a free evaluation version available as well. Just basically everything is a building block. Every action is configurable, and you can have a huge flexibility in developing your own custom actions and then design your API policies from those actions as Lego building blocks.
And you have almost Lego-like flexibility in it. Red Hat 3scale and WSO2 are especially important in my point of view because they are fully open source. So even if you are on a tight budget, you don't have to spend a lot on implementing very capable and very broad range API management and security solutions. Some of the companies are a little bit struggling with that, figure out are because probably they are focusing on a smaller niche market. Like, for example, Nevatech is a really interesting vendor. If you are a Windows shop, if you are running applications and infrastructure based on Windows servers, then they are definitely probably the number one choice for your API security and management, but not everyone does, especially not in the cloud. So they are a little bit down. Imperva, of course, is a huge established vendor, but they are only tackling the API security market recently.
So they have a lot to deliver in that regard. Airlock by Ergon: Ergon is a small, I think, Swiss-based vendor. Again, they offer a really interesting, tightly integrated, identity-focused suite. And then again, probably they are not yet capable of kind of addressing a broad enough set of market challenges and industry-specific requirements to be considered an innovation leader. And Tyk, as I mentioned, is another open source API gateway and management solution. Definitely looking forward to see them grow, but well, this will come this time. And finally, as I mentioned, the Leadership Compass text will give you an opportunity to see the individual coverage of each product we have evaluated, along with the additional matrices where you can see and understand which vendors are overperforming or underperforming in the market, meaning which vendors are kind of ensuring their market share mostly because of kind of cross-selling with other products or not, which are actually working hard specifically in the API management and security field. The same applies to product innovation and innovation to market analysis.
Really interesting for you to design your long-term strategy without the risk of a particular vendor just going out of the market or losing its market position in the future. And finally, we actually rank each vendor, each product, along those two, sorry, along those eight functional areas. And on the right, you can see an example of such a spider chart. The fatter the graph is, the more coverage the product offers in those areas. Some unfortunately have only like two-pronged or three-pronged star shapes there, but again, if you are only looking for a specific set of capabilities, maybe those shapes will be more interesting for you for your evaluation. And these are the vendors which we have mentioned in the final chapter of the Leadership Compass. As we always do, those are vendors to watch. They have not participated in our rating, but we consider them to be important enough to mention anyway. Obviously all the major cloud service providers have their own API gateways and API management solutions, as well as a couple of companies like Akana or TIBCO or MuleSoft, which are again more like traditional API management platforms, large established players who could not participate in our rating, along with a bunch of specifically security-oriented startups, like CloudVector, iCal, defense, and Data Theorem, which are focusing more on security intelligence, meaning they will monitor your APIs.
And we will let you know if something's wrong, helping you to react to those threats as quickly as possible.
And this is it, basically, from the Leadership Compass point of view. My last slide is just some general recommendations. So yeah, although API security as an issue is growing in its kind of perceived importance, there is still a lot to do to spread the word, to raise awareness for all the stakeholders that more investment, more long-term strategy design is needed to implement consistent API security across all the environments in your company. You have to know what you are protecting, because if you do not know that you have an API, a third-party API or some legacy product which exposes an API, it might be that even your printer can expose an API to the internet and be a threat vector, easy enough for a hacker to exploit. We have seen some examples of that, with companies being exploited through things like aquarium pumps, printers, and webcams, and so on.
It also belongs to the scope of API security, if you will. Again, avoid a siloed approach. Think about integrating across all those environments and systems. Think about automation, because with such a huge level of complexity, you cannot expect to be able to deal with all those alerts in real time, even if you are able to collect all those alerts. I mean, even if you can recognize all the bad things happening within your API infrastructure, you just don't have time to react to each of those without some kind of automation, hopefully backed by AI or machine learning. And finally, the bottom line: there is still no one-stop-shop solution in sight for API security. As you can see, even the top 10 threats for APIs are so diverse in their underlying nature that you just don't have a tool which can address all those 10.
Even if someone is already claiming they can, those are still just tools; you have to somehow be able to juggle them or integrate them with other tools from third parties. So it's still far from maturity. Look for the requirements, for the capabilities you need the most, and think about integrating those capabilities with existing tools. And this is basically it. We still have some time left for questions. You can submit your questions using the questions tool in the GoToWebinar control panel. I will just stay online for a few minutes to give you the opportunity to type in your questions. And in the meantime, let me just remind you again that we do have some really interesting events upcoming this year. We really have a lot of services to offer to any potential customers, be it for end users looking to make their identity or security or even AI strategies more robust, or for vendors, helping them to understand how their portfolios align with the market demands. We have a multitude of research formats available on our KC PLUS online platform. And here is a list of some of those research documents already published. And we have our first question. What about integration with consumer identity management solutions? So using CIAM to issue OAuth tokens? Well, that's a really good question because, as I mentioned, integration is key here. If you go around shopping for an API security solution,
no one will probably suggest that you buy a CIAM solution, right? Maybe you even already have one in place, but it's not yet integrated to support API endpoints. Again, there are some vendors in the rating which are focusing specifically on the identity part, and there are some more mentioned in the Leadership Compass, in the related research. And then again, I'm afraid I won't give you any specific names at the moment. If you want some more kind of support, talk to us directly. Again, yeah, so integration is key here and ecosystem is key. Any further questions? With regards to identity, you should probably have a look at least at the companies called Cloudentity and Curity, and of course WSO2 is a well-known, well-established identity management vendor. So you do have some specific results. What about splitting up internal and external APIs? That was the next question. I'm not sure I understand the usership about splitting here, because my point would be that there is absolutely no difference between the level of protection you need for your internal and external APIs. And in fact, talking about APIs in such terms is probably a strategic mistake.
If you are running, for example, a business application on a Kubernetes cluster on an AWS cloud, obviously you have your own APIs of the application, but you also have the Kubernetes management APIs and you have AWS management APIs. Are those, too, internal or external? Do they somehow need less protection than your own internally developed business API? Probably not. If anything, those are well-established APIs with well-known vulnerabilities. So they will be a much more probable target for attackers than yours. Okay. Any further questions? And again, to add on that, almost every vendor who is dealing in this area of API security intelligence, be it one of those which we covered in the rating or the vendors to watch, and since I have this site open, I will probably mention Ping Identity and Data Theorem as well-known players in that regard, they will always tell you that every API is important and every API is unique and there is absolutely no way of grouping those APIs somehow by infrastructure or environment. The only viable measurement for you should be the business risk.
This is it.
Well, I will give you one last minute for submitting your question. And again, let me just quickly remind you that you will find a multitude of related research on our website, and a substantial part of that research is available absolutely free. You just have to create an account and apply for 30-day free access.
Definitely have a look at that top 10 API security criteria, because again, this is probably the first thing close to something which you can show to a seasoned security pro and he will take it seriously, because OWASP is, well, a very established and known and respected foundation for kind of spreading awareness about web security, and API security now as well. And since there are no further questions and we only have a few minutes left in our allocated time slot, let me just say thank you very much for being with me today in this KuppingerCole webinar on API security. Hope to see you soon in one of our further webinars or one of our events this year. Thank you very much and have a nice day.
