<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Contxt</title>
    <description>The latest articles on Forem by Contxt (@contxt).</description>
    <link>https://forem.com/contxt</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Forganization%2Fprofile_image%2F6717%2F4254f347-dbf7-44c7-bb76-448aba55f1bc.png</url>
      <title>Forem: Contxt</title>
      <link>https://forem.com/contxt</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/contxt"/>
    <language>en</language>
    <item>
      <title>The Role of API Standards in Data Privacy</title>
      <dc:creator>Sophie McKay</dc:creator>
      <pubDate>Wed, 13 Sep 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/the-role-of-api-standards-in-data-privacy-bbb</link>
      <guid>https://forem.com/contxt/the-role-of-api-standards-in-data-privacy-bbb</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the world of APIs, open standards compliance represents the pinnacle of maturity. But why are these standards so crucial, particularly when it comes to data privacy? In this blog post, we'll explore the indispensable role of API standards in data privacy.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why Open Standards Matter
&lt;/h3&gt;

&lt;p&gt;At first glance, open standards might seem like just another regulatory hurdle to clear. However, they serve a deeper purpose: fostering interoperability, encouraging innovation, and enhancing data privacy. By adhering to these standards, organizations can ensure their APIs communicate effectively with others, unlock new avenues for growth, and most importantly, uphold the highest levels of data protection.&lt;/p&gt;

&lt;h3&gt;
  
  
  Data Privacy Is a Primary Concern
&lt;/h3&gt;

&lt;p&gt;An executive from a global retailer reiterated the significance of data privacy, stating, "With APIs being such a fundamental part of our digital infrastructure, ensuring they adhere to privacy standards is crucial." APIs often handle sensitive data, making them attractive targets for cybercriminals. As such, it's vital that they conform to open standards, providing a secure foundation for data transmission.&lt;/p&gt;

&lt;h3&gt;
  
  
  Standards Compliance in Practice
&lt;/h3&gt;

&lt;p&gt;So, how do companies navigate the often complex landscape of open standards? The CTO of a leading tech enterprise shared their approach: "We view compliance not as a burden, but as an opportunity to fortify our APIs, increase their interoperability, and enhance the security of the data they handle."&lt;/p&gt;

&lt;p&gt;This shift in perspective can be a game-changer. By embracing open standards as part of their core strategy, organizations can proactively enhance their APIs' functionality and security, rather than reactively responding to regulatory requirements.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Role of Contxt
&lt;/h3&gt;

&lt;p&gt;Navigating open standards compliance can be challenging, which is where Contxt steps in. Our platform is designed to guide you through this complex process, offering the tools and insights necessary to ensure your APIs not only meet but exceed these standards.&lt;/p&gt;

&lt;p&gt;The representative from an Oil and Gas multinational echoed the benefits of such a solution: "Contxt has been instrumental in helping us navigate the intricacies of open standards compliance, making the process much more manageable and less daunting."&lt;/p&gt;

&lt;h3&gt;
  
  
  The Bottom Line
&lt;/h3&gt;

&lt;p&gt;The importance of open standards compliance, especially in relation to data privacy, cannot be overstated. It's not merely a box to tick off, but a critical component of a robust API strategy. As you climb the ladder of the API Context Maturity Model, remember the expert insights shared today and consider how your organization can benefit from a steadfast commitment to API standards and data privacy. After all, in the digital era, the security of your APIs is synonymous with the security of your data.&lt;/p&gt;

&lt;p&gt;Stay tuned for our next blog post as we continue to unravel the complexities of the API journey.&lt;/p&gt;

</description>
      <category>api</category>
      <category>webdev</category>
      <category>design</category>
      <category>security</category>
    </item>
    <item>
      <title>Why Every Level of the API Context Maturity Model Matters</title>
      <dc:creator>Jamie Beckland</dc:creator>
      <pubDate>Wed, 06 Sep 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/why-every-level-of-the-api-context-maturity-model-matters-2ojn</link>
      <guid>https://forem.com/contxt/why-every-level-of-the-api-context-maturity-model-matters-2ojn</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Welcome back to our ongoing exploration of the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;API Context Maturity Model&lt;/a&gt;. As we've navigated the diverse landscape of API maturity, it's become clear that each level, from open public API calls to open standards compliance, holds unique value and challenges. Today, we'll delve into why every level of our API Maturity Model is crucial to your organization's API security and effectiveness.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Foundation: Open, Public API Calls
&lt;/h3&gt;

&lt;p&gt;At Level 0, open public API calls form the bedrock of the API journey. An executive from a global retailer emphasized that while this level offers ease of accessibility and innovation, it's a double-edged sword, with potential data exposure risks. This level matters because it's where organizations learn the fundamentals of APIs and the inherent necessity for effective management tools, like Contxt.&lt;/p&gt;

&lt;h3&gt;
  
  
  Showing Progress: Authenticated API Calls
&lt;/h3&gt;

&lt;p&gt;Next, we see authenticated API calls at Level 1. This level introduces a layer of security, helping to verify who is accessing the APIs. However, as the representative from an Oil and Gas multinational highlighted, it's not without its challenges, particularly around creating user-friendly authentication measures. This stage is vital as it emphasizes the importance of balancing user experience with robust security.&lt;/p&gt;

&lt;h3&gt;
  
  
  A Power Shift: Authorized API Calls
&lt;/h3&gt;

&lt;p&gt;Moving to Level 2, the introduction of authorization adds another dimension to API security. Here, organizations learn to manage not just who can access APIs, but also what they can do. The Head of Engineering from a data scaleup shared the complexities of implementing granular access controls, underlining why this level is crucial for organizations to master.&lt;/p&gt;

&lt;h3&gt;
  
  
  Toward Clarity: Purpose and Use Defined
&lt;/h3&gt;

&lt;p&gt;Level 3 ushers in a significant shift where organizations define the purpose and use of their APIs. As a finance expert recounted, this step is critical to ensure compliance, especially under regulations like GDPR. This level, therefore, is pivotal in helping organizations understand the importance of transparency and control in their API strategy.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Culmination: Open Standards Compliance
&lt;/h3&gt;

&lt;p&gt;Finally, at Level 4, organizations grapple with open standards compliance. This level is the zenith of API maturity, where the focus is on ensuring APIs are not just secure but also interoperable and forward-compatible. The CTO of a tech enterprise underscored the challenges and the imperative nature of adopting these standards.&lt;/p&gt;

&lt;p&gt;The journey through the API Context Maturity Model is more than just a progressive roadmap. It's a recognition that each level presents opportunities for growth and learning. As organizations move through these stages, they learn to manage APIs more effectively and securely, preparing themselves for the ever-evolving landscape of API-driven innovation.&lt;/p&gt;

&lt;p&gt;Throughout this journey, Contxt is your trusted partner, providing the tools and insights needed at each level. Remember, every level matters because each one adds a layer of understanding, security, and effectiveness to your API strategy, leading to a more robust, compliant, and future-proof API ecosystem.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>New U.S. Regulations Highlight the Importance of Collecting Personal Data Purpose and Use</title>
      <dc:creator>Jamie Beckland</dc:creator>
      <pubDate>Thu, 31 Aug 2023 15:00:44 +0000</pubDate>
      <link>https://forem.com/contxt/new-us-regulations-highlight-the-importance-of-collecting-personal-data-purpose-and-use-4691</link>
      <guid>https://forem.com/contxt/new-us-regulations-highlight-the-importance-of-collecting-personal-data-purpose-and-use-4691</guid>
      <description>&lt;p&gt;Today, the White House hosted a roundtable on data broker practices that harm consumer privacy, in particular, selling “credit header data,” which can contain sensitive personal information such as name, Social Security number, and date of birth. Simultaneously, the Consumer Financial Protection Bureau (CFPB) announced it will propose new regulations to limit the operations of data brokers under the Fair Credit Reporting Act (FCRA). This move aims to safeguard consumer rights and privacy while bringing data brokers under more stringent control.&lt;/p&gt;

&lt;p&gt;Data brokers vacuum up and sell personal information, often without our explicit consent, and sometimes even without our knowledge or awareness. These brokers often rely on data with an unknowable chain of custody, mixing together data from a variety of sources, and often relying on blanket permissions from parties that are not authorized to grant them.&lt;/p&gt;

&lt;p&gt;The CFPB’s initiative reinforces the need for high quality data collection practices, in particular, the need to collect purpose and use consent alongside data attributes. Many digital product owners would never consider selling their customer data, but the reality is that personal data often leaks from poorly constructed and monitored APIs.&lt;/p&gt;

&lt;p&gt;Internal and external teams often have access to sensitive data over APIs, including marketing and data analytics teams. These new rules further highlight the need to limit customer data exposure with better tooling.&lt;/p&gt;

&lt;p&gt;This comes on the heels of the Securities and Exchange Commission (SEC) adopting new rules earlier this month that require companies to disclose cybersecurity incidents on Form 8-K within just four business days.&lt;/p&gt;

&lt;p&gt;There’s no question the regulatory cost of mishandling sensitive customer data is increasing.&lt;/p&gt;

&lt;p&gt;For most API product teams, the challenge has been that they don’t have a good understanding of API misconfigurations, and they can’t control data flow at a granular enough level.&lt;/p&gt;

&lt;p&gt;At Contxt, we know that trust starts with discovery. Our first step is always to understand what data actually flows over your APIs.&lt;/p&gt;

&lt;p&gt;Once we have established a baseline, we empower you to collect and document the intended purpose of data usage. This aligns with the CFPB's goal of ensuring companies comply with authorized data uses, as specified by the FCRA.&lt;/p&gt;

&lt;p&gt;Then, Contxt's capabilities extend beyond data collection and reporting. We enable you to enforce proper usage downstream, ensuring that the data's purpose remains consistent throughout its journey.&lt;/p&gt;

&lt;p&gt;To learn more about Contxt's capabilities and how we can help your business prepare for the dynamic regulatory environment, &lt;a href="https://darkspark.io/signup?utm_source=DevTo"&gt;sign up for an account for free&lt;/a&gt;.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Mapping Your Journey to API Maturity With Contxt</title>
      <dc:creator>mayurContxt</dc:creator>
      <pubDate>Wed, 30 Aug 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/mapping-your-journey-to-api-maturity-with-contxt-5h4a</link>
      <guid>https://forem.com/contxt/mapping-your-journey-to-api-maturity-with-contxt-5h4a</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In the dynamic world of technology, companies are racing to harness the power of APIs to innovate and deliver seamless experiences. However, achieving API maturity is a journey that requires navigating many complexities and challenges.&lt;/p&gt;

&lt;p&gt;Our series, "Ask the Experts: Understanding the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;API Context Maturity Model&lt;/a&gt;," has garnered insights from industry leaders across the globe, shedding light on the practicalities of progressing through the different levels of API maturity. What resonates through these conversations is the necessity for a strategic partner to guide this journey, which is where Contxt can help.&lt;/p&gt;

&lt;h3&gt;
  
  
  Navigating Open, Public API Calls
&lt;/h3&gt;

&lt;p&gt;Starting at Level 0 of our API Context Maturity Model, we see the use of open, public API calls. These are the first steps into the API world, offering access to data and services. However, an interviewee from a global retailer highlighted the inherent risks in this level, citing challenges in managing data exposure. Contxt helps organizations strike the perfect balance between openness and security by providing visibility and control over API usage.&lt;/p&gt;

&lt;h3&gt;
  
  
  Advancing With Authenticated API Calls
&lt;/h3&gt;

&lt;p&gt;Level 1 introduces authentication to APIs, which addresses some of the security concerns of Level 0. An executive from an Oil and Gas multinational reflected on the challenges in implementing robust and user-friendly authentication measures. Contxt assists by ensuring authentication is not a stumbling block but a stepping stone to higher API maturity levels.&lt;/p&gt;

&lt;h3&gt;
  
  
  Empowering With Authorized API Calls
&lt;/h3&gt;

&lt;p&gt;At Level 2, APIs become more refined with the introduction of authorization. While this enhances security, the Head of Engineering at a data scaleup mentioned the complexities in implementing fine-grained access controls. Contxt simplifies this by offering intuitive tools to manage API permissions effectively.&lt;/p&gt;

&lt;h3&gt;
  
  
  Defining Purpose and Use
&lt;/h3&gt;

&lt;p&gt;As organizations reach Level 3, the need for transparency and control becomes paramount. A finance sector expert shared experiences of grappling with purpose and use definitions for APIs, crucial for compliance with regulations like GDPR. Contxt's unique capabilities provide the much-needed clarity in defining the purpose and use of APIs, ensuring organizations stay on the right side of compliance.&lt;/p&gt;

&lt;h3&gt;
  
  
  Embracing Open Standards Compliance
&lt;/h3&gt;

&lt;p&gt;Finally, at Level 4, we explore the adoption of open standards, a cornerstone of modern API development. A CTO from a technology enterprise echoed the challenges in adopting and maintaining compliance with these standards. Contxt aids organizations to not only understand these standards but also to implement them effortlessly.&lt;/p&gt;

&lt;p&gt;Through the course of these conversations, it's evident that the journey to API maturity is one of continuous evolution, with new challenges at each level. At Contxt, we get to be a reliable partner, guiding organizations at each step of this journey, transforming challenges into opportunities for growth and innovation. Stay tuned to our blog as we delve deeper into each level, sharing more insights and practical solutions from industry experts and the Contxt team.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Ask the Experts: Understanding the API Context Maturity Model - Level 4 - Open Standards Compliant API Calls</title>
      <dc:creator>Jamie Beckland</dc:creator>
      <pubDate>Wed, 23 Aug 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-4-open-standards-compliant-api-calls-51nd</link>
      <guid>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-4-open-standards-compliant-api-calls-51nd</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Welcome to the final stage of our API Context Maturity Model journey - Level 4, where Open Standards Compliance reigns. It is at this stage that organizations reach the pinnacle of API maturity, where the established API ecosystem adheres to recognized industry standards.&lt;/p&gt;

&lt;p&gt;In order to share key comments from the hundreds of technology leaders we consulted to develop the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;Context Maturity Model&lt;/a&gt;, we have anonymized their thoughts to give you the most unfiltered view.&lt;/p&gt;

&lt;p&gt;Adhering to open standards means the API calls are designed and operated in accordance with accepted industry best practices. These standards include mechanisms to ensure secure data transmission, robust authentication protocols, and well-defined data structures.&lt;/p&gt;

&lt;p&gt;A technology lead from a global financial services firm shared, "Adopting open standards helped us establish a common language and baseline for security within our API infrastructure. It's like a safety net that ensures we're following best practices."&lt;/p&gt;

&lt;p&gt;However, transitioning to Level 4 is not without its challenges. It demands an in-depth understanding of the standards, significant alignment effort, and continuous monitoring for adherence.&lt;/p&gt;

&lt;p&gt;A cybersecurity executive from a multinational logistics company explained their journey: "It was a massive task to align our existing API landscape to open standards. We found a few gaps during the transition, but it also helped us to uncover some hidden vulnerabilities."&lt;/p&gt;

&lt;p&gt;Achieving Level 4 maturity not only improves API security but also enhances interoperability, a significant advantage in today's increasingly interconnected world. It is the realization of a robust, secure, and efficient API ecosystem.&lt;/p&gt;

&lt;p&gt;While it's important to aim for Level 4 maturity, the journey through each level provides invaluable insights. With each step, organizations become more aware of their API ecosystem, uncovering vulnerabilities and enhancing security measures.&lt;/p&gt;

&lt;p&gt;This marks the conclusion of our 'Ask the Experts' series on the API Context Maturity Model. We've examined each level, the benefits, and challenges involved, and shared expert insights. No matter where you are in your API journey, remember that the aim is continuous improvement and security. As always, we encourage you to reach out with any questions or thoughts on your API journey.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Ask the Experts: Understanding the API Context Maturity Model - Level 3 - Purpose and Use Defined API Calls</title>
      <dc:creator>mayurContxt</dc:creator>
      <pubDate>Wed, 16 Aug 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-3-purpose-and-use-defined-api-calls-55co</link>
      <guid>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-3-purpose-and-use-defined-api-calls-55co</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Continuing with our journey up the API Context Maturity Model, we've arrived at Level 3 - Purpose and Use Defined API Calls. As our API usage expands, so does the complexity and potential security concerns. Now, we take our API security strategy a step further by focusing on the defined purpose and use of each API call.&lt;/p&gt;

&lt;p&gt;As a reminder, we have distilled key comments from the hundreds of technology leaders we consulted to develop the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;Context Maturity Model&lt;/a&gt;, and we are sharing their thoughts anonymously to give you the most unfiltered view of the current state of APIs.&lt;/p&gt;

&lt;p&gt;Defining the purpose and use of API calls may seem intuitive, but it is a level that many organizations struggle to reach. At Level 3, each API call is associated with a specific purpose and use. This ensures that the system only allows API calls that match the defined purpose and use, further reducing the risk of data leaks or misuse.&lt;/p&gt;

&lt;p&gt;One IT leader at a global retailer conveyed how defining purpose and use made a difference. "Once we began associating specific uses with each API call, we gained a better understanding of our data flows. It also helped us spot abnormal behaviors much quicker."&lt;/p&gt;

&lt;p&gt;However, there are challenges as well. Defining the purpose and use for each API call requires a detailed understanding of the business operations and comprehensive mapping of data flows, which can be a complex process for larger organizations.&lt;/p&gt;

&lt;p&gt;A CISO of a multinational healthcare company described their journey: "Mapping our data flows and aligning them with our API calls was quite a challenge. But the visibility it provided in terms of our data processing activities was worth it."&lt;/p&gt;

&lt;p&gt;As organizations start defining the purpose and use of their API calls, they take a significant step toward achieving more secure and manageable API ecosystems.&lt;/p&gt;

&lt;p&gt;In the next post of this series, we will explore the final level of the API Context Maturity Model - Level 4, where organizations achieve compliance with open standards. Stay tuned to learn about the benefits and challenges that come with reaching the peak of API maturity. As always, we encourage you to reach out with any questions or comments on your journey to better API security.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Ask the Experts: Understanding the API Context Maturity Model - Level 2 - Authorized API Calls</title>
      <dc:creator>Jamie Beckland</dc:creator>
      <pubDate>Wed, 09 Aug 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-2-authorized-api-calls-3324</link>
      <guid>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-2-authorized-api-calls-3324</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Welcome back to our 'Ask the Experts: Understanding the API Context Maturity Model' series. We've made our way up from open public API calls to authenticated API calls, and now we're ready to unpack Level 2 - Authorized API Calls. As a reminder, we have distilled key comments from the hundreds of technology leaders we consulted to develop the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;Context Maturity Model&lt;/a&gt;, and we are sharing their thoughts anonymously to give you the most unfiltered view of the current state of APIs.&lt;/p&gt;

&lt;p&gt;After establishing an authentication system at Level 1, the next challenge for organizations is to establish an authorization system. With authorization in place, API calls can be made by authenticated users with specific permissions. This reduces the risk of users accessing data or functions that they aren't supposed to, adding another layer of security and control to the API environment.&lt;/p&gt;

&lt;p&gt;A CTO of a fintech start-up shared their experience moving to Level 2. "After incorporating authentication measures, we soon realized the need for further granularity in API access. We needed to ensure that authenticated users could only access data and functions relevant to their roles. Transitioning to authorized API calls helped us achieve that."&lt;/p&gt;

&lt;p&gt;This level of authorization is crucial in environments where data sensitivity varies or where roles differ significantly in their access requirements. For instance, an executive at a multinational banking corporation highlighted how implementing authorization measures was a game-changer in their highly regulated industry.&lt;/p&gt;

&lt;p&gt;They said, "In our industry, data sensitivity varies enormously, and so does role-based access requirements. With authorized API calls, we were able to ensure that our employees could access only the data and functions that were pertinent to their work. This move dramatically improved our data security posture."&lt;/p&gt;

&lt;p&gt;However, like every step in the maturity model, Level 2 comes with its own set of challenges. The more granular the access control, the more complex the system can become. Organizations often struggle with managing a large number of roles and permissions, which can lead to misconfigurations.&lt;/p&gt;

&lt;p&gt;In our next post, we'll delve into Level 3 - Purpose and Use Defined API Calls, where we will discuss how organizations can deal with complex role and permission challenges by defining the purpose and use of each API call.&lt;/p&gt;

&lt;p&gt;Till then, stay tuned, and as always, feel free to reach out for more insights on API security and best practices.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Ask the Experts: Understanding the API Context Maturity Model - Level 1 - Authenticated API Calls</title>
      <dc:creator>mayurContxt</dc:creator>
      <pubDate>Wed, 02 Aug 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-1-authenticated-api-calls-50a9</link>
      <guid>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-1-authenticated-api-calls-50a9</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Welcome back to 'Ask the Experts: Understanding the API Context Maturity Model.' In our &lt;a href="https://bycontxt.com/blog/g9t2130mj7gn23bu32drhtesqzuny8?utm_source=DevTo"&gt;first post of the series&lt;/a&gt;, we explored the foundation of the model: Open, Public API calls. Now, we will move up a rung on the ladder to Level 1 - Authenticated API calls. As a reminder, we are distilling key comments from the hundreds of technology leaders we consulted to develop the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;Context Maturity Model&lt;/a&gt;, and we are sharing their thoughts anonymously to give you the most unfiltered view of the current state of APIs.&lt;/p&gt;

&lt;p&gt;As organizations become more aware of the inherent security risks associated with entirely open APIs, they begin to implement authentication measures. API calls at Level 1 require valid credentials, adding a basic layer of security and control over who can access the API.&lt;/p&gt;

&lt;p&gt;Drawing from our expert interviews, a CIO from a healthcare tech firm shared their experiences navigating Level 1. They remarked, "The addition of authentication measures provided a much-needed layer of security. It marked our first step towards a more secure API environment, but it quickly became clear that authentication alone was not enough."&lt;/p&gt;

&lt;p&gt;While authenticated API calls significantly reduce the risk of unauthorized access, they do not provide granular access control, i.e., what specific data or functions a particular user can access. Therefore, while Level 1 improves upon the openness of Level 0, it still poses limitations.&lt;/p&gt;

&lt;p&gt;An executive from a data scaleup echoed this sentiment. They stated, "Despite implementing authentication, we still faced incidents where users could access more data than necessary. The issue was not about who could access our API but about what they could access once they were in."&lt;/p&gt;

&lt;p&gt;It's important to note that these limitations aren't indicative of any failing at Level 1. Instead, they highlight the incremental nature of the API Context Maturity Model. Each level is a step forward, addressing limitations of the previous level while setting the stage for more advanced practices.&lt;/p&gt;

&lt;p&gt;Join us for our next installment where we'll delve into Level 2 - Authorized API Calls - where we will discuss how organizations can enhance their security measures by controlling not just who can access the API, but also what they can access.&lt;/p&gt;

&lt;p&gt;As always, if you're looking for more insights on API security and best practices, we're here to help. Until next time!&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Ask the Experts: Understanding the API Context Maturity Model - Level 0 - Open, Public API Calls</title>
      <dc:creator>Jamie Beckland</dc:creator>
      <pubDate>Fri, 28 Jul 2023 09:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-0-open-public-api-calls-4n75</link>
      <guid>https://forem.com/contxt/ask-the-experts-understanding-the-api-context-maturity-model-level-0-open-public-api-calls-4n75</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya &amp;amp; Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Welcome to our new series, 'Ask the Experts: Understanding the API Context Maturity Model.' In the course of developing the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;Context Maturity Model&lt;/a&gt;, we spoke with hundreds of technology leaders across a variety of industries. In this series, we hear from some of these experts in their own words. Throughout this series, we will share their candid thoughts and feedback anonymously, to give you the most unfiltered view of the current state of APIs.&lt;/p&gt;

&lt;p&gt;Our journey begins at Level 0 - Open, Public API Calls. APIs at this level are accessible to anyone and can be called freely. They serve as the foundation for organizations entering the realm of APIs, creating an open-ended environment for data sharing but also posing significant potential risks.&lt;/p&gt;

&lt;p&gt;A technology lead at a multinational oil and gas company offered insight into their experience at this level. He noted, "APIs initially seemed like a simple way to share data and establish connections. However, we quickly realized that without proper control measures, our exposure to risk was far greater than necessary."&lt;/p&gt;

&lt;p&gt;These sentiments underscore the trade-offs businesses must consider at Level 0. While open, public API calls can accelerate digital transformation, they also emphasize the importance of implementing secure API practices from the outset.&lt;/p&gt;

&lt;p&gt;Another perspective came from a manager at a global retailer, who described an incident where public access to an API led to its misuse and unnecessary exposure of a significant amount of data. This experience further highlights the potential pitfalls at this level.&lt;/p&gt;

&lt;p&gt;Open, public API calls are incredibly useful, but they should only be used once you have confirmed that there is no risk of proprietary or sensitive data leaks.&lt;/p&gt;

&lt;p&gt;As we progress through the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;Context Maturity Model&lt;/a&gt; in subsequent posts, we will explore how to navigate these challenges and adopt more secure and sophisticated API practices. The journey from open, public API calls to achieving open standards compliance has many considerations, but by understanding each level's unique challenges, your organization can confidently navigate the path to API maturity.&lt;/p&gt;

&lt;p&gt;Join us in our next post as we delve into Level 1 - Authenticated API Calls. As always, if you'd like more information on API security and best practices, feel free to reach out. We're here to help!&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Navigating the Evolving API Landscape: Insights From the New Stack and the API Context Maturity Model</title>
      <dc:creator>mayurContxt</dc:creator>
      <pubDate>Wed, 14 Jun 2023 23:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/navigating-the-evolving-api-landscape-insights-from-the-new-stack-and-the-api-context-maturity-model-ga3</link>
      <guid>https://forem.com/contxt/navigating-the-evolving-api-landscape-insights-from-the-new-stack-and-the-api-context-maturity-model-ga3</guid>
      <description>&lt;p&gt;In a recent article published by &lt;a href="https://thenewstack.io/api-management-is-a-commodity-whats-next/"&gt;The New Stack&lt;/a&gt;, Eric Newcomer poses an intriguing question: &lt;a href="https://thenewstack.io/api-management-is-a-commodity-whats-next/"&gt;"API Management Is a Commodity: What’s Next?"&lt;/a&gt; His insightful analysis prompts a thoughtful examination of the API industry's trajectory. In response, we've chosen to align these observations with the stages of the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;API Context Maturity Model&lt;/a&gt;, providing a comprehensive roadmap for businesses seeking to navigate the complexities of API management effectively.&lt;/p&gt;

&lt;h2&gt;
  
  
  APIs as a Strategic Product: Level 0 &amp;amp; 1 of the Maturity Model
&lt;/h2&gt;

&lt;p&gt;Newcomer's argument begins with a significant claim: API management has reached a level of commoditization. His assertion reflects a mature industry where APIs are no longer viewed as novel innovations but as essential components of a business's digital strategy. This perspective aligns with Level 0 of the API Context Maturity Model, which denotes APIs that are open, public, and require no information from the requester before delivering a response.&lt;/p&gt;

&lt;p&gt;However, Newcomer also recognizes that the future of API management will rely heavily on security and accountability measures. The need for APIs to deliver personalized data and the increasing importance of monitoring API usage signify a transition to Level 1 of the Maturity Model. Level 1 introduces authenticated API calls that provide requester-specific information, a necessity in today's digital ecosystem.&lt;/p&gt;

&lt;p&gt;At this juncture, Contxt can provide a significant boost. Tools like Contxt help businesses discover all APIs across their enterprise, implement integrated change control mechanisms, and manage authentication requirements, helping navigate the transition from Level 0 to Level 1.&lt;/p&gt;

&lt;h2&gt;
  
  
  APIs as Business Infrastructure: Progressing to Level 2
&lt;/h2&gt;

&lt;p&gt;In his article, Newcomer goes a step further, painting a picture where APIs form the foundation of a business's infrastructure. Such a scenario corresponds to Level 2 of the Maturity Model, a stage where API calls transition from being merely authenticated to becoming authorized.&lt;/p&gt;

&lt;p&gt;At Level 2, APIs carry specific permissions, adhering to precise requester expectations. Security becomes paramount, with businesses needing to consider data location regulations and proactive classification of sensitive data. Here, Contxt’s security features can play a critical role, providing robust data risk management capabilities to maintain compliance and protect data integrity.&lt;/p&gt;

&lt;h2&gt;
  
  
  APIs in Heavily Regulated Sectors: Embracing Level 4
&lt;/h2&gt;

&lt;p&gt;Newcomer spotlights the financial sector's increasing reliance on APIs, a trend indicative of the progression to Level 4 of the Maturity Model. This level denotes API calls that need to comply with rigorous public standards, a requirement often observed in heavily regulated sectors like finance.&lt;/p&gt;

&lt;p&gt;Level 4 brings unique challenges such as proving consistent compliance and maintaining detailed API documentation. Contxt offers solutions to these challenges with features designed for auto-documentation and demonstration of compliance, enabling businesses to thrive in this regulatory environment.&lt;/p&gt;

&lt;h2&gt;
  
  
  APIs and Event-Driven Architectures: Moving Towards Level 3
&lt;/h2&gt;

&lt;p&gt;In the future landscape envisioned by Newcomer, event-driven APIs and Large Language Models (LLMs) take center stage. These innovations correspond to Level 3 of the Maturity Model, where APIs are defined based on purpose and use.&lt;/p&gt;

&lt;p&gt;In this context, the exchange of data becomes dynamic, evolving to meet the specific requirements of each request. Such a shift requires advanced tools capable of tracking and managing data flows in real-time. Contxt's robust capabilities, designed to effectively handle dynamic data exchanges, provide a significant advantage as businesses transition towards Level 3.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bridging Thought Leadership and Industry Practice
&lt;/h2&gt;

&lt;p&gt;The alignment of the API Context Maturity Model with Newcomer's industry trends provides a practical roadmap for organizations to navigate the increasingly complex world of API management. As the industry moves towards an era where APIs transition from being technical tools to strategic business assets, businesses will require robust and flexible solutions to ensure seamless, secure, and compliant API operations.&lt;/p&gt;

&lt;p&gt;Newcomer's commentary, backed by our practical alignment with the &lt;a href="https://bycontxt.com/blog/introducing-the-api-context-maturity-model?utm_source=DevTo"&gt;API Context Maturity Model&lt;/a&gt;, prepares businesses for this transition, highlighting the steps they can take and the tools they can leverage, like Contxt, to meet the demands of a rapidly evolving API landscape.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Introducing the API Context Maturity Model</title>
      <dc:creator>Jamie Beckland</dc:creator>
      <pubDate>Mon, 12 Jun 2023 23:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/introducing-the-api-context-maturity-model-5gp9</link>
      <guid>https://forem.com/contxt/introducing-the-api-context-maturity-model-5gp9</guid>
      <description>&lt;p&gt;&lt;strong&gt;By: Mayur Upadhyaya and Jamie Beckland&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Every API call has context around it.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Who is making the API call?&lt;/li&gt;
&lt;li&gt;What data are they requesting or attempting to post?&lt;/li&gt;
&lt;li&gt;Is that data public or private?&lt;/li&gt;
&lt;li&gt;Do we need to check with anyone else before permitting the request?&lt;/li&gt;
&lt;li&gt;Does the data transfer have any legal or ethical considerations or constraints?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Our goal should be to provide the right response, in the right context, every time.&lt;/p&gt;

&lt;p&gt;But, for the past decade, &lt;a href="https://bycontxt.com/blog/blog/apis-are-growing-faster-than-developers-can-handle?utm_source=DevTo" rel="noopener noreferrer"&gt;APIs have moved at the speed of business&lt;/a&gt;. APIs have grown so quickly because they have proven their value in creating flexibility and functionality. The cost, however, has been inconsistent security, privacy, and performance rigor.&lt;/p&gt;

&lt;p&gt;That’s why there have been so many &lt;a href="https://bycontxt.com/blog/pii-and-you-why-appdevs-need-to-protect-it?utm_source=DevTo" rel="noopener noreferrer"&gt;data issues&lt;/a&gt;, &lt;a href="https://bycontxt.com/blog/t-mobile-is-in-hot-water-again-another-breach-this-time-due-to-insecure-api?utm_source=DevTo" rel="noopener noreferrer"&gt;breaches&lt;/a&gt;, and &lt;a href="https://bycontxt.com/blog/blog/so-you-have-an-api-vulnerability-what-does-that-mean-and-what-can-be-done?utm_source=DevTo" rel="noopener noreferrer"&gt;leaky APIs&lt;/a&gt; recently. Bad actors know that APIs are the weak link in protecting your customers’ and your business’ data assets.&lt;/p&gt;

&lt;p&gt;Our approach to API context maturity comes from understanding that you are building the plane while you fly it. You need to move quickly, and enable teams to deliver business objectives. One approach is to slow teams down by asking them to be experts in security and privacy (in addition to all of the other functions that they need to be experts in).&lt;/p&gt;

&lt;p&gt;We think you get better outcomes faster when you ensure that there are adequate guardrails, so teams can’t make egregious mistakes, while maintaining velocity.&lt;/p&gt;

&lt;p&gt;Then, incrementally, we can raise the guardrails to enforce higher standards for use cases where more protection is necessary.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwyo0pnvcz0qw7ifmm7l2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwyo0pnvcz0qw7ifmm7l2.png" alt="A graph with the y-axis labeled: Maturity and the x-axis labeled: Capacity with five different boxes plotted on the graph going diagonally up and right. The first box says: Level 0 - Open APIs. The second box says: Level 1 - Authenticated APIs. The third box says: Level 2 - Authorized APIs. The fourth box says: Level 3 - Purpose Defined. The final box says: Level 4 - Standards Compliant."&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The API Context Maturity Model breaks down building and maintaining APIs with an increasingly sophisticated understanding of the context surrounding the API call.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Level 0 - Open, public API calls.&lt;/strong&gt; These calls require no information from the requester before delivering a response. This may be totally appropriate for many (or most!) API calls. An API call that delivers weather for a location, or the cost of a flight, may not need any special protections, and Level 0 works well. It is fast and efficient, and ensures that the barrier to deploy and maintain these services is as low as possible. However, if an API call contains personal or sensitive data, or if it requires authentication, Level 0 is not appropriate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Level 1 - Authenticated API calls.&lt;/strong&gt; These calls have an understanding of who the requester is, and can provide information specific to that requester. There are lots of reasons that an API call should be authenticated. Perhaps a customer wants to know information about their account. Or you need to monitor the usage of the API call, so you need to understand how much each user is calling the service. Or there is proprietary pricing and inventory information that you only want to expose to certain employees and partners. Regardless of the reason, any API that needs to be authenticated should validate the requester's credentials on every call, not just the first one. There are many ways to authenticate an API call, and different levels of authentication should apply to different APIs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Level 2 - Authorized API calls.&lt;/strong&gt; These calls have specific permissions and requester expectations attached to them. For example, maybe you offer different bulk pricing discounts to different partners, based on the level of commercial relationship. You want to make sure that pricing information is not shared with every user and system from the partner, but customize the response based on the authorization scope. Another example is when you have different services calling the same API endpoint, and want to return different information. If your get_customers endpoint is used by your internal analytics tool, you may want to share birthdate, mailing address, and other personal information. But, when your advertising partners call that same endpoint, you need to reduce the scope of the payload to avoid sharing PII.&lt;/p&gt;
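&lt;p&gt;The Level 1 and Level 2 guardrails described above, as an added example that is not code from the original post or from any Contxt product: a hypothetical get_customers endpoint that re-validates an HMAC-signed bearer token on every call (Level 1) and then returns only the fields the caller's scopes permit (Level 2), so the advertising partner calling the same endpoint as the internal analytics tool never receives birthdate or mailing address. The signing key, scope names, token format and customer records are all constructed for illustration.&lt;/p&gt;

```python
"""Added example: Level 1 (authenticate every call) and Level 2 (shape the
payload by authorization scope) guardrails for a hypothetical get_customers
endpoint. Not code from the original post; all names and data are constructed."""
import hashlib
import hmac
from typing import Optional

# Hypothetical server-side key used to sign tokens; in production it would
# come from a secrets manager, never from source code.
SIGNING_KEY = b"example-only-signing-key"

# Constructed sample records behind the get_customers endpoint.
CUSTOMERS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ada@example.com",
     "birthdate": "1990-01-01", "mailing_address": "1 Main St", "segment": "premium"},
    {"id": 2, "name": "Bob Ray", "email": "bob@example.com",
     "birthdate": "1985-06-15", "mailing_address": "2 Side St", "segment": "standard"},
]

# Level 2: the only fields each scope may receive. Anything not listed for a
# caller's scopes never leaves the server, so the advertising partner calling
# the same endpoint as the analytics tool gets no PII.
SCOPE_FIELDS = {
    "customers:analytics": {"id", "name", "email", "birthdate", "mailing_address", "segment"},
    "customers:advertising": {"id", "segment"},
}


class AuthError(Exception):
    """Raised when a call fails authentication or holds no usable scope."""


def issue_token(subject: str, scopes: list) -> str:
    """Mint an HMAC-signed bearer token of the form subject|scopes|signature."""
    payload = f"{subject}|{' '.join(scopes)}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def authenticate(token: Optional[str]) -> tuple:
    """Level 1: verify the token on every call and return (subject, scopes).

    Nothing is cached from a previous request; a missing, malformed or
    tampered token is rejected before any data is touched."""
    if not token:
        raise AuthError("missing bearer token")
    payload, _, sig = token.rpartition("|")
    if not payload or "|" not in payload:
        raise AuthError("malformed token")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(sig, expected):
        raise AuthError("invalid token signature")
    subject, _, scope_str = payload.partition("|")
    return subject, set(scope_str.split())


def get_weather(location: str) -> dict:
    """Level 0: open, public call. No requester information is needed."""
    return {"location": location, "forecast": "sunny"}  # constructed response


def get_customers(token: Optional[str]) -> list:
    """Level 2: authenticate, then return only the fields the caller's scopes allow."""
    subject, scopes = authenticate(token)
    allowed = set()
    for scope in scopes:
        allowed |= SCOPE_FIELDS.get(scope, set())
    if not allowed:
        raise AuthError(f"{subject} holds no scope that permits get_customers")
    return [{k: v for k, v in row.items() if k in allowed} for row in CUSTOMERS]


if __name__ == "__main__":
    analytics = issue_token("internal-analytics", ["customers:analytics"])
    partner = issue_token("ad-partner", ["customers:advertising"])
    print(get_customers(analytics)[0])   # full record, including PII
    print(get_customers(partner)[0])     # {'id': 1, 'segment': 'premium'}
    try:
        # Editing the scope inside the token invalidates its signature.
        get_customers(partner.replace("advertising", "analytics"))
    except AuthError as err:
        print("rejected:", err)
```

&lt;p&gt;The design choice worth noting is that the field allowlist is keyed by scope, not by caller: adding a new partner means issuing a token with an existing scope, and widening what a scope may see is a single, reviewable change to SCOPE_FIELDS rather than an edit to the endpoint. A caller whose scopes match nothing is refused outright instead of receiving an empty-but-successful response.&lt;/p&gt;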

&lt;p&gt;&lt;strong&gt;Level 3 - Purpose and use defined.&lt;/strong&gt; These calls rely on an understanding of why and how the data in the payload will be used. Perhaps the subject of the data request needs to consent for the requester to have the data, or to use the data in certain ways. You may need to collect consent from a patient to share their health data with their doctor or other provider. Or, with proper customer consent, you actually can share PII with advertisers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Level 4 - Open standards compliant.&lt;/strong&gt; These calls are critical to core business operations, and as such, they need to conform to rigorous public standards. In many markets, standards that have been developed and hardened in public working groups are now being adopted as regulatory requirements for operations. Regulators in finance, health, and other areas may want to periodically review API calls to ensure compliance.&lt;/p&gt;

&lt;p&gt;The API Context Maturity Model requires an understanding of each individual API call, and also of the specific circumstances of that call. As APIs move through the levels in the model, the complexity and the assurance do not go up linearly. It is much more complex to interpret changing regulations than to implement simple authentication.&lt;/p&gt;

&lt;p&gt;But, the framework provides a glidepath for Enterprises to incrementally improve their risk posture, and demonstrate conformance quickly.&lt;/p&gt;

&lt;p&gt;Implementing this maturity model becomes dramatically easier when you have an accurate understanding of your existing APIs, because the highest risk becomes clear quickly.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Guided Journey: Leveraging Identity Standards for API Security and Mitigating OWASP API:2019 Flaws</title>
      <dc:creator>mayurContxt</dc:creator>
      <pubDate>Sun, 11 Jun 2023 23:00:00 +0000</pubDate>
      <link>https://forem.com/contxt/guided-journey-leveraging-identity-standards-for-api-security-and-mitigating-owasp-api2019-flaws-ed9</link>
      <guid>https://forem.com/contxt/guided-journey-leveraging-identity-standards-for-api-security-and-mitigating-owasp-api2019-flaws-ed9</guid>
      <description>&lt;p&gt;&lt;strong&gt;Building on an insightful dialogue at The European Identity and Cloud Conference, I had the privilege of sharing the stage with industry experts Ingo Schubert (RSA), Ward Duchamps (Thales Digital Identity and Security), and Mark Haine (OpenID Foundation). With stimulating questions from Martin Kuppinger and Mike Schwartz, we dug deep into contemporary topics. Continuing from our &lt;a href="https://bycontxt.com/blog/maximizing-ciam-investments-a-layered-approach-to-api-security?utm_source=DevTo"&gt;previous panel-related post&lt;/a&gt;, this post presents the next chapter of our in-depth conversation.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In today's digital landscape, APIs (Application Programming Interfaces) are the cornerstone of business communication. They enable software applications to interact, opening up vast possibilities for integration and innovation. However, this also introduces an array of security vulnerabilities. To fortify defenses and mitigate these risks, we can harness the power of identity standards like FAPI2 (Financial-grade API). In this guided blog post, we'll explore the role of FAPI2 in addressing the flaws highlighted by the Open Web Application Security Project (OWASP) in their API:2019 report.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 1: Understand the Role of Identity Standards in API Security
&lt;/h2&gt;

&lt;p&gt;Identity standards provide a framework for secure data sharing and interoperability. According to Mayur Upadhyaya, Co-founder &amp;amp; CEO of Contxt, "Standards like OpenID Connect and FAPI2 play an integral role in ensuring safe data sharing and enabling interoperability."&lt;/p&gt;

&lt;p&gt;Action Item: Review your organization's current API security strategy. Determine whether and how identity standards are currently being used.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 2: Address OWASP API:2019 Flaws With FAPI2
&lt;/h2&gt;

&lt;p&gt;OWASP's API:2019 report identifies the top ten API security risks. To combat these, FAPI2 offers valuable guidance. As Martin Kuppinger, Principal Analyst at KuppingerCole, puts it, "FAPI2 provides guidelines that help developers avoid common pitfalls associated with the OWASP API:2019 flaws. It's like a blueprint for secure API development."&lt;/p&gt;

&lt;p&gt;Action Item: Analyze the OWASP API:2019 report and identify any vulnerabilities in your API that align with the report's top ten risks. Consider how FAPI2 guidelines can be used to address these vulnerabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 3: Choose the Right Standards
&lt;/h2&gt;

&lt;p&gt;Not all standards offer the same level of security. "It's essential to choose one that meets your organization's specific needs and industry requirements," advises Michael Schwartz, Founder of Gluu.&lt;/p&gt;

&lt;p&gt;Action Item: Assess your organization's needs and industry requirements. Based on these, determine the most suitable identity standards to implement.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 4: Balance Security and Usability
&lt;/h2&gt;

&lt;p&gt;While robust API security is paramount, it shouldn't compromise usability. Ingo Schubert, Global Cloud Identity Architect at RSA, echoes this sentiment, "We must balance security with usability. Overly complex security measures can deter users, while lax ones can lead to security breaches."&lt;/p&gt;

&lt;p&gt;Action Item: Evaluate your current API security measures. Look for opportunities to enhance security without negatively impacting usability.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 5: Contribute to the Development of Standards
&lt;/h2&gt;

&lt;p&gt;Participating in the development of standards like FAPI2 allows organizations to influence the security landscape. Mark Haine, Distinguished Engineer at the OpenID Foundation, encourages organizations to take an active role, "API security is a shared responsibility."&lt;/p&gt;

&lt;p&gt;Action Item: Explore opportunities for your organization to contribute to the development of identity standards.&lt;/p&gt;

&lt;h2&gt;
  
  
  Step 6: Implement a Layered Security Approach
&lt;/h2&gt;

&lt;p&gt;Finally, a layered security approach, incorporating standards like FAPI2 as one of many defenses, can bolster your API security. Alejandro Leal, Research Analyst at KuppingerCole, and Ward Duchamps, Senior Product Strategist at Thales Digital Identity and Security, both endorse this strategy.&lt;/p&gt;

&lt;p&gt;Action Item: Design a layered security strategy for your APIs. Ensure that the use of identity standards is an integral part of this strategy.&lt;/p&gt;

&lt;p&gt;By following this guided journey, organizations can effectively leverage identity standards like FAPI2 to secure APIs and mitigate the flaws highlighted in the OWASP API:2019 report.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
