API Security: Applying the Separation of Concerns Design Principle

You may have been wondering what a clever person like Edsger Dijkstra would have considered the best way to approach API security. You aren't the only one. Start by checking out our latest video on API security before we dive into what’s needed for API security and identity integration with business applications.

Security professionals, API architects and IAM owners are under pressure to increase agility for their organization while offering engineering freedom at the same time. Sounds simple, right? Except it’s not. There’s widespread fear of application logic breaking due to future security updates if security isn’t externalized, which it often isn’t.

What helps is applying a design principle called Separation of Concerns, commonly attributed to computer science pioneer Edsger Dijkstra. Generally speaking, by separating security from application logic you create a greater level of simplification for your infrastructure as well as your developers.

The business aspects of a system, and the applications that implement them, can evolve largely independently of security considerations. Likewise, security aspects can evolve freely without impacting the business. The benefits are twofold and go hand in hand.

API Security: Separate Your Concerns

APIs take the same approach in terms of security – you want and need the ability to separate API security from application logic. In the digital world, many critical services are delivered via APIs; however, securing them should not be a task for the business developer alone.

A ForgeRock customer within financial services struggled to expose a myriad of APIs delivered by multiple business units. They needed to expose the business REST APIs internally and with partner organizations around the globe.

In order for business teams to fully focus on application logic, the separation of concerns strategy requires an out-of-the-box API security solution. This solution must provide the necessary security infrastructure consumable as a service and deployable with modern devops technology (such as Docker and Kubernetes).

This is where ForgeRock provides a solution. We help organizations secure their APIs through their identity infrastructure using an API security gateway. ForgeRock Identity Gateway can be used to front business APIs and offload access-management tasks such as security token and scope validation. When our customer adopted ForgeRock Identity Gateway, they ultimately gained agility and reduced the amount of maintenance required during updates.
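As an added example (not ForgeRock's code and not Identity Gateway's configuration), the following sketches the pattern described above: a gateway layer validates the bearer token and the scopes required for each route, while the business handler contains no security logic at all. The token table is constructed for the example and stands in for an OAuth2 token introspection endpoint.

```python
# Constructed stand-in for an OAuth2 introspection endpoint (RFC 7662 shape).
# In a real deployment the gateway would call the authorization server instead.
TOKENS = {
    "tok-accounts-read": {"active": True, "scope": "accounts:read", "sub": "alice"},
    "tok-payments": {"active": True, "scope": "accounts:read payments:write", "sub": "bob"},
    "tok-expired": {"active": False, "scope": "accounts:read", "sub": "carol"},
}

# Security policy lives with the gateway, not with the business code:
# each exposed route lists the scopes a caller must hold.
ROUTE_SCOPES = {
    ("GET", "/accounts"): {"accounts:read"},
    ("POST", "/payments"): {"payments:write"},
}


def introspect(token):
    """Look up a token; anything unknown is treated as inactive."""
    return TOKENS.get(token, {"active": False})


def business_api(method, path, subject):
    """Business logic only. It trusts the gateway for who the caller is
    and never inspects tokens or scopes itself."""
    if (method, path) == ("GET", "/accounts"):
        return 200, {"owner": subject, "accounts": ["ACC-1"]}
    if (method, path) == ("POST", "/payments"):
        return 201, {"status": "accepted", "initiated_by": subject}
    return 404, {"error": "not found"}


def gateway(method, path, headers):
    """Enforce token validity and scope before forwarding to business_api."""
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        # Routes without a policy are never forwarded (fail closed).
        return 404, {"error": "not found"}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    info = introspect(auth[len("Bearer "):])
    if not info.get("active"):
        return 401, {"error": "invalid_token"}
    granted = set(info.get("scope", "").split())
    if not required <= granted:
        return 403, {"error": "insufficient_scope", "required": sorted(required)}
    return business_api(method, path, info["sub"])
```

Changing the scope policy or swapping the introspection backend touches only the gateway, which is the separation the post argues for.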

The Takeaway Here?

Separation of concerns design is necessary for API security and identity integration with business applications. Check out our latest API Security video above to learn more.

Curious about how ForgeRock Identity Gateway works on a deeper level? Check out our guide here to learn how you can quickly enforce authorization by leveraging Identity Gateway as an OAuth2 resource server.

For other questions about our Identity Gateway Solution, visit us here.