APIs are windows into the Enterprise and need to be secured at every points of engagement between end user (consumer) and Enterprise crown jewels. In the API world, humans and machines seamlessly interact with each other and blend the trust boundaries between customers, partners and service providers. It is becoming increasingly hard to differentiate good human, authorized machine (apps) and cybercriminals who may exploit a threat vector via API, mobile or cloud platform
to access crown jewels. A way to address this is:
-- An adaptive security system to manage and secure all points of engagement Human->Apps->Devices->Network->APIs i.e. to prevent and detect and respond to threats. This supports a defense-in-depth strategy with security for all layers.
-- A fine granular authorization capability that is data centric and that supports various levels of access control based on the trust domain of interaction
-- A data driven security service that combines machine learning to detect patterns of anomalies and that can interface with other security products in the eco-system. e.g. Integration with Splunk or other SIEM tools
-- A battle tested platform in parity with private cloud at government scale:
An enterprise ready platform would enable agencies to plug into enterprise security services for encryption and key management. This provide an end-to-end security platform that protects the data from cybercriminals. Enterprise security architecture can support secure integration of mobile and cloud services to isolate private APIs from public APIs and services.