API Security: Applying the Separation of Concerns Design Principle

You may have wondered how a thinker like Edsger Dijkstra would have approached API security. You aren't the only one. Start by checking out our latest video on API security before we dive into what's needed for API security and identity integration with business applications.

Security professionals, API architects and IAM owners are under pressure to increase agility for their organization while offering engineering freedom at the same time. Sounds simple, right? Except it's not. When security is not externalized from the application (and it often isn't), there is a widespread fear that future security updates will break application logic.

What helps is applying a design principle called Separation of Concerns, commonly attributed to computer science pioneer Edsger Dijkstra. Generally speaking, by separating security from application logic you simplify both your infrastructure and your developers' work.

The business aspects of a system, and the applications that implement them, can evolve largely independently of security considerations. Likewise, security aspects can evolve freely without impacting the business. The benefits are twofold and go hand in hand.

API Security: Separate Your Concerns

APIs call for the same approach to security: you want, and need, the ability to separate API security from application logic. In the digital world, many critical services are delivered via APIs, yet securing them should not be a task for the business developer alone.

A ForgeRock customer within financial services struggled to expose a myriad of APIs delivered by multiple business units. They needed to expose the business REST APIs internally and with partner organizations around the globe.

In order for business teams to fully focus on application logic, the separation of concerns strategy requires an out-of-the-box API security solution. This solution must provide the necessary security infrastructure, consumable as a service and deployable with modern DevOps technology (such as Docker and Kubernetes).

This is where ForgeRock provides a solution. We help organizations secure their APIs through their identity infrastructure using an API security gateway. ForgeRock Identity Gateway can be used to front business APIs and offload access management tasks such as access token and scope validation, so that the business API itself never has to implement them. When our customer adopted ForgeRock Identity Gateway, they ultimately gained agility and reduced the amount of maintenance required during updates.

The Takeaway Here?

Separation of concerns design is necessary for API security and identity integration with business applications. Check out our latest API Security video above to learn more.

Curious about how ForgeRock Identity Gateway works on a deeper level? Check out our guide here to learn how you can quickly enforce authorization by leveraging Identity Gateway as an OAuth2 resource server.
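As an added illustration (not ForgeRock code or Identity Gateway configuration), here is the pattern the gateway description and the resource-server guide above refer to: a gateway layer that validates the bearer token and checks the route's required scopes before forwarding, so the business handler carries no security logic at all. All names are hypothetical, and the introspection table is a constructed stand-in for an OAuth2 authorization server's token-introspection endpoint (RFC 7662).

```python
"""Separation of concerns for an API: the gateway owns token and scope
validation; the business handler owns only application logic."""
import time

# Constructed stand-in for the authorization server's introspection responses.
# A real gateway would POST the token to the server's introspection endpoint.
INTROSPECTION = {
    "tok-accounts": {"active": True, "scope": "accounts:read",
                     "exp": time.time() + 3600, "sub": "alice"},
    "tok-payments": {"active": True, "scope": "accounts:read payments:write",
                     "exp": time.time() + 3600, "sub": "bob"},
    "tok-expired":  {"active": False},
}

# Route policy lives with the gateway, not with the business code.
ROUTES = {
    ("GET", "/accounts"): {"accounts:read"},
    ("POST", "/payments"): {"payments:write"},
}


def business_handler(method, path, subject):
    """Application logic: knows nothing about tokens or scopes."""
    if path == "/accounts":
        return 200, {"owner": subject, "accounts": ["ACC-1", "ACC-2"]}
    if path == "/payments":
        return 201, {"owner": subject, "status": "accepted"}
    return 404, {"error": "no such resource"}


def introspect(token):
    """Look the token up as an authorization server would (constructed data)."""
    return INTROSPECTION.get(token, {"active": False})


def gateway(method, path, headers):
    """Resource-server behaviour: validate token, enforce scopes, then forward."""
    required = ROUTES.get((method, path))
    if required is None:
        return 404, {"error": "unknown route"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    info = introspect(auth[len("Bearer "):])
    if not info.get("active") or info.get("exp", 0) < time.time():
        return 401, {"error": "invalid_token"}
    granted = set(info.get("scope", "").split())
    if not required <= granted:  # every required scope must have been granted
        return 403, {"error": "insufficient_scope", "required": sorted(required)}
    return business_handler(method, path, info["sub"])
```

Note that changing which scopes a route requires, or how tokens are validated, touches only the gateway; `business_handler` is never edited for a security change.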

For other questions about our Identity Gateway Solution, visit us here.

Who Is Joachim Andres?

As Product Management Director with 21 years of experience in the identity industry, Joachim helps organizations bridge their business to modern digital identity, and make the journey an easy downhill ride. In his leisure time, however, Joachim enjoys the challenge of cycling uphill.
